32 comments

[ 3.1 ms ] story [ 242 ms ] thread
This was interesting but got me thinking about a problem I encountered at work. Is it possible to create two bridges out of one namespace so that two separate programs can receive the same network traffic?
This seems to take the long way around. I wonder why they didn't consider just using the firewall to control network traffic; unless you really need your applications to be completely unaware of IPv6, but so far, I've not experienced that problem.

Also, requiring root privileges for launch is a bit of a burden in some use-case scenarios.

Not exactly a common use case or linux related but my Red Alert 2 game patched for tcp/ip instead of IPX support it shipped with will only let you into LAN game lobbies on ipv6, you can't see any games to join. ipv4 and it works like a charm.

My point is just that I'm sure some very very weird stuff can happen with software.

(comment deleted)
> "The main problem is to secure an IPv6 network which is much more complicated than using a typical IPv4 network consisting of a router and several devices behind it."

Does anyone know why this is the case? I'm not a network security expert but to me I don't see how IPv4/v6 makes a different in terms of security. I'd assume that each computer on the network could most likely be assigned a public IPv6 address rather than using NAT in which case how is configuring your perimeter firewall to drop incoming connections by default any different from not having any port forwarding setup by default? Even your average domestic router has some sort of basic firewall built in.

I agree - that line from the article makes no sense. Not having NAT is awesome because NAT is a nasty hack that doesn't add any security.

The tunnelling scenario is valid though - because they add quite a bit of latency so you might not want to use it for everything.

What's the point of assigning an address to every node on the Internet if you can't connect to these addresses.

The advantage of IPv6 is that any computer can act as a server again. NAT makes it unnecessarily difficult to build simple peer to peer applications such as for telephony, remote access or file transfer.

There is nothing special about firewalling off IPv6. NAT is not a security feature. The problem is that most consumer "routers" that people use nowadays are really: a router, a switch, a wireless access point, a firewall, and who knows what else. Here are some sample rules for firewalling off IPv4 (typed from memory, so use with caution):

  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
  iptables -A INPUT -p icmp -j ACCEPT
  iptables -A INPUT -j DROP
  
  iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
  iptables -A FORWARD -p icmp -j ACCEPT
  iptables -A FORWARD -j DROP
Here are the IPv6 rules:

  ip6tables -A INPUT -i lo -j ACCEPT
  ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ip6tables -A INPUT -s 2001:xx:xx:xx::/64 -j ACCEPT
  ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
  ip6tables -A INPUT -j DROP
  
  ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ip6tables -A FORWARD -s 2001:xx:xx:xx::/64 -j ACCEPT
  ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
  ip6tables -A FORWARD -j DROP
Does that look like it would be hard to do? Your router should come with these rules already. If it does not, ditch it and buy one that is supported by OpenWRT, where IPv6 support is not a second class citizen.

Edit: Naturally, IPv4 rules would have to be more complicated since you'll want to have your NAT setup in there. In this way, configuring IPv6 is actually easier :). Also, a real router would have rules set up for throttling certain types of traffic (e.g.: you don't want more than, say, 1000 ICMP messages per second). However, all those steps are identical for IPv6.

(comment deleted)
> NAT is not a security feature.

Why?

Because it was never intended as such and does not necessarily need to add any. The fact that many NAT implementations do add some security (by dropping inbound connections by default) is a side effect. I've seen NAT implementations that get it precisely wrong (consumer routers that set up .2 as the default DMZ), but that's still entirely valid.
Whether or not NAT was designed with security in mind doesn't matter.

Using NAT increases security simply by having deny by default.

But that is not a feature of NAT, that is a feature of a firewall (for example, it is possible to route incoming packets via the WAN as well as masquerade outgoing ones from the LAN - most people wouldn't even know their pants are down). It is a coincidence that home routers sometimes provide both leading people to conflate their firewall with their NAT system - but if a firewall is what is wanted (and is arguably the only valuable component), NAT is not the thing to ask for. Conflating NAT with firewalls also promotes the idea that NAT has a place in any network with abundant addresses. IMHO, it does not.
NAT will always have a place, because not everyone wants to expose a uniquely routable address for every device they own (probably based on a device's MAC address) to the world.
Can you give an example that isn't based on security (since the NAT isn't providing that)? I can only think of short-term (undesirable) transition or load-balancing mechanisms - all of which have better long-term solutions (anycast, multicast, and dynamic service discovery, etc)...
What's with the widespread fixation against attributing any positive security attributes to Network Address Translation? It's like the old warning about NAT not being enough to protect a private network got cargo culted into a universal anti-NAT maxim.

What would you call it when a router at the edge of a private network presents a single IP to the world no matter how many devices are behind it, for privacy reasons?

"What's with the widespread fixation against attributing any positive security attributes to Network Address Translation"

It probably has something to do with NAT being a huge obstacle later, when needs change. For example, while it might make sense at one point to have multiple hosts appear as one, it is at the expense of direct addressability, and the workaround - having a unique address+port combination - makes less sense than having a unique directly-routable address.

"What would you call it when a router at the edge of a private network presents a single IP to the world no matter how many devices are behind it, for privacy reasons?"

The wrong tool for the job. :)

The privacy is gained not by translation but by blocking direct connections (which is a feature of a firewall - not of NAT). While there is some value in NAT's ability to falsify the origin of data - ie, to take credit for non-local flows - but if those applications ever grow they will be fighting to escape the single address of NAT and are thus only suitable in the short term. Ideally, NAT would go unused because every element is uniquely addressable and fully independent... Most people would not consider someone else who continually takes credit for their or someone else's work to be a feature, and so it is with NAT.

I'm thinking more in terms of consumer networks. I really don't want my ISP to know exactly which devices I'm using or how many, nor do I want to have every web site be able to track them by globally routable IPv6 address everywhere I go. Simply blocking incoming connections doesn't solve that.

Taking credit for someone else's work is not a useful analogy for NAT, nor are the corresponding moral implications relevant.

"nor do I want to have every web site be able to track them by globally routable IPv6 address everywhere I go."

So, you would rather use one address for everything, making it easy as pie to track you? You can pretty much pick IPv6 addresses at random (under your router prefix), and you have (many many many) more addresses than the whole IPv4 address space to choose from (it's a 128 bit address space and providers typically give a /48, /56, or /64 prefix at worst... that's 128-64=64 bits... that's 2^63.9999... more addresses than IPv4). In short, you don't really "map" the IPv6 space the same way you do the IPv4 space.

Taking credit for someone else's work very much is a useful analogy: if I can only speak through a third party, and I need that third party's permission to speak, let alone be spoken to, I quickly resent him or her. This is quite the case with current NAT solutions, with system administrators restricting "their" networks, making communication difficult for everyone else (by holding the only globally-routable address or "allocating" only a few; everyone else is second-class).

The simple and much more flexible answer to this is to have a firewall rule on the edge router that simply drops all packets to and from the hosts you do not want visible. Note that this is more flexible in that if you want some hosts visible and some not, you can do that. You cannot do that with NAT: you only have one port 80 and several servers for example.

In general, use the right tool for the job. NAT provides some blunt security features incidentally. It does not, for example, prevent your server from making connections to the outside world. The firewall is what is meant to be used to restrict traffic. That is its only job and it does that well.

No, using a firewall increases security. It just so happens that most routers which do NAT, also have a firewall. You are, in my opinion, confusing two functions provided by one device.

I'm willing to bet that any IPv6 capable router also has a firewall.

That doesn't increase security unless your baseline is broken. All NAT is potentially replacing from a security perspective is a single default drop (or default reject) rule, which should have been there to start with.

While it could be argued that NAT adds an extra layer to security-in-depth by making it harder to accidentally open things up by missing out the default drop/reject rule, but I'd argue that all the faf that NAT can create by making it difficult to arrange point-to-point connections where they are actually desirable is not worth that little bit of protection against failing to configure the firewall correctly.

Security aside, this is even useful for new deployments of IPv6. It seems a lot of people have IPv6 networks that are less favorable for some traffic than their IPv4 networks. Some are running their IPv6 through tunnels. As soon as you enable IPv6 on your desktop, suddenly Firefox or Chromium will prefer IPv6 for any website with a AAAA record, which adds a ton of latency and reduces bandwidth.

But theoretically, I could enable IPv6 for sshd (where I stand the most benefit) and leave it off for wget and browsers with this.

IPv6 is no longer necessarily preferred due to happy eyeballs. http://tools.ietf.org/html/rfc6555
I did something independent of happy eyeballs (I consider my implementation actually superior in some ways as it aims to improve connection latency on all networks), but when I tried to get in front of some browser developers (by posting on HN), I was told by a Chrome networking dev that they tried it and decided that it wasn't worth it. He cited something about how the performance was actually worse than before. The impression that I got was that Happy Eyeballs was not actually widely adopted.
At home my HE tunnel is snappier than the plain ipv4 from rr. The weird thing is it is not just a case of user perception (mine). One of the upstream s1 ntp boxes I sync with has ipv4 and ipv6 and is relatively close. I set one of my s1s to sync with both the ipv4 and ipv6 addresses of the machine and the ipv4 clock displayed a lower delay and less jitter while the offsets were seasonably close.
argh, for posterity's sake the last line should read:

"the ipv6 peer entry displayed a lower delay and less jitter while the offsets were reasonably close."

You can always just drop ipv6 packets for certain destination ports (eg 80) with iptables if you know the application (like a browser) will be ok. Which is much simpler.
On this subject, sort of, if I want to dump the commercial routers and replace with eithe a Linux install on a commercial router or a x86 box that is not too chunky / loud Where do I go for readme and instructions and community?

I can find some old Linux on linksys sites but not a lot recently

If you with the commercial router route, checkout OpenWRT / DD-WRT / Tomato. There are several forks, so depending on what features you want, and what hardware you have, you may opt for a different version. If you go with an existing x86/amd64, just install your favorite distro and start reading up on iptables configuration and management. While iptables to be quite powerful in terms of features, I find its' syntax is painful. There are several projets aiming to simplify this, by generating rules from another, simpler, DSL but it adds complexity. This is why I prefer PF, but that requires you to install OpenBSD instead of Linux. If you know your way around UNIX, and are ready to read up the FAQ and man pages, this shouldn't be a problem :).