IPv6 Enterprise Security - The Nat Returns

Will we still need NAT at our edge for IPv6 deployment?

It is an oft-repeated statement that NAT is an artefact of the IPv4 address space shortage, and that it will not be required in IPv6 deployments. The ability to give each host a publicly routable address and achieve end-to-end connectivity is touted as a notable benefit of IPv6. Network engineers have traditionally regarded NAT as an evil that complicates deployment and operations.

The presentation was prepared by Mr Sanjeev Gupta, Vice-Chairman of the IPv6 Forum (Singapore Chapter), for the Information Security Seminar 2013. For more information on the event, please visit https://www.isseminar2013.sg/index.php.


  1. IPv6 Enterprise Security: The NAT Returns. Sanjeev Gupta, Vice-Chairman, IPv6 Forum (Singapore), sanjeev@dcs1.biz
  2. IPv6 Review: it will happen
     - In our careers
     - In our ISPs
     - In our enterprises
     - On our consumer devices
     - In things we cannot think of yet
  3. IPv6 Review: it is happening
     - ISPs are turning it on, to offload traffic from IPv4
     - The alternative is to run CGN or NAT444, both of which are expensive and short-term
     - 31% of Verizon Mobile traffic is over IPv6, with users not realizing it (Apr 2013)
     - Your "enterprise" OS has it turned on!
  4. IPv6 Review: recent news
     - StarHub has turned on 6to4 on MaxOnline, so your home router has IPv6
     - And therefore, without your knowledge, so may your home PC
     - So what is IPv6, and how does it differ from IPv4?
  5. IPv6 vis-à-vis IPv4
     - Some things remain the same: the concepts of routing, networks and the 7-layer OSI stack. Firewalls, TCP and UDP all remain the same.
     - Enough things change: the definition of default routers, address assignment, Neighbour Discovery, and the entire language changes ...
  6. IPv6 vis-à-vis IPv4
     - Examples of minor changes: on Cisco, "show ip" becomes "show ipv6"
     - Examples of major changes: multicast, and the need to understand scopes
     - Multiple ways to write the same IPv6 address:
       2405:FC00:0000:0000:0000:0876:0001:0053
       2405:FC00:0:0:0:876:1:53
       2405:FC00::876:1:53
     - IPv6 devices will autoconfigure magically!
  7. IPv6 Security Implications: autoconfiguration
     - As devices set themselves up, they will start talking to each other, even when you may not want them to.
     - Routers get discovered, and used.
     - Multiple routers on a link are not only possible, they are likely.
     - Network discovery is easier, which may be good or bad.
  8. IPv6 Security Implications: rogue routers
     - Similar to the problem of rogue DHCP servers in IPv4
     - A rogue router can override your real router
     - Reasonably easy to set up MITM with SLAAC
     - DAD conflicts: a rogue host can use DAD to block any other host from assigning an IP address.
  9. IPv6 Security Implications: global routability
     - Since we have as many IPv6 addresses as we need, we would like (and are encouraged) to use Globally Routable Unicast Addresses
     - Hence, we say goodbye to the RFC 1918 addresses
     - But this opens up a massive hole on our edge!
  10. IPv6 and NAT: NAT is generally a bad thing
     - Everyone says this, from the IETF to me!
     - NAT breaks many things, and makes some protocols harder to run or debug: SIP (STUN, ICE); VNC, TeamViewer, etc.; even FTP and multi-player games
     - But NAT is good for one thing: a "default deny incoming" policy.
  11. IPv6 and NAT: default deny
     - Default deny: we allow all outgoing (and related) traffic, and deny all incoming
     - Why do we need this? Because host firewalls are misconfigured, non-auditable, or non-existent
     - Currently, anyone with a server/listener on their host cannot have packets routed in from the Internet: RFC 1918 addresses are non-routable
     - Most SME IT managers cannot manage a stateful firewall; the number of rules would be impossible to track part-time.
  12. IPv6 and NAT: host-based firewalls
     - One solution (the simple and correct one) is to use host-based firewalls. This works for your server, PC and laptop.
     - Does your network printer have a firewall? Does your attendance fingerprint scanner?
     - The alternative is to implement rules on your edge firewall. With SLAAC, do you know what the printer's current IPv6 address(es) are? Do you know your CFO's?
  13. IPv6 and NAT: Alternative 1
     - Turn off SLAAC; either use manual addressing(!) or DHCPv6
     - Maintain rule tables in the firewall, and spend all day opening and closing ports (there are lots of them)
     - BTW: make sure no one has admin control over his laptop; he might change his IP address.
  14. IPv6 and NAT: Alternative 2
     - Use Unique Local Addresses (ULA)
     - Pick a 48-bit number randomly (1111:2222:3333)
     - Concatenate it to fd00::/8 to get a 64-bit prefix (fd00:1111:2222:3333::/64)
     - SLAAC away!
     - fd00 is reasonably unique, but non-routable
     - NAT away (as you have been doing) between your global IPv6 address (singular) and the ULAs inside.
  15. IPv6 and NAT: Alternative 2 (cont.)
     - Do a 1-to-1 NAT
     - NAT away (as you have been doing) between your global IPv6 address (singular or subnet) and the ULAs inside
     - Deny all incoming, except what is explicitly decided
     - You can examine ports, or not
     - If your global range changes when you change ISPs, you do not need to reconfigure the LAN
     - Security becomes manageable, again.
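The ULA prefix construction and 1-to-1 prefix translation of slides 14 and 15, combined with the default-deny policy of slide 11, as an added Python example (not part of the presentation). The global /64 2405:fc00:0:1::/64 and the remote host 2001:db8:ffff::53 are constructed values; the ULA is the one on the slide.

```python
import ipaddress
import secrets

def make_ula_prefix(global_id=None, subnet_id=0):
    """RFC 4193 ULA /64: 'fd' + 40-bit (random) Global ID + 16-bit Subnet ID."""
    if global_id is None:
        global_id = secrets.randbits(40)      # pseudo-random, as the RFC asks
    if not (0 <= global_id < 1 << 40 and 0 <= subnet_id < 1 << 16):
        raise ValueError("global_id must fit in 40 bits, subnet_id in 16 bits")
    prefix = (0xFD << 120) | (global_id << 80) | (subnet_id << 64)
    return ipaddress.IPv6Network((prefix, 64))

def is_ula(addr):
    """fc00::/7 is never routed by an ISP, so a leaked inside address goes nowhere."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network("fc00::/7")

def translate(addr, src_net, dst_net):
    """1-to-1 prefix mapping: swap the /64 prefix, keep the 64-bit interface ID."""
    addr = ipaddress.IPv6Address(addr)
    if src_net.prefixlen != 64 or dst_net.prefixlen != 64:
        raise ValueError("both prefixes must be /64 so the interface ID maps unchanged")
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    iid = int(addr) & ((1 << 64) - 1)
    return ipaddress.IPv6Address(int(dst_net.network_address) | iid)

class EdgeNat:
    """Default deny: outgoing flows are recorded; incoming passes only if it matches one."""
    def __init__(self, inside, outside):
        self.inside, self.outside = inside, outside
        self.flows = set()                    # (inside host, remote host, remote port)

    def outbound(self, src, dst, dport):
        """LAN host talks out; returns the translated source address seen on the Internet."""
        self.flows.add((ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst), dport))
        return translate(src, self.inside, self.outside)

    def inbound(self, src, dst, sport):
        """Packet from the Internet: map the outside dst back; pass only replies to a flow."""
        dst = ipaddress.IPv6Address(dst)
        if dst not in self.outside:
            return None                       # not our global /64 (or a leaked ULA): drop
        inside_dst = translate(dst, self.outside, self.inside)
        if (inside_dst, ipaddress.IPv6Address(src), sport) in self.flows:
            return inside_dst                 # related to an outgoing flow: pass
        return None                           # unsolicited: default deny

# Constructed values: the slide's ULA prefix, and an assumed global /64 from the ISP
ULA = make_ula_prefix(global_id=0x0011112222, subnet_id=0x3333)  # fd00:1111:2222:3333::/64
GLOBAL = ipaddress.IPv6Network("2405:fc00:0:1::/64")
```

Changing ISP only means replacing GLOBAL; the ULA side, and therefore every LAN host, stays as it is.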
  16. IPv6 and NAT: disadvantages of #2 (ULA+NAT) over #1
     - You are still not edge-to-edge, which was a major driver for IPv6
     - You will be sneered at by your smarter colleagues
     - BitTorrent will be slower
     - People running servers need to come talk to you.
  17. IPv6 and NAT: advantages of #2 (ULA+NAT) over #1
     - Your old model of NAT-as-firewall works
     - Default deny for incoming (local addresses, even if they leak out, will not be routed by your ISP)
     - Your printer is cleanly visible inside your network, yet not accessible from the outside
     - You can use SLAAC!!!
     - You do not need PI address space; you can use your ISP's, and avoid renumbering
     - People running servers need to come talk to you.
  18. IPv6 and NAT: The Sequel
     - In an ideal world, we would do away with NAT ...
     - But in an ideal world, we would not need firewalls ...
     - It is very likely that NAT will remain, but in newer guises. Maybe NAT64? NAT46? NAT66?
     - Just when you thought he was dead, he returned!
  19. Freddy Krueger returns!