IPv6 enterprise security - The NAT Returns


This is a preliminary presentation on the requirement of NAT for enterprise deployment

Published in: Technology

  1. IPv6 Enterprise Security: The NAT Returns
     Sanjeev Gupta, Vice-Chairman, IPv6 Forum (Singapore), sanjeev@dcs1.biz
  2. IPv6 Review
     • It will happen
     • In our careers
     • In our ISPs
     • In our enterprises
     • On our consumer devices
     • In things we cannot think of yet.
  3. IPv6 Review
     • It is happening
     • ISPs are turning it on, to offload traffic from IPv4
     • Alternative is to run CGN or NAT 444, both of which are expensive, and short-term
     • 31% of Verizon Mobile traffic is over IPv6, with users not realizing (Apr 2013)
     • Your “enterprise” OSes have it turned on!
  4. IPv6 Review
     • Recent news
     • Starhub has turned on 6to4 on MaxOnline, so your home router has IPv6
     • And without your knowledge, therefore, so may your home PC
     • So what is IPv6, and how does it differ from IPv4?
  5. IPv6 vis-à-vis IPv4
     • Some things remain the same
     • The concepts of Routing, Networks, and the 7-layer OSI Stack. Firewalls, TCP, UDP, all remain the same.
     • Enough things change
     • The definitions of default routers
     • Address assignments
     • Neighbour Discovery
     • And the entire language changes …
  6. IPv6 vis-à-vis IPv4
     • Examples of minor changes
     • Cisco: show ip becomes show ipv6
     • Examples of major changes
     • Multicast
     • Need to understand Scopes
     • Multiple ways to write the same IPv6 address
     • 2405:FC00:0000:0000:0000:0876:0001:0053
     • 2405:FC00:0:0:0:876:1:53
     • 2405:FC00::876:1:53
     • IPv6 devices will autoconfigure magically!
  7. IPv6 Security Implications
     • Autoconfiguration
     • As devices set themselves up, they will start talking to each other, even when you may not want them to.
     • Routers get discovered, and used.
     • Multiple Routers on a link are not only possible, they are likely
     • Network discovery is easier, which may be good or bad.
  8. IPv6 Security Implications
     • Rogue Routers
     • Similar to the problem of rogue DHCP servers in IPv4
     • A rogue router can override your real router
     • Reasonably easy to set up MITM with SLAAC
     • DAD conflicts
     • A rogue host can use DAD to block any other host from assigning an IP address.
  9. IPv6 Security Implications
     • Global Routability
     • Since we have as many IPv6 addresses as we need, we would like (and are encouraged) to use Globally Routable Unicast Addresses
     • Hence, we say goodbye to the RFC1918 addresses
     • But this opens up a massive hole on our edge!
  10. IPv6 and NAT
     • NAT is generally a bad thing
     • Everyone says this, from the IETF to me!
     • NAT breaks many things, and makes some protocols harder to run or debug
     • SIP: STUN, ICE
     • VNC: TeamViewer, etc.
     • Even FTP and multi-player games
     • But NAT is good for one thing: a “default deny incoming” policy.
  11. IPv6 and NAT
     • Default Deny: we allow all outgoing (and related), we deny all incoming
     • Why do we need this? Because host firewalls are mis-configured, non-auditable, or non-existent
     • Currently, anyone with a server/listener on their host cannot have packets routed in from the Internet: RFC1918 is non-routable
     • Most SME IT managers cannot manage a stateful FW; the number of rules would be impossible to track part-time.
  12. IPv6 and NAT
     • One solution (the simple and correct one) is to use host-based firewalls
     • This works for your Server, PC, Laptop
     • Does your Network Printer have a firewall?
     • Does your Attendance Fingerprint Scanner?
     • Alternative is to implement rules on your edge firewall
     • With SLAAC, do you know what the printer’s current IPv6 address(es) are?
     • Do you know your CFO’s?
  13. IPv6 and NAT
     • Alternative 1:
     • Turn off SLAAC, either use manual addressing(!) or DHCPv6
     • Maintain rule tables in firewall, and spend all day opening and closing ports (there are lots of them)
     • BTW: make sure no one has admin control over his laptop, he might change his IP address.
  14. IPv6 and NAT
     • Alternative 2:
     • Use Unique Local Addresses (ULA)
     • Pick a 48-bit number randomly (1111:2222:3333)
     • Concatenate to fd00::/8, to get a 64-bit prefix (fd00:1111:2222:3333::/64)
     • SLAAC away!
     • FD00 is reasonably unique, but non-routable
     • NAT away (as you have been doing) between your Global IPv6 address (singular) and the ULAs inside.
  15. IPv6 and NAT
     • Alternative 2 (cont):
     • Do a 1-to-1 NAT
     • NAT away (as you have been doing) between your Global IPv6 address (singular or subnet) and the ULAs inside
     • Deny all incoming, except explicitly decided
     • You can examine Ports, or not
     • If your Global range changes, when you change ISPs, you do not need to reconfigure the LAN
     • Security becomes manageable, again.
  16. IPv6 and NAT
     • Disadvantages of #2 (ULA+NAT) over #1
     • You are still not Edge-to-Edge, which was a major driver for IPv6
     • You will be sneered at by your smarter colleagues
     • BitTorrent will be slower
     • People running servers need to come talk to you.
  17. IPv6 and NAT
     • Advantages of #2 (ULA+NAT) over #1
     • Your old model of NAT being Firewall works
     • Default deny for incoming (Local addresses, even if they leak out, will not be routed by your ISP)
     • Your printer is cleanly visible inside your network, yet not accessible from the outside
     • You can use SLAAC!!!
     • You do not need PI address space, you can use your ISP’s, avoid renumbering
     • People running servers need to come talk to you.
  18. IPv6 and NAT: The Sequel
     • In an ideal world, we would do away with NAT :)
     • But in an ideal world, we would not need Firewalls :)
     • It is very likely that NAT will remain, but in newer guises
     • Maybe NAT64? NAT46? NAT66?
     • Just when you thought he was dead, he returned!
  19. Freddy Krueger returns!
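
The rogue-router problem on slide 8 can be watched for by checking every Router Advertisement seen on a link against the routers and prefixes you expect. The Python below is an added example, not part of the presentation; the allowlist values, the function names and the sample packets are constructed assumptions.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

# Assumed site policy (constructed values): one legitimate router, one LAN prefix.
KNOWN_ROUTERS = {IPv6Address("fe80::1")}
EXPECTED_PREFIXES = {IPv6Network("2001:db8:10::/64")}

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134, RFC 4861)."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"pref": (icmp[5] >> 3) & 0x3,              # RFC 4191 router preference
          "lifetime": struct.unpack("!H", icmp[6:8])[0], "prefixes": []}
    off = 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8   # option length is in 8-byte units
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("malformed option")
        if otype == 3 and olen == 32:                # Prefix Information option
            prefix = IPv6Address(icmp[off + 16:off + 32])
            ra["prefixes"].append(IPv6Network((prefix, icmp[off + 2]), strict=False))
        off += olen
    return ra

def check_ra(src: str, icmp: bytes) -> list:
    """Return the reasons an RA looks rogue; an empty list means it is expected."""
    ra, reasons = parse_ra(icmp), []
    known = IPv6Address(src) in KNOWN_ROUTERS
    if not known:
        reasons.append("unknown router source")
    for p in ra["prefixes"]:
        if p not in EXPECTED_PREFIXES:
            reasons.append(f"unexpected prefix {p}")
    if not known and ra["pref"] == 1:                # 01 = "high" preference
        reasons.append("claims high router preference")
    return reasons

def sample_ra(prefix: str, pref: int = 0, lifetime: int = 1800) -> bytes:
    """Constructed test input: RA header plus one /64 prefix option (checksum 0)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, pref << 3, lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 86400, 14400, 0)
    return hdr + opt + IPv6Address(prefix).packed

GOOD = sample_ra("2001:db8:10::")
ROGUE = sample_ra("2001:db8:bad::", pref=1)

if __name__ == "__main__":
    print(check_ra("fe80::1", GOOD))
    print(check_ra("fe80::bad", ROGUE))
```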
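
The ULA plus 1-to-1 NAT design of slides 14 and 15, as an added Python example that is not part of the presentation. It uses the RFC 4193 layout (fd, a 40-bit random Global ID, a 16-bit subnet ID) and models only address mapping and unsolicited inbound traffic, not connection tracking; the class name, prefixes and ports are assumptions.

```python
import secrets
from ipaddress import IPv6Address, IPv6Network

ULA_RANGE = IPv6Network("fd00::/8")

def random_ula_subnet(subnet_id: int = 0) -> IPv6Network:
    """fd + 40 random bits + 16-bit subnet ID gives one /64 (RFC 4193 layout)."""
    global_id = secrets.randbits(40)
    value = (0xFD << 120) | (global_id << 80) | ((subnet_id & 0xFFFF) << 64)
    return IPv6Network((value, 64))

class PrefixNat:
    """1-to-1 mapping between an inside ULA prefix and an outside global prefix."""

    def __init__(self, inside: IPv6Network, outside: IPv6Network):
        if not inside.subnet_of(ULA_RANGE) or inside.prefixlen != outside.prefixlen:
            raise ValueError("inside must be a ULA prefix of the same length as outside")
        self.inside, self.outside = inside, outside
        self.allowed_in = set()      # explicit (inside address, port) exceptions

    @staticmethod
    def _swap(addr, src_net, dst_net):
        # Keep the host bits, replace the prefix bits.
        host_bits = int(addr) & int(src_net.hostmask)
        return IPv6Address(int(dst_net.network_address) | host_bits)

    def outbound(self, src: str) -> IPv6Address:
        """Translate an inside source address to its outside equivalent."""
        addr = IPv6Address(src)
        if addr not in self.inside:
            raise ValueError("source is not on the inside prefix")
        return self._swap(addr, self.inside, self.outside)

    def inbound(self, dst: str, port: int):
        """Return the inside address, or None: incoming is denied by default."""
        addr = IPv6Address(dst)
        if addr not in self.outside:
            return None
        inner = self._swap(addr, self.outside, self.inside)
        return inner if (inner, port) in self.allowed_in else None

    def renumber(self, new_outside: IPv6Network):
        """New ISP prefix: only the outside changes, the LAN keeps its ULAs."""
        if new_outside.prefixlen != self.inside.prefixlen:
            raise ValueError("prefix lengths must match")
        self.outside = new_outside
```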