IPv6 and Firewall traversal
Bill Bogstad
bogstad-e+AXbWqSrlAAvxtiuMwx3w at public.gmane.org
Wed Mar 30 11:06:59 EDT 2011
On Wed, Mar 30, 2011 at 10:33 AM, Richard Pieri <Richard.Pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> On Mar 30, 2011, at 10:03 AM, Edward Ned Harvey wrote:
>>
>> One of the barriers to widespread deployment of IPv6 is fear about security.
>> People have come to rely on their IPv4 NAT as a form of inbound packet
>> filter. So moving forward, it seems only natural that (for people who agree
>
> Anyone who relies on NAT for security has almost no network security (see: source IP spoofing). NAT is not, and never has been, about security. It exists to address the limited address space in IPv4 but it is not formally part of IPv4. NAT is, ultimately, a clever hack used to link non-routable networks to routable networks.
Source IP spoofing is only possible when people don't put in appropriate filters to disallow packets coming from the outside with the wrong IP address. In a NATed environment, you are typically at the 'edge' of the Internet and it is relatively straightforward to know what addresses must come from inside your network perimeter vs. the outside. So yes, NAT all by itself isn't great security. However, it isn't that bad when you add some trivially automatable packet filtering.

Its big advantage is that for simple TCP client/server traffic it 'just works' with arbitrary ports. If you trust your internal clients to access external servers, then NAT's automatic 'hole punching' for return traffic is nice. UDP is another story and requires more sophisticated hole punching mechanisms, which are usually done at the same time as IPv4 NAT with NAT-PMP or IGD.
> IPv6 removes this necessity. Thus, no NAT for IPv6. And hopefully there never will be. IPv6 has link-local and site-local addressing, which eliminates the need for segregating non-routable networks. This is built into the specification. For everything else there is SPI.
I'm not sure that I would define SPI as including automatic (or automatable) hole punching, but if you do, then yes, SPI is probably good enough to replace how IPv4 NAT is typically used. Do all IPv6 SPI implementations have these kinds of capabilities? I really don't know.
Bill Bogstad
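Added illustration of the point argued in the message above (this is editorial example code, not part of the original thread and not taken from any product it mentions): an nftables ruleset for a small dual-interface IPv6 router that gives the "replies just work, unsolicited inbound is dropped" behaviour people get implicitly from IPv4 NAT, together with the anti-spoofing ingress and egress filters the message describes as trivially automatable. The interface names eth0/eth1, the site prefix 2001:db8:1::/48 and the inside server address 2001:db8:1::443 are assumptions; 2001:db8::/32 is the IPv6 documentation prefix, so substitute your own delegated prefix.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original thread. Assumed names: eth0 is the
# WAN side, eth1 the LAN side, 2001:db8:1::/48 the site's delegated prefix
# (documentation range; replace it). 'flush ruleset' also clears any IPv4
# tables on the box, so adapt that line on a shared router.
flush ruleset

define wan  = "eth0"
define lan  = "eth1"
define site = 2001:db8:1::/48

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept

        # Replies to flows the router itself started
        ct state established,related accept
        ct state invalid drop

        # Neighbor Discovery and Router Advertisements come from link-local
        # sources on either interface; without them IPv6 does not work at all
        ip6 saddr fe80::/10 icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # DHCPv6 prefix delegation: the router is the client (port 546)
        iifname $wan udp sport 547 udp dport 546 accept

        # Management of the router only from the inside
        iifname $lan tcp dport 22 ct state new accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Anti-spoofing, the filter the message calls trivially automatable:
        # a packet arriving on the WAN side cannot legitimately carry an inside
        # source address, and a packet from the LAN cannot legitimately carry
        # an outside one (egress filtering in the sense of BCP 38).
        iifname $wan ip6 saddr $site counter drop
        iifname $lan ip6 saddr != $site counter drop

        # Stateful packet inspection: this one rule is what replaces NAT's
        # implicit "only return traffic gets in", for any port, and for UDP
        # flows as well as TCP, because conntrack tracks both.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may initiate anything towards the Internet
        iifname $lan oifname $wan accept

        # Path MTU discovery and error reporting must survive in both directions
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # The static stand-in for a NAT-PMP/IGD port mapping: an explicit
        # pinhole to one inside server (assumed address) instead of a port
        # forward. No address rewriting is needed, only permission to connect.
        iifname $wan oifname $lan ip6 daddr 2001:db8:1::443 tcp dport 443 ct state new accept
    }
}
```

Load it with `nft -f <file>` and confirm the intended behaviour from an outside host: a new connection to 2001:db8:1::443 port 443 is accepted, any other unsolicited inbound connection is dropped, and a packet crafted with a 2001:db8:1::/48 source that arrives on eth0 is counted and dropped by the anti-spoofing rule. The last rule is where IPv4 NAT's automatic hole punching has to be replaced by something explicit; the dynamic equivalents for an IPv6 stateful firewall are PCP (RFC 6887) and the UPnP IGD v2 WANIPv6FirewallControl service, which ask the router to open a pinhole rather than create an address mapping, and which router firmware supports them varies from implementation to implementation.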