The InfoSec Blog
5Aug/10

IPv6 vs NAT

NAT categorization according to RFC 3489

I'm allergic to absolutes.
In particular absolute statements.

So when someone says

NAT is *NOT* a security solution.

I bristle.

Many of the anti-NAT brigade are actually decrying it since they think IPv6 should be used instead.
Personally I think many home users can get their heads around NAT but not IPv6.
Those cheap Wifi Routers with built-in NAT they buy from Best Buy are really "plug and play" things; they require no setup. To convert to IPv6 will require a lot more knowledge.

For IPv6 you will need to set up a proper firewall since one of the "good things" about IPv6 is that the massive address space means every device is individually addressable. This may be a bit beyond Joe Sixpack.

NAT is just a coping mechanism for IPv4's constrained address space

Well yes, but that's not the point.
The IPv4 address space has been suffering from the 'the sky is falling' doomsayers since I set up Ontario's first commercial ISP back in 1989. Every time there is a quiet spot in the news the technical journalists drag out this issue and kill a few more acres of trees about it.

NAT does not "hide" computers. Capture a NAT'd stream of traffic and it isn't very hard to separate the conversations of multiple computers behind the NAT.

Actually it does hide things.
The out-of-the-box setting on a NAT Wifi router means that it rejects all incoming REQs. It proxies outgoing connections, so any traffic has to be initiated from the inside. Yes, you can over-ride this.

NAT does nothing at all, except break things.

NAT doesn't 'break things'. What it does is use unroutable addresses.
The original model of the 'Net had no provision for security and the idea was that every node (aka address) should be routable and hence addressable by every other address. That is what you mean by "the way IP is supposed to work".

Which is a bit like saying "two's complement arithmetic is the way computers are supposed to work". Or "linear address spaces are the way computers are supposed to work".

And it makes no sense.

In olden days before the IP protocols were ubiquitous, LANs had their own protocols: Novell, Microsoft and others all had their own protocols that ran on Ethernet or TokenRing. To talk to the world they needed a 'protocol translator' that encapsulated or translated (depending on the remote endpoint) the local packets for transmission over the Internet. The 'local' IP address was that of the NAT and it hid the internal addresses. That the internal addresses were not IP addresses was the whole point.

So now we have an updated version. It's still a NAT and it still hides addresses.

The thing is that NAT renders a subnet inaccessible to the 'Net at large because the addresses on it are unroutable anyway. That's not 'breaking', that's a lazy way of filtering. Unless you have tunnels or exceptions (which most NAT'ing devices allow for) that is equivalent to a firewall with a "DENY ALL INCOMING REQUESTS" policy. Yes, it's not a firewall in that it doesn't do a lot of other things a firewall could and should, but that doesn't mean it's not a security barrier. A lazy one, an incomplete one, one that can't be trusted, but then the same can be said about locking your front door when a good kick can break the frame or a burglar can break a window.
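As an added illustration of the two points above (the router rejects unsolicited inbound requests but translates replies to inside-initiated connections, and a configured port-forward exception re-opens one inbound path), here is a small model of a home NAT's connection table. This is example code written for this page, not anything from the original post; all addresses, ports and the `Nat`/`Packet` names are constructed.

```python
# Constructed model of a home NAT router's connection tracking, showing why its
# default behaviour is equivalent to a "DENY ALL INCOMING REQUESTS" firewall
# policy, and how a static port-forward exception punches one hole through it.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        self.next_port = 40000          # next free external port to hand out
        self.by_inner = {}              # (in_ip, in_port, rem_ip, rem_port) -> ext_port
        self.by_ext = {}                # ext_port -> that same 4-tuple
        self.forwards = forwards or {}  # ext_port -> (in_ip, in_port): configured exceptions

    def outbound(self, pkt):
        """Inside -> Internet: create (or reuse) a mapping and rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext = self.by_inner.get(key)
        if ext is None:
            ext = self.next_port
            self.next_port += 1
            self.by_inner[key] = ext
            self.by_ext[ext] = key
        return Packet(self.public_ip, ext, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> inside: pass only replies or forwarded ports; drop the rest."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.by_ext.get(pkt.dst_port)
        if key and key[2:] == (pkt.src_ip, pkt.src_port):   # reply to an inside-initiated flow
            return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])
        fwd = self.forwards.get(pkt.dst_port)                 # explicit "tunnel or exception"
        if fwd:
            return Packet(pkt.src_ip, pkt.src_port, *fwd)
        return None  # unsolicited request: silently dropped, like DENY ALL INCOMING

def demo():
    nat = Nat("203.0.113.5", forwards={8080: ("192.168.1.20", 80)})
    out = nat.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))       # PC opens HTTPS
    reply = nat.inbound(Packet("198.51.100.7", 443, "203.0.113.5", out.src_port))  # server reply: translated
    probe = nat.inbound(Packet("198.51.100.9", 60000, "203.0.113.5", 22))          # unsolicited: dropped
    fwd = nat.inbound(Packet("198.51.100.9", 60001, "203.0.113.5", 8080))          # port-forward: admitted
    return out, reply, probe, fwd
```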

The unroutable subnets were not *intended* as an address exhaustion deterrent mechanism. That was an unintended side effect that has taken over - the tail that is wagging the dog - and yes, has impeded the acceptance of IPV6. Vendors saw how they could "add features" and as far as Joe Sixpack goes

Please do not attribute intent where there is not one.

As for security and filtering of IPV6 addresses ... Don't make me laugh.
The malware of today does not rely on machines 'raw' on the net unfiltered anyway. The ones behind NAT, the ones behind filters, can still download malware, and one running that malware can still 'tunnel' out to the 'Net, report keylogging and form botnets. IPV6 and filtering won't stop that any more than NAT or IPV4 and firewalls and filters ever did. It's not a packet or address level problem.

A completely different set of tools is needed for that security.

I also object to the absolute implied in saying "NAT is not a security solution". That's trite and unhelpful. AV is not a security solution; deep packet inspection filtering is not a security solution; proxies are not a security solution; user awareness is not a security solution; whitelisting is not a security solution. All these and more are just components that can be used to improve your security stance.

A simple NAT'ing router has value to Joe Sixpack for many reasons.
For him it means he doesn't have to argue with his ISP to get an (ever scarcer) subnet, doesn't have to acquire the technical expertise to manage it and doesn't have to pay the ISP for all those extra addresses. From his POV it simply lets him connect his, his wife's and his kid's computers to the 'Net. He doesn't know about IPV4 or IPV6. He doesn't care either. He paid his - somewhere between $10 and $60 - for the router and as far as he's concerned it's 'plug and play'[1].

A 'solution' of making him use IPV6 means he's going to have to get and manage a subnet. That there's plenty to go round is beside the point. Joe Sixpack bought that NAT router to avoid needing the technical knowledge that you and I take for granted. What he's going to do is wait until a vendor comes up with another 'box' that does it all invisibly for him. And the vendors are used to selling based on features, like NAT, like DHCP. Like making it easy for Joe.

And do you imagine they will let go of NAT? Joe is used to certain keywords. The stuff he's bought in the past with those 'features' works fine so he's going to seek them out again. What do you want to bet the next generation of IPV6 'routers' targeted at the home market (where there are an enormous number of potential customers) will see "more of the same"?

[1] Well, OK, maybe he was foolish enough to get a wireless router for less than $10 on eBay perhaps, and then he's got a whole pile of other security problems, but that has nothing to do with IPV4, IPV6 or NAT.


Posted by Anton Aylward
