[ipv6hackers] the end is near (or for IPv6: the beginning)

James Small jim.small at mail.com
Fri Jan 24 17:21:02 CET 2014


Hi Edward,

NAT is a topic worthy of much discussion:

NAT use cases:
* Address Conservation (shouldn't be needed with v6)
* Topology Hiding
* Path Symmetry
* Provide some independence from ISP
* Simple/Limited Multihoming
* Restricts inbound connections (obviously with many limitations)
* Address Family translation

Did I miss any?


NAT Challenges:
* Adds complexity/operational overhead
** With M&A where overlap NAT (source and destination NAT because of
overlapping addresses) is used, usually a specialist must setup and
troubleshoot - more operational expenses, reduced MTTR
* Many applications use embedded addresses, which NAT breaks
* Many applications require ALG to work through NAT
* As applications are upgraded, ALG must be too (almost like an arms
race...)
** Many applications have limited functionality or stop working due to NAT
* Loss of end to end connectivity/visibility
* Makes troubleshooting/auditing/attribution much harder
* Makes establishing communication between endpoints much more difficult

Note:  I'm sure someone will point out that all endpoints are secured by
firewalls.  Firewall changes though can be solved by UPnP or similar
solutions.  Businesses generally don't have a hard time with firewall rules -
these are well understood.  Most of the communications challenges are from
NAT.

Did I miss any challenges?


> IPv4 stateful firewalls have a heavy reliance on NAT functionality as a
> means of resolving asymmetric routing issues that would otherwise be
> problematic in otherwise multipath routing environments.

My preference would be to separate the two.  In general though I agree that
NAT is often a solution to solving symmetry problems.  Sometimes it may be
the only solution.  That said - at the Internet edge there are other
solutions such as BGP, LISP, and tunneling.  I have seen companies implement
all 3 of these successfully.


> Proxy devices resolve
> asymmetry as a natural result of explicit proxy functions.  As IPv6
> migration accelerates, and the adoption of native IPv6 addressing down to
> endpoints becomes predominant, we will begin to see interesting issues arise:
> 
> - A sharp rise in asymmetry issues with stateful firewalls in multipath
> environments

Maybe, maybe not.  I believe this is assuming that we deploy networks the
same way as we do today without changes.  However, there are several things
on the horizon.  VMware for example has a firewall solution with centralized
management but with all enforcement at the endpoint.  This would be one way
to eliminate this issue.  SDN-like solutions will offer similar
capabilities.


> - An increase in direct attacks against IPv6 endpoints, due to the removal
> of the NAT boundary

So you believe that most people allow inbound traffic by default and that
NAT is the only defense?  I can only say that based on my experience
consulting and teaching in the US this is not what I see.  But I am only one
person...

Also, my understanding of how most nodes are attacked is via
drive-by-downloads.  If I'm an attacker, I compromise a prominent Internet
site and let it infect visitors.  So you're saying IPv6 will change this?
If so, I'm not following.  This tactic will still work well.  If I'm an
attacker, why fix something that isn't broken?


> - A strong effort to deploy NAT66 (RFC 6296) for use in FW/CGN boundaries

For whom?  Are you talking carriers/ISPs or businesses?  What problem do you
see organizations trying to solve with NAT66?  What is the value derived
from deploying this?  You believe security practitioners will see this as
improving their posture?


> - A resurgence of proxy-based security

I think this depends on the audience.  Proxies seem to be somewhat popular
in the US Fortune 100 and I've heard they are popular in Europe (though I
can't speak to this first hand).  However, in the general US market they are
uncommon.  Also, last I heard for the US, bandwidth is growing at over
20%/year.  Buying expensive proxies and backhauling your traffic seems to be
more and more cost prohibitive.  What I've seen is the opposite, companies
are starting to move away from this architecture.  You think with "cloud" or
service provider solutions or some new technology this will work in a
financially appealing way?


> - The need to resolve asymmetry will be exacerbated by the deployment
> of IPv6 anycast services

Why is this different from the general asymmetry problems at the network
edge?


> With the recent allegations that the NSA TAO has compromised a number of
> commercial stateful firewall systems, I would think that more intelligent
> organizations will be reconsidering their network security strategies in
> their migration plans to IPv6

I sure hope everyone deploying IPv6 re-evaluates their security!

Looking forward to hearing your thoughts on this,
  --Jim
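Added illustration, not part of Jim's post or anyone else's message in the thread: an nftables ruleset for an IPv6 edge that gives the "restricts inbound connections" property the use-case list attributes to NAT, using only a stateful filter and no address translation. Interface names `lan0`/`wan0` and the host address `2001:db8::80` are placeholders chosen for the example.

```nft
# Added example (not from the thread): a minimal IPv6 stateful filter that
# restricts inbound connections without any address translation.
# Assumptions: the LAN-facing interface is "lan0" and the uplink is "wan0"
# (placeholder names); the box runs nftables and forwards for the LAN.
table inet edge {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to sessions the LAN opened are matched by the state table,
        # which is the part of the job a NAT table was doing as a side effect.
        ct state established,related accept

        # Anything the LAN originates may go out.
        iifname "lan0" oifname "wan0" accept

        # IPv6 depends on ICMPv6 for path MTU discovery and error signalling;
        # dropping it wholesale breaks connectivity, so allow the essentials.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request, echo-reply
        } accept

        # A deliberately exposed internal web host (documentation-prefix
        # address). Unlike an IPv4 port-forward there is no rewrite, only a
        # permit, so logs and flow records still show the real endpoint.
        iifname "wan0" ip6 daddr 2001:db8::80 tcp dport { 80, 443 } ct state new accept

        # Every other new inbound flow is counted, logged and dropped.
        iifname "wan0" ct state new log prefix "v6-inbound-drop " counter drop
    }
}
```

Load with `nft -f <file>`; the `counter` on the final rule gives a quick check (`nft list table inet edge`) that unsolicited inbound traffic is being dropped rather than silently reaching hosts.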
