Edit 2020-01-14 22:51 EST: Clarified that the IPv4 screenshot is with NAPT enabled and that the IPv6 network is globally addressable.
I’m going to try to address some worries that could come from globally addressable IPv6 addresses.
I didn’t want this post to be long, but I just wanted to share the knowledge. And knowledge is known to be power.
What’s NAPT (for those that never came across the term)
NAPT stands for Network Address and Port Translation. It’s the most prevalent form of Network Address Translation: in NAPT, both the IPv4 address and the transport-layer port are rewritten, which is what lets a whole LAN share a single public address.
In basic, one-to-one NAT only the IPv4 address is changed and the port is left alone, so every inside host that talks to the Internet at the same time needs its own public address; there is no port multiplexing to fall back on.
On hardcoded addresses
Every network interface ships with a hardcoded identifier that can end up inside an IPv6 address: its MAC address.
The classic SLAAC scheme (modified EUI-64, RFC 4291) stretches the 48-bit MAC into a 64-bit interface identifier by flipping the universal/local bit of the first octet and inserting ff:fe in the middle, then appends it to fe80::/64 to form the link-local address used for communication on the local LAN. A link-local address is never forwarded off its link, which is what makes it “private”; it is always in the
fe80::/10 range, on any given network.
Most devices I’ve run across don’t use the hardcoded address, but generate a dynamic one instead to avoid conflicts.
The same MAC-derived identifier used to be appended to the global prefix as well, so your MAC address followed you onto every network you joined and could be read straight out of your global address. Most major operating systems changed that behaviour a long time ago: the stable global address now uses an opaque, per-network identifier (RFC 7217), and outgoing connections use short-lived temporary addresses (RFC 4941, now RFC 8981) that rotate regularly.
The global prefix is most likely provided by the ISP, or by your RIR if you’re a large enough enterprise. My ISP assigns me a /56, giving me 8 bits for subnetting. Each subnet is a /64, because RFC 4291 fixes the interface identifier at 64 bits and SLAAC only works on /64 links.
The second 64-bit half of the 128-bit address comes from the device itself, whether randomly generated or derived from the MAC address.
You can’t communicate with the Internet without a properly assigned global address. A link-local source is never forwarded by any router, and unique local addresses (fc00::/7) are not routed on the Internet, so packets from either simply go nowhere.
Thus, an IoT device manufacturer can’t simply hardcode a globally accessible IPv6 address for their device unless they tunnel it to their own network. Something they could do over IPv4 as well. This scenario would be an outgoing connection in either protocol.
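As an added example (not code from the original post), here is the modified EUI-64 derivation in POSIX sh, together with the reverse step that turns an EUI-64 interface identifier back into the MAC it came from, which is exactly the privacy leak the RFC 7217 and RFC 8981 schemes were introduced to close. The MAC addresses and the 2001:db8:1234:1 prefix are constructed sample values, and the global-address helper assumes the /64 prefix is written out as four explicit groups.

```shell
#!/bin/sh
# Added example, not code from the original post: how SLAAC turns a MAC into
# a modified EUI-64 interface identifier (RFC 4291, Appendix A), and how
# trivially the MAC is recovered from such an address.
# All MACs and prefixes below are constructed sample values.

# Print the four 16-bit groups of the modified EUI-64 IID for a MAC:
# flip the universal/local bit (0x02) of the first octet and splice ff:fe
# between the OUI (first three octets) and the NIC-specific half.
eui64_groups() {
    mac=$1
    oldifs=$IFS; IFS=:
    set -- $mac
    IFS=$oldifs
    [ $# -eq 6 ] || { echo "bad MAC: $mac" >&2; return 1; }
    b0=$(( 0x$1 ^ 0x02 ))
    g1=$(( (b0 << 8) | 0x$2 ))
    g2=$(( (0x$3 << 8) | 0xff ))
    g3=$(( 0xfe00 | 0x$4 ))
    g4=$(( (0x$5 << 8) | 0x$6 ))
    # RFC 5952 text form: no leading zeros inside a group.
    printf '%x:%x:%x:%x\n' "$g1" "$g2" "$g3" "$g4"
}

# Link-local address: fe80::/64 plus the IID. When the first IID group is
# zero the "::" has to swallow it too (it must cover the longest zero run).
link_local_from_mac() {
    groups=$(eui64_groups "$1") || return 1
    case $groups in
        0:*) printf 'fe80::%s\n' "${groups#0:}" ;;
        *)   printf 'fe80::%s\n' "$groups" ;;
    esac
}

# Global address under a /64: the first four groups come from the prefix
# (given uncompressed, e.g. 2001:db8:1234:1), the last four from the MAC.
# This is the pre-RFC 7217 behaviour that made the MAC follow a host around.
global_from_mac() {
    groups=$(eui64_groups "$2") || return 1
    printf '%s:%s\n' "$1" "$groups"
}

# The privacy problem in reverse: given the IID as four groups, recover the
# MAC. Returns 1 (prints nothing) when the IID is not MAC-derived, which is
# what RFC 7217 stable and RFC 8981 temporary addresses look like.
mac_from_iid() {
    oldifs=$IFS; IFS=:
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    g1=$(( 0x$1 )); g2=$(( 0x$2 )); g3=$(( 0x$3 )); g4=$(( 0x$4 ))
    # EUI-64 fingerprint: 0xff closes group 2 and 0xfe opens group 3
    [ $(( g2 & 0xff )) -eq 255 ] && [ $(( g3 >> 8 )) -eq 254 ] || return 1
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
        $(( (g1 >> 8) ^ 0x02 )) $(( g1 & 0xff )) $(( g2 >> 8 )) \
        $(( g3 & 0xff )) $(( g4 >> 8 )) $(( g4 & 0xff ))
}

main() {
    mac=00:11:22:33:44:55                       # constructed sample MAC
    ll=$(link_local_from_mac "$mac")
    echo "MAC $mac -> link-local $ll"
    echo "same IID under a global /64 -> $(global_from_mac 2001:db8:1234:1 "$mac")"
    echo "IID ${ll#fe80::} -> MAC $(mac_from_iid "${ll#fe80::}")"
    # A randomly generated IID carries no ff:fe marker and yields no MAC.
    mac_from_iid 1a2b:3c4d:5e6f:7081 || echo "IID 1a2b:3c4d:5e6f:7081 -> not MAC-derived"
}

main
```

The tell is the ff:fe in the middle of the identifier: any address in your own ip -6 addr output whose last four groups read xxxx:xxff:fexx:xxxx is MAC-derived, and the vendor prefix (OUI) of the interface can be read right off it.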
On UPnP
I don’t think UPnP and NAT-PMP are available on IPv6. PCP, which succeeded NAT-PMP, is.
I have UPnP/NAT-PMP disabled, so no experience there, but it would be the same approach on both protocols.
On attack surface
Having a single IPv4 address with NAPT or a globally addressable IPv6 subnet doesn’t really change the necessary precautions. As a baseline you need the exact same rules for both: default deny inbound, let established and related traffic back in, and open specific ports deliberately. The one difference is ICMPv6, a handful of whose message types must be allowed for IPv6 to function at all (RFC 4890 spells out which). You could even run an entire IPv4 network on public addresses without NAPT and be exactly as secure as a NAPT network, because it is the stateful firewall, not the address rewriting, that blocks unsolicited inbound connections.
I’m attaching screenshots at the bottom of the post with my inbound rules for both IPv4 and IPv6. IPv4 is with NAPT, and IPv6 is globally addressable.
There’s nothing secret there, since I don’t allow any WAN traffic inside except for ICMPv4 echo requests, so that my Internet connection can be monitored; my monitoring provider only does IPv4 for now.
In light grey are the default gateway rules, and there’s a default deny-all rule that’s not pictured. I can confirm it by running iptables -vnL or ip6tables -vnL on my gateway: the chain header shows the policy (DROP), and the -v counters show how many packets each rule has matched, which is a quick way to see whether a rule ever fires.
The default ICMPv6 rules are the minimal requirements for IPv6 to work. Neighbor Discovery (router solicitation/advertisement, neighbor solicitation/advertisement) runs over ICMPv6 and is how a device learns the prefix, the default router and its neighbours’ link-layer addresses, so it replaces both ARP and much of what DHCP does in the IPv4 world. ICMPv6 Packet Too Big must also get through, since IPv6 routers never fragment and path MTU discovery is the only fallback. DHCPv6 still exists but does not behave the same way as DHCPv4 (it cannot even hand out a default route, which only comes from router advertisements), so there is a learning curve there.
Summary on this entire point: your risk assessment over IPv6 is the same as over IPv4. The only lost “feature” is NAPT’s accidental security by obscurity, the fact that it hides internal addresses behind a single public one.
On port forwarding
Should I need to open a port, I would punch a hole in my IPv6 firewall for the specific destination IP address and transport-layer port. Not much more complicated than that.
Let’s say I want to open port 443/tcp (non-negotiable) for two different dual-stack devices:
- NAPT IPv4: With a single public IPv4 address behind NAPT, that’s not possible: external port 443 can only be forwarded to one internal host. The second device has to be reached on a different external port (8443, say), or you need a second public address and a port forward per address on your firewall.
- Globally addressable IPv4 or IPv6: You configure your firewall to allow connections to destination IP address 1 and destination IP address 2 on TCP port 443. No address rewriting is involved.
In both cases you can layer more elaborate conditions on top: only from certain source addresses, rate limits on new connections, and so on. No huge changes there.
But without NAPT it is much easier to understand what’s going on underneath, and the firewall really does what you tell it to. You don’t even need the NAT helpers (the conntrack ALGs that rewrite addresses embedded in FTP, SIP and similar payloads) to allow certain protocols to function.
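To make the attack-surface point and the port-forwarding comparison above concrete, here is an added example (my own, not the post’s ruleset and not what the screenshots show) that writes out iptables-restore / ip6tables-restore text for a dual-stack gateway: the IPv6 baseline with a default-deny policy and the RFC 4890 ICMPv6 set, plain filter holes for two hosts on 443/tcp, and the IPv4 NAPT equivalent where a second forward of the same external port is refused. The interface names eth0/eth1, the 2001:db8:1234:1::/64 prefix, the host addresses and the host/port spec syntax are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not the post's own ruleset: emit ip6tables-restore and
# iptables-restore text for a dual-stack gateway. Interface names, the /64
# and the host addresses are constructed placeholders.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN6=2001:db8:1234:1::/64          # one /64 carved from the ISP's /56

# ICMPv6 a gateway must accept for IPv6 to work (RFC 4890, 4.3.1): errors
# and echo. Packet Too Big matters most: IPv6 routers never fragment, so
# dropping it silently breaks path MTU discovery.
icmpv6_errors() {
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem echo-request echo-reply; do
        printf '%s -p ipv6-icmp --icmpv6-type %s -j ACCEPT\n' "-A $1" "$t"
    done
}
# Neighbor Discovery (RS/RA/NS/NA = types 133-136) replaces ARP and DHCP
# discovery; legitimate messages are link-local and arrive with hop limit 255.
icmpv6_nd() {
    for t in 133 134 135 136; do
        printf '%s -p ipv6-icmp --icmpv6-type %s -m hl --hl-eq 255 -j ACCEPT\n' "-A $1" "$t"
    done
}

# IPv6 baseline: default deny, stateful replies, LAN trusted, ICMPv6 set.
# Args: "host/port" specs, one filter hole each; no rewriting anywhere.
v6_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN -o $WAN -s $LAN6 -j ACCEPT
EOF
    icmpv6_errors INPUT
    icmpv6_nd INPUT
    icmpv6_errors FORWARD
    for spec in "$@"; do
        printf '%s -i %s -o %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "-A FORWARD" "$WAN" "$LAN" "${spec%/*}" "${spec##*/}"
    done
    echo COMMIT
}

# IPv4 behind one public address: the same filter hole plus a DNAT, and the
# external port is scarce. Args: "host:external_port:internal_port" specs;
# a repeated external port is refused instead of producing a dead rule.
v4_ruleset() {
    seen=" "
    for spec in "$@"; do
        ext=${spec#*:}; ext=${ext%:*}
        case $seen in
            *" $ext "*) echo "NAPT: external port $ext is already forwarded" >&2; return 1 ;;
        esac
        seen="$seen$ext "
    done
    printf '*nat\n%s -o %s -j MASQUERADE\n' "-A POSTROUTING" "$WAN"
    for spec in "$@"; do
        host=${spec%%:*}; rest=${spec#*:}
        printf '%s -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
            "-A PREROUTING" "$WAN" "${rest%:*}" "$host" "${rest#*:}"
    done
    cat <<EOF
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
EOF
    for spec in "$@"; do
        host=${spec%%:*}; rest=${spec#*:}
        printf '%s -i %s -o %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "-A FORWARD" "$WAN" "$LAN" "$host" "${rest#*:}"
    done
    echo COMMIT
}

main() {
    echo "# IPv6: two hosts, both reachable on 443/tcp"
    v6_ruleset 2001:db8:1234:1::a/443 2001:db8:1234:1::b/443
    echo "# IPv4 NAPT: the second host has to take another external port"
    v4_ruleset 192.168.1.10:443:443 192.168.1.11:8443:443
    echo "# IPv4 NAPT: the same external port twice is rejected"
    v4_ruleset 192.168.1.10:443:443 192.168.1.11:443:443 || true
}

main
```

Feed the output to ip6tables-restore (its --test flag parses and builds the ruleset without committing it); afterwards ip6tables -vnL INPUT shows the policy DROP line from the chain header and per-rule counters, the same check the post describes for confirming the default deny. Note that the two rulesets differ only in the ICMPv6 block and the nat table: the filter holes are identical in shape.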