[Re: #820] NAT firewall is not the only kind of firewall!


doopy

Member
Jun 7, 2021
24
5
This is my first post so hello everyone. I've been meaning to make an account here ever since the forums were first announced but never got around to it. I was listening to #820 today and Steve brought up one of my biggest pet peeves, so I was like, "that's it, I'm signing up and writing a pedantic rage post about this", haha. I'm sure most people will agree with Steve on this, but most importantly, I hope someone finds it informative nonetheless.


#820 transcript, pp. 10
The nutty IP purists, with their heads well positioned far up their you-know-whats, where the sun don't shine, have always decried the use of NAT. They say that the Internet was designed for every device to be directly addressable and accessible to every other. Well, thank god that never happened. Just because every IPv6 user will be receiving their own personal 64,000 IPv6 address space, don't ever consider directly mapping those external IPs through to your devices on the inside. [...] The last thing we need is to step out from behind the protection of those billions of little hardware firewalls that everyone is using today.
This paragraph implies a few different things:
  1. That NAT is a firewall, a firewall is NAT, and without NAT you have no firewall.
  2. That IPv6 is insecure because there is no NAT and therefore no firewall and therefore everything is exposed.
  3. That publicly addressable (basically) means publicly accessible.
  4. That some kind of mapping between internal and external IPv6 addresses would make IPv6 more secure.
First and foremost, you can still have a firewall on an IPv6 network without using any kind of NAT. You may be surprised to learn that nearly every IPv6-capable router ships with an IPv6 firewall enabled by default. Even the cheap little $30 Linksys 802.11n 10/100mbps router I bought for a project a few months ago had an IPv6 firewall enabled by default. The same is true of aftermarket firmwares like dd-wrt and OpenWRT, too. (There probably are some out there that had the firewall off by default, I wouldn't be surprised, but if you know of any I'd be interested in hearing which ones.)

How is this possible, you might ask?

SPI. Stateful packet inspection. The router watches for outbound connections, and permits returning traffic from the destination address and port back to the source address and port. However, it will drop unsolicited packets and inbound connections, even though they are addressed to an internal host's global IPv6 address. Unlike IPv4 NAT, the router *could* forward unsolicited packets into the internal LAN, since every host has a global IPv6 address. However, it simply *chooses* not to, as a matter of security policy. The router simply drops the packet, and the sender never hears back (i.e. the port is "stealth"). It's very similar to the way a software firewall protects an individual machine from other hosts on the LAN; in this case it works the same for IPv6 and IPv4.

SPI firewalls have been around at least as long as NAT, probably longer. In the early days, when your family had one computer and it was plugged right into the modem, you may have had an SPI firewall, but chances are you had to buy it, or at least enable it, on your own. The threats weren't as well understood back then. Consumers, and therefore vendors too, favored compatibility over security, and shipped firewalls disabled by default (or not at all). After all, you wouldn't want your early-2000s peer-to-peer filesharing programs to stop working because of some stupid "outbound-connections-only" firewall, would you?

Then came NAT, thanks to IPv4 address exhaustion. The only difference is that NAT itself behaves much like a firewall that cannot be turned off. This of course was by accident, as NAT was never really designed to be a security feature. Its only purpose was to more efficiently utilize public IPv4 address space. So it's no surprise that NAT has brought about its own "security" vulnerabilities. UPnP, Slipstreaming, and so on. I admit, though, the accidental security provided by NAT in practice was kind of a blessing, in a "doing the right thing for the wrong reasons" kind of way.

That being said, times have changed. Today, firewalls are enabled by default, and they're just as effective as NAT, although many people are still afraid of IPv6 for whatever reason. You might be wondering... well then how does IPv6 make the situation any better than it is/was with NAT? If the SPI firewall is blocking incoming connections, then we still have to put up with port forwarding, port holepunching, etc.

Arguably it doesn't, except maybe for hosting companies and perhaps some corporate networks, where you're hosting a large number of servers all on port 443, for example. The thing is, as long as people continue to disable IPv6, ISPs continue not to offer it, applications continue not to support it, and so on, hosting companies will continue fighting over public IPv4 addresses so their IPv4-only customers can reach them. No matter how you feel about NAT on the consumer side, I don't see many people hosting public servers on well-known ports through NAT'd internet connections.

Thanks for listening to my rant. I hope you found it interesting if nothing else. Feel free to reply about how I'm all wrong and how IPv6 is nothing but trouble and all that. After all, I'm just a nutty IP purist with my head where the sun don't shine, apparently. ;-P

(Oh and minor correction, a typical residential IPv6 address space is 64 bits, or 18446744073709551616 addresses, not 64,000 addresses.)
 
Reactions: EdwinG
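
The stateful filtering described in the post above, sketched as an added example that is not part of the original thread: a toy model of an SPI forwarding decision on a LAN with global IPv6 addresses and no address translation. The class and function names, the timeout and all addresses (taken from the 2001:db8::/32 documentation prefix) are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network

# Constructed values: 2001:db8::/32 is the documentation prefix.
LAN = IPv6Network("2001:db8:1:1::/64")  # globally routable LAN prefix, no NAT
IDLE_TIMEOUT = 120.0                     # assumed state lifetime, seconds

@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv6Address
    sport: int
    dst: IPv6Address
    dport: int

@dataclass
class SpiFirewall:
    states: dict = field(default_factory=dict)  # flow 5-tuple -> last seen
    pinholes: set = field(default_factory=set)  # (proto, inside addr, port)

    def forward(self, pkt: Packet, ingress: str, now: float) -> str:
        """Verdict for a packet arriving on 'lan' or 'wan'; never rewrites it."""
        if ingress == "lan":
            if pkt.src not in LAN:
                return "DROP"  # spoofed source, not one of our hosts
            # Outbound traffic creates or refreshes the flow's state entry.
            self.states[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return "ACCEPT"
        if pkt.dst not in LAN:
            return "DROP"
        # Inbound: look for the mirrored 5-tuple of a flow a LAN host started.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        seen = self.states.get(key)
        if seen is not None and now - seen <= IDLE_TIMEOUT:
            self.states[key] = now
            return "ACCEPT"
        self.states.pop(key, None)  # expire a stale entry
        if (pkt.proto, pkt.dst, pkt.dport) in self.pinholes:
            return "ACCEPT"  # explicitly opened by the admin
        return "DROP"  # unsolicited: routable, but policy says no reply

def demo() -> list:
    fw = SpiFirewall()
    host, web = IPv6Address("2001:db8:1:1::10"), IPv6Address("2001:db8:ffff::80")
    out = Packet("tcp", host, 50000, web, 443)
    reply = Packet("tcp", web, 443, host, 50000)
    probe = Packet("tcp", IPv6Address("2001:db8:bad::1"), 40000, host, 22)
    return [fw.forward(out, "lan", 0.0), fw.forward(reply, "wan", 1.0),
            fw.forward(probe, "wan", 2.0), fw.forward(reply, "wan", 500.0)]
```

`demo()` walks one outbound connection, its reply, an unsolicited probe to the same global address, and a late reply after the state entry has expired. The `pinholes` set plays the role that port forwarding plays behind NAT.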

PHolder

Well-known member
Sep 16, 2020
668
2
328
Ontario, Canada
I suspect the biggest reason that IPv6 is not popular with ISPs serving home users (note that I believe it is fairly common on cell networks) may well be because those ISPs don't want home users with easily addressable devices running their own servers. If you're forced to NAT that makes it much more difficult to have a FTP server, a mail server, or incoming torrent connections, to name a few things that ISPs really don't want their "average" customer to be engaging in.
 

Lob

What could possibly go wrong?
Nov 7, 2020
62
10
Actually my ISP at home and the one "away" use CG-NAT to reduce their IPv4 burden and have native IPv6 at the CPE.

Sadly, a lot of the Internet is still fixed on IPv4 which means that IPv4 port forwarding comes at a cost (me paying the ISP). I've moved myself from VPNing to my home network to using TailScale to create a layer in which my devices can communicate.

The fun with IPv4 and NAT is that the router became an accidental firewall; we can probably all remember when the devices just did NAT and did not have SPI functionality - and of course an unsolicited packet hitting the router cannot be routed onwards because the routing table has no idea what to do with it. It's like the router says "WTF" to the inbound traffic and it ends up in limbo.
 

doopy

Member
Jun 7, 2021
24
5
I suspect the biggest reason that IPv6 is not popular with ISPs serving home users (note that I believe it is fairly common on cell networks) may well be because those ISPs don't want home users with easily addressable devices running their own servers. If you're forced to NAT that makes it much more difficult to have a FTP server, a mail server, or incoming torrent connections, to name a few things that ISPs really don't want their "average" customer to be engaging in.

I guess it could be. However, every consumer router supports port forwarding, and it's not that hard to set up. NAT does prevent users from accidentally running a publicly accessible server, but then so does the IPv6 firewall. If you know enough to know how to disable the firewall, you probably know how to use port forwarding. In my experience, though, most ISPs don't actually try to prevent users from hosting servers, even if it's against their TOS. Many games and VoIP applications rely on inbound connections, too, although it's less common today.

The other thing is, if they wanted to prevent users from hosting servers, they could simply filter inbound connections at the ISP router. Most ISPs already block inbound (and outbound) port 25, for example. If they wanted to, they could easily drop unsolicited traffic to all ports and only allow outbound connections. It would be a piece of cake compared to all the traffic shaping and deep packet inspection that some ISPs have already been known to do.

I have a feeling a bigger reason is the cost of IPv6-capable equipment and personnel with IPv6 expertise. That, combined with the chicken-and-egg problem, meaning they'd still have to maintain IPv4 connectivity too, because not every site on the internet supports IPv6. So, understandably, it's a big cost for little immediate benefit.

Actually my ISP at home and the one "away" use CG-NAT to reduce their IPv4 burden and have native IPv6 at the CPE.

Sadly, a lot of the Internet is still fixed on IPv4 which means that IPv4 port forwarding comes at a cost (me paying the ISP). I've moved myself from VPNing to my home network to using TailScale to create a layer in which my devices can communicate.

The fun with IPv4 and NAT is that the router became an accidental firewall; we can probably all remember when the devices just did NAT and did not have SPI functionality - and of course an unsolicited packet hitting the router cannot be routed onwards because the routing table has no idea what to do with it. It's like the router says "WTF" to the inbound traffic and it ends up in limbo.

That's exactly it, an accidental firewall. It's so common now, that many people have forgotten that you can still perform inbound traffic filtering even if you're not doing NAT. Firewalls existed before NAT was even thought of. Steve of all people should know, he's certainly old enough to remember the internet before NAT. Yet, "NAT" has somehow become synonymous with "firewall". I guess it's sort of like how we've forgotten that pay phones used to exist before cell phones, or that fax machines existed before email, or that simple websites didn't used to require JavaScript to display static content, or... you get the idea.

Luckily I've never had to deal with CG-NAT except on my phone's mobile data network (just for IPv4). I didn't know CG-NAT ISPs even gave you the option of paying for port forwarding. I guess they'll make money any way they can, huh. CG-NAT just seems like a massive kludge to me, not just because of the inbound connection problem, but because of sharing a public IP with so many different people. A lot of sites will block or rate-limit you if you download too many files or sign up for too many accounts from the same IP - hopefully you have nice neighbors. :p
 

doopy

Member
Jun 7, 2021
24
5
Actually my ISP at home and the one "away" use CG-NAT to reduce their IPv4 burden and have native IPv6 at the CPE.

Sadly, a lot of the Internet is still fixed on IPv4 which means that IPv4 port forwarding comes at a cost (me paying the ISP). I've moved myself from VPNing to my home network to using TailScale to create a layer in which my devices can communicate.

The fun with IPv4 and NAT is that the router became an accidental firewall; we can probably all remember when the devices just did NAT and did not have SPI functionality - and of course an unsolicited packet hitting the router cannot be routed onwards because the routing table has no idea what to do with it. It's like the router says "WTF" to the inbound traffic and it ends up in limbo.

Actually... so your router gets a private address (like 192.168.0.0/16, 10.0.0.0/8, etc) from the ISP right? So does your router perform another level of NAT on that (using a different address pool), or do each of your devices get a private address in the same subnet as the router's WAN address?
 

doopy

Member
Jun 7, 2021
24
5
Oh and another thing I forgot to mention. On IPv6, even without a firewall, an attacker still pretty much has to know the exact address of a host present on the network. A 64 bit address space is too big to scan by brute force. An attacker could learn a host's address if the host connects to the attacker, of course, but it's not like IPv4 where an attacker can just scan the whole internet. This makes IPv6 act kind of like NAT does, in that if the attacker sends a packet to a random address within your /64 network, the router won't know where to send it. And with IPv6 Privacy Extensions, each host generates a new random address every so often, so it's always changing.
 

Lob

What could possibly go wrong?
Nov 7, 2020
62
10
Actually... so your router gets a private address (like 192.168.0.0/16, 10.0.0.0/8, etc) from the ISP right? So does your router perform another level of NAT on that (using a different address pool), or do each of your devices get a private address in the same subnet as the router's WAN address?
My router gets an IPv6 address and a class D IPv4 address (10.114.241.x, presently) on the WAN port and will give out valid IPv6 addresses and a different class D address on the intranet side of things. I could pay 25% extra on my monthly cost to get a fixed IPv4 public address but I am too tight.
 

doopy

Member
Jun 7, 2021
24
5
My router gets an IPv6 address and a class D IPv4 address (10.114.241.x, presently) on the WAN port and will give out valid IPv6 addresses and a different class D address on the intranet side of things. I could pay 25% extra on my monthly cost to get a fixed IPv4 public address but I am too tight.

Ah okay, so your router does its own NAT after the CG-NAT then it sounds like. I didn't realize you had IPv6 too, in that case I probably wouldn't spend an extra 25% on an IPv4 address either personally.
 

Lob

What could possibly go wrong?
Nov 7, 2020
62
10
Ah okay, so your router does its own NAT after the CG-NAT then it sounds like. I didn't realize you had IPv6 too, in that case I probably wouldn't spend an extra 25% on an IPv4 address either personally.
Also I have my own router behind the provider router. Better wifi, I manage it, etc etc etc.
 

miquelfire

I like red!
Sep 26, 2020
48
4
www.miquelfire.red
Speaking of CG-NAT, I noticed that my Chromebook gives the virtual Android environment a CG-NAT IP. I assume it does the same with the Linux container as well (the way I use Chromebook, I haven't bothered to enable that feature after the last powerwash however, so I'm too lazy to check right now)
 

doopy

Member
Jun 7, 2021
24
5
Speaking of CG-NAT, I noticed that my Chromebook gives the virtual Android environment a CG-NAT IP. I assume it does the same with the Linux container as well (the way I use Chromebook, I haven't bothered to enable that feature after the last powerwash however, so I'm too lazy to check right now)
By that you mean that the virtual Android environment has an IP different from the host, but in the same subnet as the host? As though perhaps the host is not acting as a NAT router but is instead relaying DHCP to the upstream DHCP server? I'm assuming this is when the chromebook has a 3G/4G/5G connection, not WiFi, correct?

If my understanding is correct, it's possible the Android environment is using a MACVLAN or IPVLAN interface, which is a special kind of virtual interface that sits on top of the physical interface, but with a different MAC or IP address. In that case, it works pretty much just like a real interface on the network, so when the Android environment makes a DHCP request, it goes directly out on the network, and the ISP's DHCP server responds. I'm just speculating, but I know MACVLAN and IPVLAN interfaces are commonplace in Linux-based container setups.
 

miquelfire

I like red!
Sep 26, 2020
48
4
www.miquelfire.red
No, the Chromebook is acting as a NAT router to the Android environment. My Chromebook doesn't have a cell modem, just WiFi. My WiFi is 192.168.3.x (192.168.7.x if I hook it up to the IoT network) and Android got a 100.something subnet