This is my first post so hello everyone. I've been meaning to make an account here ever since the forums were first announced but never got around to it. I was listening to #820 today and Steve brought up one of my biggest pet peeves, so I was like, "that's it, I'm signing up and writing a pedantic rage post about this", haha. I'm sure most people will agree with Steve on this, but most importantly, I hope someone finds it informative nonetheless.
#820 transcript, p. 10
The nutty IP purists, with their heads well positioned far up their you-know-whats, where the sun don't shine, have always decried the use of NAT. They say that the Internet was designed for every device to be directly addressable and accessible to every other. Well, thank god that never happened. Just because every IPv6 user will be receiving their own personal 64,000 IPv6 address space, don't ever consider directly mapping those external IPs through to your devices on the inside. [...] The last thing we need is to step out from behind the protection of those billions of little hardware firewalls that everyone is using today.
This paragraph implies a few different things:
- That NAT is a firewall, a firewall is NAT, and without NAT you have no firewall.
- That IPv6 is insecure because there is no NAT, therefore no firewall, and therefore everything is exposed.
- That publicly addressable (basically) means publicly accessible.
- That some kind of mapping between internal and external IPv6 addresses would make IPv6 more secure.
First and foremost, you can still have a firewall on an IPv6 network without using any kind of NAT. You may be surprised to learn that nearly every IPv6-capable router ships with an IPv6 firewall enabled by default. Even the cheap little $30 Linksys 802.11n 10/100 Mbps router I bought for a project a few months ago had an IPv6 firewall enabled by default. The same is true of aftermarket firmwares like DD-WRT and OpenWrt, too. (There probably are some out there that have the firewall off by default, I wouldn't be surprised, but if you know of any I'd be interested in hearing which ones.)
How is this possible, you might ask?
SPI. Stateful packet inspection. The router watches for outbound connections and permits returning traffic from the destination address and port back to the source address and port. However, it drops unsolicited packets and inbound connection attempts, even though they are addressed to an internal host's global IPv6 address. Unlike IPv4 NAT, the router *could* forward unsolicited packets into the internal LAN, since every host has a global IPv6 address. It simply *chooses* not to, as a matter of security policy. The router drops the packet, and the sender never hears back (i.e. the port is "stealth"). It's very similar to the way a software firewall protects an individual machine from other hosts on the LAN; in this case it works the same for IPv6 and IPv4.
SPI firewalls have been around at least as long as NAT, probably longer. In the early days, when your family had one computer and it was plugged right into the modem, you may have had an SPI firewall, but chances are you had to buy it, or at least enable it, on your own. The threats weren't as well understood back then. Consumers, and therefore vendors too, favored compatibility over security, and shipped firewalls disabled by default (or not at all). After all, you wouldn't want your early-2000s peer-to-peer filesharing programs to stop working because of some stupid "outbound-connections-only" firewall, would you?
Then came NAT, thanks to IPv4 address exhaustion. The difference is that NAT itself behaves much like a firewall that cannot be turned off. This of course was by accident, as NAT was never really designed to be a security feature. Its only purpose was to more efficiently utilize public IPv4 address space. So it's no surprise that NAT has brought about its own "security" vulnerabilities: UPnP, NAT Slipstreaming, and so on. I admit, though, the accidental security provided by NAT in practice was kind of a blessing, in a "doing the right thing for the wrong reasons" kind of way.
That being said, times have changed. Today, firewalls are enabled by default, and they're just as effective as NAT, although many people are still afraid of IPv6 for whatever reason. You might be wondering... well then, how does IPv6 make the situation any better than it is/was with NAT? If the SPI firewall is blocking incoming connections, then we still have to put up with port forwarding, port holepunching, etc.
Arguably it doesn't, except maybe for hosting companies and perhaps some corporate networks, where you're hosting a large number of servers all on port 443, for example. The thing is, as long as people continue to disable IPv6, ISPs continue not to offer it, applications continue not to support it, and so on, hosting companies will continue fighting over public IPv4 addresses so their IPv4-only customers can reach them. No matter how you feel about NAT on the consumer side, I don't see many people hosting public servers on well-known ports through NAT'd internet connections.
Thanks for listening to my rant. I hope you found it interesting if nothing else. Feel free to reply about how I'm all wrong and how IPv6 is nothing but trouble and all that. After all, I'm just a nutty IP purist with my head where the sun don't shine, apparently. ;-P
(Oh, and a minor correction: a typical residential IPv6 address space is 64 bits, i.e. a /64, or 18446744073709551616 (2^64) addresses, not 64,000 addresses.)
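To make the SPI paragraph above concrete, here is a toy connection-tracking filter that models what the post says a consumer router does on its LAN/WAN boundary. This is an added example written for this page; it is not code from the post, from the podcast, or from any router firmware, and the prefixes, hosts and packet trace are constructed from the RFC 3849 documentation space. It shows three things: a reply is accepted only when it matches the reversed 5-tuple of a flow the LAN host opened (a different remote host hitting the same LAN port is still dropped), an unsolicited inbound packet to a globally routable LAN address is silently dropped, and the IPv6 equivalent of a "port forward" is just a static accept rule with no address rewriting. One caveat a practitioner would want: an IPv6 firewall must not drop every inbound ICMPv6 message, because routers do not fragment in IPv6 and path-MTU discovery depends on Packet Too Big getting through (RFC 4890 lists the error types that should always be passed); the example allows those four types, and a real implementation would additionally check that the quoted inner packet belongs to a tracked flow.

```python
"""Toy stateful (SPI) IPv6 boundary filter. Added example, not from the post.

Policy modelled: outbound LAN->WAN flows are allowed and remembered;
inbound WAN->LAN packets are accepted only if they are the reverse of a
remembered flow, hit a statically opened port, or are an essential ICMPv6
error; everything else is dropped without any reply ("stealth").
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Set, Tuple

# Constructed sample LAN prefix (RFC 3849 documentation space), not a real network.
LAN_PREFIX = IPv6Network("2001:db8:1234:abcd::/64")

# ICMPv6 error messages that must still be passed (RFC 4890, section 4.3.1):
# 1 Destination Unreachable, 2 Packet Too Big, 3 Time Exceeded, 4 Parameter Problem.
ESSENTIAL_ICMPV6_ERRORS = {1, 2, 3, 4}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmpv6"
    sport: int = 0                   # unused for icmpv6
    dport: int = 0
    icmp_type: Optional[int] = None  # only meaningful for icmpv6


class SPIFirewall:
    """Minimal connection-tracking filter sitting between LAN and WAN."""

    def __init__(self, lan: IPv6Network) -> None:
        self.lan = lan
        self.flows: Set[Tuple] = set()     # (proto, lan_addr, lan_port, wan_addr, wan_port)
        self.pinholes: Set[Tuple] = set()  # (proto, lan_addr, lan_port) opened by policy

    def _is_lan(self, addr: str) -> bool:
        return IPv6Address(addr) in self.lan

    def open_port(self, proto: str, lan_addr: str, port: int) -> None:
        """IPv6 equivalent of a NAT port forward: a static accept rule, no rewriting,
        because the LAN host already has the global address the client connects to."""
        self.pinholes.add((proto, lan_addr, port))

    def filter(self, p: Packet) -> str:
        """Return the verdict 'ACCEPT' or 'DROP' for one packet crossing the boundary."""
        outbound = self._is_lan(p.src) and not self._is_lan(p.dst)
        inbound = self._is_lan(p.dst) and not self._is_lan(p.src)
        if outbound:
            # Remember the flow so the reply can come back in.
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        if inbound:
            if p.proto == "icmpv6":
                # Errors like Packet Too Big are needed for path-MTU discovery.
                return "ACCEPT" if p.icmp_type in ESSENTIAL_ICMPV6_ERRORS else "DROP"
            if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
                return "ACCEPT"  # reply to a connection the LAN host opened
            if (p.proto, p.dst, p.dport) in self.pinholes:
                return "ACCEPT"  # explicitly opened service
            return "DROP"        # unsolicited; no RST or ICMP is sent, so the port is "stealth"
        return "DROP"            # traffic that does not cross the boundary is not forwarded here


def run_demo() -> List[str]:
    """Constructed packet trace; returns the verdict for each packet in order."""
    fw = SPIFirewall(LAN_PREFIX)
    host = "2001:db8:1234:abcd::10"  # LAN host with a globally routable address
    trace = [
        Packet(host, "2001:db8:9::443", "tcp", 51000, 443),        # LAN host opens HTTPS
        Packet("2001:db8:9::443", host, "tcp", 443, 51000),        # server's reply
        Packet("2001:db8:ffff::1", host, "tcp", 40000, 22),        # unsolicited SSH probe
        Packet("2001:db8:ffff::1", host, "tcp", 443, 51000),       # wrong remote, same LAN port
        Packet("2001:db8:7::1", host, "icmpv6", icmp_type=2),      # Packet Too Big from a router
    ]
    verdicts = [fw.filter(p) for p in trace]
    # Open port 443 on a second LAN host, then an unsolicited connection to it is accepted.
    fw.open_port("tcp", "2001:db8:1234:abcd::20", 443)
    verdicts.append(fw.filter(Packet("2001:db8:ffff::1", "2001:db8:1234:abcd::20", "tcp", 40001, 443)))
    return verdicts  # ['ACCEPT', 'ACCEPT', 'DROP', 'DROP', 'ACCEPT', 'ACCEPT']


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The fourth packet is the one worth staring at: it targets the very port the LAN host is using for its HTTPS session, but because the source address does not match the remembered flow it is dropped just like the SSH probe. That is the whole point of tracking the full tuple rather than just "which ports are in use", and it is why having a global address on every LAN host does not by itself make those hosts reachable.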