
IPv6 kills NAT?

Red Squirrel ([H]F Junkie, joined Nov 29, 2009, 9,217 messages)
I've been reading up on IPv6, and it seems they got rid of NAT?!

Now I realize NAT is not meant for security, but it does act as a very simple layer of security that is very easy to setup. Ex: most users can buy a NAT router, install it and be secure from outside connections. You don't need to worry about keeping a software firewall on each machine or making sure everything is patched.

Also, most ISPs only give you 1 or 2 IPs, so without NAT, you'll only have a few machines online. People like us may have 10, 20 maybe 50 machines at once which require internet access. NAT is great for this as they are still in their own network and separated from the internet.

Another thing, it's MUCH faster to connect to a local IP than an internet one. If each computer is to have an ISP assigned IP that means when you connect to a PC on your network you will be going through your ISP then back.

I guess you can still use IPv4 locally but would there be other options? Or am I understanding this wrong? If anything my biggest concern would be the fact that the number of systems you can have at home would now be governed by how many IPs your ISP is willing to assign you. Sure there will be tons of IPs to go around but it still won't stop them from limiting you or charging extra. There's plenty of bandwidth to go around yet we still see ridiculous caps, so they'll do the same here with IPs.
 
I would love to get a book that is easy to understand on IPv6. If it were in a video format, even better. I learn best by video vs reading.
 
Be warned, this is based on my limited knowledge on the subject. Names and terms WILL be wrong, but the concepts will be largely unmolested.
Also, most ISPs only give you 1 or 2 IPs, so without NAT, you'll only have a few machines online. People like us may have 10, 20 maybe 50 machines at once which require internet access. NAT is great for this as they are still in their own network and separated from the internet.
In IPv6 land, ISPs will assign a "network", not an IP.

To envision this, imagine your IPv4 ISP saying "You have the address range 66.76.12.0/24".
Another thing, it's MUCH faster to connect to a local IP than an internet one. If each computer is to have an ISP assigned IP that means when you connect to a PC on your network you will be going through your ISP then back.
Nope, just to the router, as the subnet assignment will be handled by the local router.
Now I realize NAT is not meant for security, but it does act as a very simple layer of security that is very easy to setup. Ex: most users can buy a NAT router, install it and be secure from outside connections. You don't need to worry about keeping a software firewall on each machine or making sure everything is patched.
I'll address this too; most home routers will come with external firewalls turned on by default; so no incoming connections are passed. However, internal systems will still be able to route their traffic out.

More than that, however, internal systems will likely be able to pop open ports ( look at upnp today ) on a per-need basis.
 
So if they assign you a block, is it the router's job to assign those IPs to the internal computers? Does it do sort of a 1:1 NAT type translation or how does that work?
 
So if they assign you a block, is it the router's job to assign those IPs to the internal computers? Does it do sort of a 1:1 NAT type translation or how does that work?
Same as IPv4. You just need a switch as no routing will be taking place on your end (unless you desperately want it for whatever reason).
 
So if they assign you a block, is it the router's job to assign those IPs to the internal computers? Does it do sort of a 1:1 NAT type translation or how does that work?
You can assign addresses via dhcp, but ipv6 supports what's called "stateless address assignment", wherein the client picks its own address from the subnet advertised by the router. I imagine this will probably be the norm for home networks as it's far simpler to make a router without dhcp than with it.

As far as NAT, no. It's simply a router, and behaves in much the same way an ipv4 router behaves.

For home scenarios, I imagine the router will be set to default deny any traffic coming in from the public interface, excepting traffic for registered applications ( workstations themselves will request ports from the router, much as upnp does today ).
 
So what will routers' functions look like? If the ISP is assigning IPs it's doing the routing as well, correct? When would you use a router on IPv6? Sorry, I'm having trouble grasping this for some reason... I suppose it's like subnetting. Once it clicks it just makes sense.
 
It will never kill NAT for the simple fact that nobody is going to pay their ISP for additional IP addresses when 1 IP will serve all of their needs. (and you know for a 100% fact ISPs will be charging for each additional IP because they are money hungry bastards)
 
I'm starting to think you'd basically have DHCP (or the new method) assigning IPs on the inside interface. Even though there's no NAT there would still be an outside and inside interface. So it's kinda like when you rent a server from a data center they give you a range of IPs but you can route them yourself the way you want (Ex: VMs, or if you are colocating, a switch with multiple PCs etc).

Though the problem I still have with that is you will be limited in how many networked computers you have without doing anything drastic as I'm sure ISPs will purposely only give like 8 IPs or something then charge for more. Based on what I've been reading though there is quite a lot of uproar on the lack of NAT, so I have a feeling it may just get added in later.

I think NAT serves more than saving IPs, it also acts as an isolation method so you can have full control over what's behind it. Even experts dub it as something complicated. Is port forwarding and external/internal IP addressing that hard to understand? I know that if I want to run a server I need to forward the port to the local IP, but advertise the external IP to others. To me it's just common sense, but some technical documents I read were talking about it like it's a huge complicated thing to do.
 
So what will routers' functions look like? If the ISP is assigning IPs it's doing the routing as well, correct? When would you use a router on IPv6? Sorry, I'm having trouble grasping this for some reason... I suppose it's like subnetting. Once it clicks it just makes sense.
No, the ISPs will be assigning a subnet, with the router being local.

As to how many IPs each subnet assigned will have available...this is where my knowledge starts to fail. I want to say I read somewhere that they were going to assign the equivalent of the entire IPv4 address space to each household? I could be wrong, but as there are 2^128 available IPv6 addresses, it's not like we really have to worry about a shortage.
 
I'm starting to think you'd basically have DHCP (or the new method) assigning IPs on the inside interface. Even though there's no NAT there would still be an outside and inside interface. So it's kinda like when you rent a server from a data center they give you a range of IPs but you can route them yourself the way you want (Ex: VMs, or if you are colocating, a switch with multiple PCs etc).
You're getting the idea.
Though the problem I still have with that is you will be limited in how many networked computers you have without doing anything drastic as I'm sure ISPs will purposely only give like 8 IPs or something then charge for more. Based on what I've been reading though there is quite a lot of uproar on the lack of NAT, so I have a feeling it may just get added in later.
I doubt it, for reasons stated later.
I think NAT serves more than saving IPs, it also acts as an isolation method so you can have full control over what's behind it. Even experts dub it as something complicated. Is port forwarding and external/internal IP addressing that hard to understand? I know that if I want to run a server I need to forward the port to the local IP, but advertise the external IP to others. To me it's just common sense, but some technical documents I read were talking about it like it's a huge complicated thing to do.
Consumer routers will simply become a router/firewall device. NAT itself is a hack; if everything is publicly addressable, it dramatically simplifies the process.
 
So if they assign you a block, is it the router's job to assign those IPs to the internal computers? Does it do sort of a 1:1 NAT type translation or how does that work?

Addresses are assigned via DHCPv6 or SLAAC.

As far as address allocation goes it's up to the individual provider what size block they want to offer. IIRC it's recommended that businesses receive a /48 and home users get a /48-/56; anything smaller than a /64 and it will break SLAAC.

Subnetting still works on v6 so you're able to take a block assigned to you and break it down further like you currently can.

For people wanting to play with IPv6 Hurricane Electric offers v6 tunnels you can setup if you have a router that supports it (Cisco, Vyatta, etc).
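As an added example (not from any poster in this thread) of what the reply above describes, the following Python uses the standard `ipaddress` module to carve an ISP-delegated prefix into /64 LAN subnets, give the router the first address in each, and check the /64 rule for SLAAC. The prefixes are RFC 3849 documentation addresses and the LAN names are made up.

```python
import ipaddress

# Added example (not from the thread): what a router does with the prefix
# the ISP delegates, without any translation.  Prefixes are RFC 3849
# documentation addresses chosen for illustration; the LAN names are made up.

SLAAC_PREFIX_LEN = 64  # SLAAC needs a 64-bit interface identifier (RFC 4862/4291)


def count_64s(prefix: str) -> int:
    """How many /64 LAN subnets fit in a delegated prefix (0 if it is too small)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > SLAAC_PREFIX_LEN:
        return 0
    return 1 << (SLAAC_PREFIX_LEN - net.prefixlen)


def slaac_capable(prefix: str) -> bool:
    """A prefix longer than /64 leaves no room for the interface identifier."""
    return ipaddress.IPv6Network(prefix, strict=False).prefixlen <= SLAAC_PREFIX_LEN


def lan_subnets(delegated: str, lan_names):
    """Carve consecutive /64s out of the delegated prefix, one per named LAN.

    Returns {name: (network, router_address)}.  The router takes the first
    host address (prefix::1) in each subnet and advertises the /64 to
    clients, which then pick their own addresses inside it.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if not slaac_capable(delegated):
        raise ValueError(f"{pd} is longer than /64; SLAAC cannot run on it")
    available = pd.subnets(new_prefix=SLAAC_PREFIX_LEN)
    assigned = {}
    for name in lan_names:
        try:
            net = next(available)
        except StopIteration:
            raise ValueError(f"{pd} holds only {count_64s(delegated)} /64s") from None
        assigned[name] = (net, net[1])
    return assigned


if __name__ == "__main__":
    for size in ("/48", "/56", "/60", "/64"):
        print(f"2001:db8::{size} -> {count_64s('2001:db8::' + size)} /64 subnets")
    for name, (net, gw) in lan_subnets("2001:db8:abcd:100::/56", ["lan", "iot", "guest"]).items():
        print(f"{name:6} {net}  router {gw}")
```

Note that a /56 already yields 256 LAN subnets and a /48 yields 65,536, which is why the "how many IPs will the ISP give me" worry from IPv4 does not carry over: the unit of allocation is a subnet, and the number of hosts inside a /64 is never the constraint.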
 
IPv6 makes me feel retarded, especially since I just passed my CCNA :p .

So in NAT terms, IPv6 will almost be like a NAT pool, but the pool will be large enough to have one IP for each internal host. So you still assign your outside interface say the first IP in the pool and the inside hosts will "grab" an IPv6 Global address, correct? So do you tell the router what subnet is assigned to you on the WAN interface and then it will distribute it out via DHCP internally or what?
 
Depends on the design - most likely your outside interface will be on a /64 p2p link and then PREFIX::1/48 will be assigned to your inside interface. It may seem similar to a NAT setup on v4 but the difference is it doesn't do any address translation.
 
And the reason it doesn't do translation is because the ISP has routes for your prefix set to you as opposed to how we usually only have one ipv4 address routed to us currently, correct?
 
Even if IPv6 is designed to not need NAT it doesn't necessarily mean that it will kill NAT.

As a starter most ISPs will give you networks at /48 or /56 to the end customers (or even /64).

Its uncommon to use a network (even linknets) with higher prefix than /64.

Which gives that even if an IPv6 address is 128bit (compared to 32bit as with IPv4) many of these 128bits are already reserved for other use.

There are basically two major issues with IPv6 where NAT is still needed:

1) When you have or need to reach IPv4 hosts (and your IPv4 hosts needs to reach IPv6 hosts).

and

2) Privacy issues.

Looking at 1 above a workaround can be to use dual stacking, however not all hosts support dual stacking so you still need to setup more or less static NAT to go IPv4 <-> IPv6 (or IPv6 <-> IPv4).

There exist other workarounds like Teredo and such but going for a 1:1 NAT will in most cases be the best performance option (for example in your internal network - no need to install Teredo software on the hosts that don't know IPv6).

Now for the 2 above...

Privacy issues in terms of who did what (or rather which box did what). The ISP knows who is using this particular /48 or /56 range - but the rest of the world hopefully doesn't (more than the nickname you use and such).

In the beginning the last 48 bits was the MAC address of the box. Soon the IPv6 people found out this wasn't one of their brightest moments so methods to randomize the last 48 bits were invented.

However this randomization only occurs when the box boots up so during the box uptime you can still from the outside track which box did which things on the Internet (ad-tracking someone? ;-)

So there is still a need to "hide" several clients behind a single ip-address even when it comes to IPv6 (however the reasons for using NAT might have slightly changed, or rather the reason for using NAT due to lack of public ip addresses is removed when you use IPv6 but the other reasons still remain).
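Added example, not from the post above: the MAC-derived identifier the post refers to is the modified EUI-64 of RFC 4291, which sits in the low 64 bits of a SLAAC address. The Python below shows that derivation, the reverse mapping that lets any peer or tracker recover the MAC from the address, and a randomised identifier of the kind RFC 4941 temporary addresses use instead. The prefix and MAC are illustration values.

```python
import ipaddress
import secrets

# Added example (not from the thread): the "last 64 bits" of a SLAAC
# address.  Shows the modified EUI-64 derivation from the MAC, how anyone
# who sees the address gets the MAC back (the tracking problem described
# above), and a randomised identifier in its place.  Prefix and MAC are
# made-up illustration values.

U_L_BIT = 1 << 57  # universal/local bit: bit 0x02 of the IID's first octet


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the u/l bit of the first octet and splice ff:fe into the middle.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]
    return int.from_bytes(iid, "big")


def random_iid() -> int:
    """64 random bits, as RFC 4941 temporary addresses do.  The u/l bit is
    cleared so the identifier is not mistaken for a globally unique one."""
    return secrets.randbits(64) & ~U_L_BIT


def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix learned from the router with an interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & ((1 << 64) - 1)))


def mac_from_address(addr: str):
    """Recover the MAC if the address carries an EUI-64 identifier, else None.

    Heuristic: the ff:fe marker is what an observer looks for.  A random
    IID can collide with it by chance (1 in 65536), so only the absence of
    the marker is a firm conclusion.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    prefix, mac = "2001:db8:1:2::/64", "00:1a:2b:3c:4d:5e"
    fixed = slaac_address(prefix, eui64_iid(mac))
    temp = slaac_address(prefix, random_iid())
    print("EUI-64 address :", fixed, "-> MAC", mac_from_address(str(fixed)))
    print("random address :", temp, "-> MAC", mac_from_address(str(temp)))
```

The EUI-64 form is what makes a host trackable across networks: the prefix changes, the low 64 bits do not. A randomised identifier breaks that link, but as the post notes it only helps if it is rotated; a value that stays fixed for the whole uptime still correlates everything that host does on one network.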
 
Starting to make sense now. But then how does each internal client get a global IP? Is it random assigned by the router through DHCP or how is that handled on the inside?
 
Starting to make sense now. But then how does each internal client get a global IP? Is it random assigned by the router through DHCP or how is that handled on the inside?
IPv6 DHCP or the stateless autoconfiguration, and it's assigned from the range the ISP assigned you.
 
Now I realize NAT is not meant for security, but it does act as a very simple layer of security that is very easy to setup. Ex: most users can buy a NAT router, install it and be secure from outside connections
Wrong. Wrong. Wrong. I can't stand it.

NAT doesn't prevent connections to internal hosts from the outside. A packet filter does that. The fact that virtually every NAT router has a packet filter inside doesn't mean that NAT has anything to do with security.
 
IPv6 DHCP or the stateless autoconfiguration, and it's assigned from the range the ISP assigned you.

And that stateless autoconf magic happens thanks to Neighbour Discovery protocol:

http://www.tcpipguide.com/free/t_TCPIPIPv6NeighborDiscoveryProtocolND.htm

http://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol

http://packetlife.net/blog/2008/aug/28/ipv6-neighbor-discovery/

Which, as mentioned on the wikipedia site, also has its vulnerabilities so it isn't just "plug and play" (well functional wise it's PnP but not security wise where you need, just like with DHCP snooping (to avoid rogue DHCP servers and other DHCP related junk), to manually configure which interfaces should be trusted and so on).
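Added example (not from the linked pages or from any poster): the Router Advertisement that makes stateless autoconfiguration "just work", built and parsed by hand with the standard library, and the trust check an RA Guard style policy applies before a host autoconfigures from it. Addresses are documentation values; the trusted-router list and the rogue source are assumptions for the demo, and the ICMPv6 checksum is left at zero as it is computed elsewhere on a real stack.

```python
import ipaddress
import struct

# Added example (not from the thread): an ICMPv6 Router Advertisement with one
# Prefix Information option, built and parsed by hand, plus an RA Guard style
# check: only accept prefixes from a link-local source on a trusted list.
# Documentation prefixes; trusted router fe80::1 and rogue fe80::666 are made up.

ND_ROUTER_ADVERTISEMENT = 134
ND_OPT_PREFIX_INFORMATION = 3
PI_FLAG_ONLINK = 0x80      # L: prefix is directly reachable on this link
PI_FLAG_AUTONOMOUS = 0x40  # A: hosts may form SLAAC addresses from it


def build_ra(prefix: str, router_lifetime=1800, valid=2592000, preferred=604800,
             flags=PI_FLAG_ONLINK | PI_FLAG_AUTONOMOUS) -> bytes:
    """RA header (RFC 4861 s4.2) followed by a Prefix Information option (s4.6.2)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERTISEMENT, 0, 0,   # type, code, checksum
                         64, 0, router_lifetime, 0, 0)                 # hop limit, M/O, lifetime, reachable, retrans
    option = struct.pack("!BBBBIII", ND_OPT_PREFIX_INFORMATION, 4,      # length in 8-octet units
                         net.prefixlen, flags, valid, preferred, 0) + net.network_address.packed
    return header + option


def parse_ra(data: bytes) -> dict:
    """Return the router lifetime and the prefix options; reject malformed options."""
    if len(data) < 16 or data[0] != ND_ROUTER_ADVERTISEMENT or data[1] != 0:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack("!H", data[6:8])[0]
    prefixes, off = [], 16
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated option header")
        otype, olen = data[off], data[off + 1]
        if olen == 0:                       # RFC 4861 s4.6: packet MUST be discarded
            raise ValueError("zero-length ND option")
        end = off + olen * 8
        if end > len(data):
            raise ValueError("option runs past end of packet")
        if otype == ND_OPT_PREFIX_INFORMATION and olen == 4:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", data[off + 2:off + 16])
            addr = ipaddress.IPv6Address(data[off + 16:off + 32])
            prefixes.append({
                "prefix": ipaddress.IPv6Network(f"{addr}/{plen}", strict=False),
                "onlink": bool(pflags & PI_FLAG_ONLINK),
                "autonomous": bool(pflags & PI_FLAG_AUTONOMOUS),
                "valid": valid, "preferred": preferred,
            })
        off = end                           # unknown options are skipped, not fatal
    return {"router_lifetime": router_lifetime, "prefixes": prefixes}


def slaac_prefixes(data: bytes, src: str, trusted_routers) -> list:
    """Prefixes a host may autoconfigure from after the RA Guard style policy:
    the RA must come from a link-local source on the trusted list, and only
    /64s carrying the A flag are usable."""
    source = ipaddress.IPv6Address(src)
    allowed = {ipaddress.IPv6Address(t) for t in trusted_routers}
    if not source.is_link_local or source not in allowed:
        return []
    return [p["prefix"] for p in parse_ra(data)["prefixes"]
            if p["autonomous"] and p["prefix"].prefixlen == 64]


if __name__ == "__main__":
    trusted = {"fe80::1"}
    good = build_ra("2001:db8:1:2::/64")
    rogue = build_ra("2001:db8:bad::/64")
    print("from fe80::1   ->", slaac_prefixes(good, "fe80::1", trusted))
    print("from fe80::666 ->", slaac_prefixes(rogue, "fe80::666", trusted))
```

Without the source check any host on the segment can send the rogue RA and become the default router for everyone, which is the IPv6 counterpart of the rogue DHCP server mentioned above; on managed switches the equivalent control is RA Guard on the access ports, with only the uplink marked trusted.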
 
Wrong. Wrong. Wrong. I can't stand it.

NAT doesn't prevent connections to internal hosts from the outside. A packet filter does that. The fact that virtually every NAT router has a packet filter inside doesn't mean that NAT has anything to do with security.

if there is no DMZ set up, it does EXACTLY that...

if the NAT table doesn't have anything in it, and it doesn't KNOW where to send traffic from the outside, then it is effectively preventing connections... kind of like security through obscurity... how is it supposed to translate when it doesn't know what to translate to?



This thread is full of people who show me that IPv6 is a long way from adoption... if even the vast majority of IT professionals (and I'd like to think most here on [H] are the upper tier of this industry) have no idea how it's to be implemented, change is a long way off...

I'm also surprised somebody with a CCNA is having such a hard time grasping it...

I get that our minds are wired to think of things w/ NATs and private IPs... but if you understand the fundamentals of routing it shouldn't be that hard to figure out....
 
Wrong. Wrong. Wrong. I can't stand it.

NAT doesn't prevent connections to internal hosts from the outside. A packet filter does that. The fact that virtually every NAT router has a packet filter inside doesn't mean that NAT has anything to do with security.

Given that it is a router you have and not a bridge and so on...

Yes technically speaking NAT is only to exchange the srcip and/or dstip into some other value (hence Network Address Translation).

On top of NAT you also have PAT (which most times is included within the functionality of a NAT router) which acts on srcport and/or dstport. One could argue that NAT is L3 and PAT is L4.

And while you have NAT you most likely have SPI (Stateful Packet Inspection) to track who started the session (in which direction)... and while you have this you also end up with plain packet filtering (or ACL - Access Control List).

And if its a more modern box you will also have NGFW features in it including detecting the contents of the sessions (application identification), ability to decrypt SSH/SSL (MITM/SSL-termination), url-categorizations and so forth (but thats a bit off-topic ;-)

So yes if you are really unlucky you end up having a NAT router that can ONLY do NAT (and not PAT, SPI or ACL)... but hopefully these boxes are not too common out there...
 
if there is no DMZ set up, it does EXACTLY that...

if the NAT table doesn't have anything in it, and it doesn't KNOW where to send traffic from the outside, then it is effectively preventing connections... kind of like security through obscurity... how is it supposed to translate when it doesn't know what to translate to?



This thread is full of people who show me that IPv6 is a long way from adoption... if even the vast majority of IT professionals (and I'd like to think most here on [H] are the upper tier of this industry) have no idea how it's to be implemented, change is a long way off...

I'm also surprised somebody with a CCNA is having such a hard time grasping it...

I get that our minds are wired to think of things w/ NATs and private IPs... but if you understand the fundamentals of routing it shouldn't be that hard to figure out....

In my defense, you only barely touch on IPv6 in CCNA. Hence why I posted questions in here, to learn about it. You have to learn sometime and somewhere.
 
In my defense, you only barely touch on IPv6 in CCNA. Hence why I posted questions in here, to learn about it. You have to learn sometime and somewhere.
I had the same issue. What helped me get my head around it ( and I am far from an expert ) is to think of the edge devices as routers. End of story, that's it.

IPv6 gets pretty simple when you get in that mindset.
 
I had the same issue. What helped me get my head around it ( and I am far from an expert ) is to think of the edge devices as routers. End of story, that's it.

IPv6 gets pretty simple when you get in that mindset.

What do you mean by edge device? You edge device would be a router, no?
 
What do you mean by edge device? You edge device would be a router, no?
Er...kinda. Keeping with the theme of "consumer grade devices", most home "routers" are more "firewall appliances" than true routers. True routers..."route"...traffic between networks, whereas home "routers" translate between networks.

A subtle distinction, and probably not all that important to current discussions, but I had it drilled into me by a particularly avid networking specialist years ago, and it's hard for me to think otherwise now :D.
 
I've always been stumped about how IPv6 would work for home users as well; I think some of the posts in this thread have cleared that up. Basically, when IPv6 is rolled out to someone like me, I can set my Cisco ASA to transparent mode and be done with it? No need to route, really.
 
You will always need to route. Everyone is going to get more IPs than the whole of the IPv4 address space. (bit of a waste but it is what it is)

Routers that an ISP gives you will be set to deny inbound connections and most likely DHCPv6 on the internal nic, with a /64 assigned much like NAT does now just it's a real routable address.

Just let NAT die and love being able to connect to everything.
 
In regards to this topic, IPv6 brings networking back to where it was originally intended to be before NAT. NAT was implemented to address the issue of a rapidly depleting pool of addresses. It's actually ironic that NAT has become so ubiquitous that some people cannot imagine a working Internet without it, like it's "necessary" for the Internet to work when it's really an add-on.

NAT is an "add-on" to a router and arguably firewall features are also add-ons. With pure IPv6 you will have a firewall/router and that's it. Your IPv6 addresses will be publicly routable (unlike a NAT'ed private IP). If the firewall is disabled then all devices on your network will be fully exposed to the Internet just as if they were plugged into the modem/router directly. Having proper firewall rules will be what provides security.

Most midrange routers/firewalls already provide something similar anyways. On a Cisco or Sonicwall, etc. you already need to configure firewall and NAT rules. With IPv6 it's only firewall rules.

Riley
 
In regards to this topic, IPv6 brings networking back to where it was originally intended to be before NAT. NAT was implemented to address the issue of a rapidly depleting pool of addresses. It's actually ironic that NAT has become so ubiquitous that some people cannot imagine a working Internet without it, like it's "necessary" for the Internet to work when it's really an add-on.

NAT is an "add-on" to a router and arguably firewall features are also add-ons. With pure IPv6 you will have a firewall/router and that's it. Your IPv6 addresses will be publicly routable (unlike a NAT'ed private IP). If the firewall is disabled then all devices on your network will be fully exposed to the Internet just as if they were plugged into the modem/router directly. Having proper firewall rules will be what provides security.

Most midrange routers/firewalls already provide something similar anyways. On a Cisco or Sonicwall, etc. you already need to configure firewall and NAT rules. With IPv6 it's only firewall rules.

Riley

Ever heard of RFC1918 ranges? :p

Point of NAT is also when two parties use the same network internally.
 
Does ipv6 actually kill NAT? I thought it just made it so that most people don't need it. Can't you still setup NAT with ipv6 if you want?

This doesn't seem like it's even up to the ipv6 spec, but up to the actual router manufacturers.
 
In my defense, you only barely touch on IPv6 in CCNA. Hence why I posted questions in here, to learn about it. You have to learn sometime and somewhere.

To be honest, I don't remember getting anything on IPv6 in CCNA either... but I do remember learning routing and VLSM

I guess the difference is I was taught it from more of a "theory" perspective than from a "real world" or "take the test and pass it" perspective... I prefer it that way but understand different people learn differently...
 
Does ipv6 actually kill NAT? I thought it just made it so that most people don't need it. Can't you still setup NAT with ipv6 if you want?

This doesn't seem like it's even up to the ipv6 spec, but up to the actual router manufacturers.


I'm sure you can still NAT with IPv6, my assumption is that quite a few companies, users, etc will. The basics are that there are really no requirements whatsoever to NAT in general if the device is externally addressable. That said NAT isn't there for security, it's just a mechanism for sharing limited address spaces which have come about with IPv4.

For the foreseeable future, I'm sure most companies will have an edge based routing device taking their IPv6 addresses and NATing them into IPv4 address internally, especially for small businesses that don't care or have a want to deal with IPv6 until they are absolutely forced to.
 
IPv6 does reserve a large block for private use only: fc00::/7

This is a great thing.

I foresee the problem more so being that many devices on many networks will only run on IPv4 and not include IPv6 support. Most admins will have to either setup and support dual stacking or will simply choose to NAT an IPv6 public address through a firewall and maintain an IPv4 internal network for simplicity and compatibility.

It'll be interesting to see how this all plays out in the long run when the time comes to finally move everyone to IPv6 and when more admins become comfortable with the fact that NATing doesn't equate to "security" in any real tangible way.

On a side note, I found it funny that US government couldn't make the switch to IPv6 even when mandated. I'd have to assume a good portion of the trouble was due to dual stacking and having to support old crappy government equipment.

http://www.zdnet.com/us-government-gets-an-f-for-ipv6-internet-make-over-7000005055/
 
I'm really starting to understand this more now. My main concern is still whether ISPs will truly follow the /64 per user rule or not. The idea of true routing without NAT is kinda growing on me too. I kinda like the idea of letting the firewall do the work without worrying about port forwarding. Want to access a specific server in my house from work, just need to let my work IP access that server's IP. It's almost like having an extension of the internet in my house. :D
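Added example, not from any post in the thread: a Python model of the router/firewall the posts above describe. It covers the point made several times that a stateful packet filter, not translation, is what keeps unsolicited connections out, and the "let my work IP reach that server" scenario in the post just above. Inside hosts keep their global addresses; nothing is rewritten. Prefixes are RFC 3849 documentation addresses, and the work network and server address are assumptions for the demo.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the thread): a model of the edge filter a no-NAT
# IPv6 router needs.  Default deny inbound, connection tracking lets replies
# back in, anti-spoofing on both sides, and an explicit rule admits one
# outside network to one inside server.  Documentation prefixes; the "work"
# network 2001:db8:ffff::/48 and server ::10 are made-up values.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmpv6"
    sport: int
    dport: int


class EdgeFilterV6:
    def __init__(self, inside_prefix: str, allow_inbound=()):
        self.inside = ipaddress.IPv6Network(inside_prefix)
        # allow_inbound entries: (source network, inside host, proto, dport)
        self.allow = [(ipaddress.IPv6Network(net), ipaddress.IPv6Address(host), proto, port)
                      for net, host, proto, port in allow_inbound]
        self.state = set()   # 5-tuples of connections opened from inside

    def forward(self, pkt: Packet, ingress: str) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        src, dst = ipaddress.IPv6Address(pkt.src), ipaddress.IPv6Address(pkt.dst)
        if ingress == "lan":
            if src not in self.inside:
                return False                 # egress filtering: only our prefix leaves
            self.state.add((pkt.proto, src, pkt.sport, dst, pkt.dport))
            return True
        if ingress == "wan":
            if src in self.inside or dst not in self.inside:
                return False                 # spoofed inside source, or not routed to us
            if pkt.proto == "icmpv6":
                return True                  # simplified: RFC 4890 lists which types to pass
            if (pkt.proto, dst, pkt.dport, src, pkt.sport) in self.state:
                return True                  # reply to a connection an inside host opened
            return any(src in net and dst == host and proto == pkt.proto and port == pkt.dport
                       for net, host, proto, port in self.allow)   # explicit exception
        raise ValueError(f"unknown interface {ingress}")


if __name__ == "__main__":
    fw = EdgeFilterV6("2001:db8:abcd:100::/56",
                      allow_inbound=[("2001:db8:ffff::/48", "2001:db8:abcd:100::10", "tcp", 22)])
    fw.forward(Packet("2001:db8:abcd:100::50", "2001:db8:2::80", "tcp", 40000, 443), "lan")
    print("reply to our own connection:",
          fw.forward(Packet("2001:db8:2::80", "2001:db8:abcd:100::50", "tcp", 443, 40000), "wan"))
    print("random scan of an inside host:",
          fw.forward(Packet("2001:db8:9::1", "2001:db8:abcd:100::50", "tcp", 5555, 445), "wan"))
    print("work network to the ssh server:",
          fw.forward(Packet("2001:db8:ffff::7", "2001:db8:abcd:100::10", "tcp", 5000, 22), "wan"))
```

The allow entry is the IPv6 counterpart of a port forward, except that it names the server's real address and no translation happens; the reply path works because the state table, not a NAT mapping, remembers which inside host opened the connection. The ICMPv6 branch is the part people forget when porting IPv4 habits: neighbour discovery and path MTU discovery need it, so "drop everything inbound" breaks IPv6 rather than hardening it.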
 