Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

IPv6 on home networks and NAT

Started by matthewh, January 04, 2014, 10:08:44 AM



Trying to understand logic here. Seems like he is saying that NAT will still be used on IPv6 connections. I can see a firewall in some cases but not NAT.



The only reason I would remember that I saw that page is to remind myself how clueless some people can be.

NAT is not designed for security; it's a band-aid because we're short of IPv4 addresses.

You do not need NAT with IPv6; that is one of the benefits: IPv6 provides end-to-end connections.


Quote from: matthewh on January 04, 2014, 10:08:44 AM: "Trying to understand logic here."
I promise you, it won't take you long to understand all of the logic in that posting. All you need to know in order to understand all of the logic in that posting is the following: There is no logic in that posting to begin with.

Quote from: matthewh on January 04, 2014, 10:08:44 AM: "Seems like he is saying that NAT will still be used on IPv6 connections."
During a transition period you may see many different kinds of NAT solutions being used. The longer it takes for ISPs to get their act together and deploy native IPv6 to everybody, the more different types of NAT solutions we are likely going to see. However, the one type of NAT there should be no need for is one translating from IPv6 to IPv6.

Quote from: matthewh on January 04, 2014, 10:08:44 AM: "I can see a firewall in some cases but not NAT."
Availability of well-designed firewalls for IPv6 would certainly be a plus, as long as ISPs don't force a firewall upon their customers. The three key features one needs to understand in order to understand the difference between NAT and a firewall are: packet filtering, stateful inspection, and address translation.

A NAT by definition does address translation. The sort of address translation needed to work around the IPv4 shortage is impossible to do without also having stateful inspection. Moreover, since some packets cannot have translation applied without the state, if such packets arrive without matching state, they have to be filtered. So a typical NAT will have a little bit of all three of them. But that is by accident, not by design.

A proper firewall for IPv6 will not have any address translation, but it will still have filtering and possibly stateful inspection. Eliminating the address translation is not bad for security. I know of a few reasons why address translation will reduce security a bit. Without address translation, you no longer have those packets, which would be impossible to forward without state. In other words, through configuration you can allow those packets through, which you want to, state or not. You can choose that there are certain packets for which the decision depends on state, but that is a configuration choice, and not an inherent requirement from the design.

If your goal is to block certain TCP ports against incoming connections because there might be a vulnerable service on that port, you really just need a stateless filter blocking the SYN packets. If you want to apply filters to UDP-based services or to protect against vulnerabilities in the TCP stack itself, you might need stateful inspection. But those packets that are allowed through the firewall are then forwarded without modification (except for decrementing the hop limit).

Quote from: matthewh on January 04, 2014, 10:08:44 AM: http://tinyurl.com/ldqcxln
Let me just explain the most significant mistakes in that posting. You might notice that once you ignore all the mistaken quotes, there is practically nothing left.

Quote: "As I've stated before, address exhaustion IS NOT AN ISSUE ON AN INTERNAL NETWORK"
This is the first mistake. He does not understand how the Internet was designed to operate. And he is assuming NAT is part of the design of the Internet, which it is not.

Quote: "unless you have over 65,536 separate devices to connect to your home network."
No idea where he pulled that number from. It is incorrect.

Quote: "The reason we use NAT IS for security"
Totally wrong. Besides, if you actually start considering the potential security vulnerabilities that NAT introduces, and how to avoid them, you end up having to use IPv6, because you can design a more secure NAT if you use IPv6. But if you end up using IPv6 on both sides of the NAT, you can do even better by replacing the NAT with a firewall without NAT. You may hear some bullshit about privacy, but in reality a proper implementation of privacy addresses with IPv6 gives better privacy than a NAT.

Quote: "NAT only provides one level of security. Most ISPs' equipment offers NAT Type 2"
Now he starts listing some types of NAT, which to the best of my knowledge are not following any standardized conventions. The actual descriptions of those types of NAT I would qualify as technobabble.

Quote: "IPv6... will NOT be utilized by ANY home router, as it is 100% unnecessary in a home network."
Unless you want to communicate with the rest of the world of course.

If you want all home networks in the world to have a real Internet connection, you need IPv6. There are not enough addresses any other way. Using IPv4 on the LAN and IPv6 on the backbone can only work through some sort of NAT. That is entirely possible to do, though. I have designed a sort of NAT solution to do exactly that, and it does have significant advantages compared to other sorts of NAT. However, it is only applicable for a transition period. It is useful while there is an IPv6 backbone you need to connect to, and some equipment on or around the LAN with insufficient IPv6 support.

Quote: "The internal DHCP server (LAN) side is IPv4 ONLY."
Because DHCP is for IPv4! For IPv6 you use SLAAC and/or DHCPv6 instead. And there are more systems with SLAAC support than there are systems with DHCPv6 support.

Quote: "( - and - which are reserved for PRIVATE networks"
That's not even the correct ranges. The correct ranges are:
  • -
  • - (special rules apply)
  • -
  • -

Quote: "NAT will continue to be used even under IPv6."
I am aware of no standards for doing NAT with IPv6. The lack of standards doesn't mean it isn't possible to do it, but I am also aware of no actual implementations of NAT for IPv6. Anybody who wants to present a claim like that one should be asked to provide evidence that they have actually configured an IPv6 network with NAT. That guy has not provided any evidence that he knows anything about IPv6.

NAT has harmed the Internet in many ways. But perhaps the worst harm NAT has done to the Internet is to create clueless people like the guy who wrote that posting. If NAT had never been invented, we could all have been running IPv6 years ago.
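The reply above separates three features that a typical NAT box lumps together: packet filtering, stateful inspection, and address translation. The following Python model is an added example (not code from this thread, from the poster, or from Hurricane Electric) that makes the distinction concrete: a firewall without translation can block new inbound TCP connections with a stateless rule on the SYN flag alone, use state only where configured to (UDP here), and forward everything else with nothing changed but the hop limit; a NAT, by contrast, must keep state to translate at all, so an inbound packet with no matching mapping is dropped whether anyone wanted a filter or not. The addresses are constructed from the 2001:db8::/32 documentation prefix, and both the `Firewall` and `Nat` classes are simplified models of the decision logic, not a real packet filter.

```python
"""Model of filtering, stateful inspection and address translation on IPv6.

Added example for the thread above; the addresses below are constructed
documentation addresses (2001:db8::/32) and the classes are toy models of the
decision logic, not a real forwarding plane.
"""
from dataclasses import dataclass, replace

# Constructed sample addresses (documentation prefix, RFC 3849).
INSIDE = "2001:db8:1::10"      # host on the home LAN
REMOTE = "2001:db8:ffff::1"    # some host on the Internet
PUBLIC = "2001:db8:2::1"       # the NAT's outside address (hypothetical)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    hop_limit: int = 64
    syn: bool = False     # TCP flags; ignored for UDP
    ack: bool = False


def forward(pkt):
    """Plain IPv6 forwarding: addresses and ports untouched, hop limit decremented.

    A router must not forward a packet whose hop limit would reach zero
    (it discards it and sends ICMPv6 Time Exceeded), so that case returns None.
    """
    if pkt.hop_limit <= 1:
        return None
    return replace(pkt, hop_limit=pkt.hop_limit - 1)


class Firewall:
    """IPv6 firewall: filtering and (optional) stateful inspection, no translation."""

    def __init__(self, blocked_tcp_ports, stateful_udp=True):
        self.blocked_tcp_ports = set(blocked_tcp_ports)
        self.stateful_udp = stateful_udp
        # (inside addr, inside port, outside addr, outside port) of UDP flows opened from inside
        self.udp_flows = set()

    def handle(self, pkt, inbound):
        # Stateless rule: a bare SYN towards a blocked port never gets in. The
        # rule keys on the flags only, so SYN/ACK or data segments pass without
        # any state being kept; that is enough to stop new inbound connections.
        if (inbound and pkt.proto == "tcp" and pkt.syn and not pkt.ack
                and pkt.dport in self.blocked_tcp_ports):
            return None
        # Stateful inspection only where configured: UDP has no handshake to
        # filter on, so replies are admitted by matching a flow opened from inside.
        if pkt.proto == "udp" and self.stateful_udp:
            if inbound:
                if (pkt.dst, pkt.dport, pkt.src, pkt.sport) not in self.udp_flows:
                    return None
            else:
                self.udp_flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return forward(pkt)


class Nat:
    """Port-based NAT: translation is impossible without state, so inbound
    packets with no mapping are filtered as a side effect, not by design."""

    def __init__(self, public_addr):
        self.public_addr = public_addr
        self.next_port = 40000
        self.by_public_port = {}     # public port -> (inside addr, inside port)
        self.by_inside = {}          # (inside addr, inside port) -> public port

    def handle(self, pkt, inbound):
        if inbound:
            mapping = self.by_public_port.get(pkt.dport)
            if mapping is None or pkt.dst != self.public_addr:
                return None          # nothing to translate it to: must drop
            inside_addr, inside_port = mapping
            pkt = replace(pkt, dst=inside_addr, dport=inside_port)
        else:
            key = (pkt.src, pkt.sport)
            if key not in self.by_inside:
                self.by_inside[key] = self.next_port
                self.by_public_port[self.next_port] = key
                self.next_port += 1
            pkt = replace(pkt, src=self.public_addr, sport=self.by_inside[key])
        return forward(pkt)


def run_scenarios():
    """Run the same constructed traffic through both boxes; returns a dict of outcomes."""
    fw = Firewall(blocked_tcp_ports={22})
    nat = Nat(public_addr=PUBLIC)
    r = {}
    r["fw_syn_22"] = fw.handle(Packet(REMOTE, INSIDE, "tcp", 50000, 22, syn=True), inbound=True)
    r["fw_syn_443"] = fw.handle(Packet(REMOTE, INSIDE, "tcp", 50001, 443, syn=True), inbound=True)
    r["fw_synack_22"] = fw.handle(Packet(REMOTE, INSIDE, "tcp", 443, 22, syn=True, ack=True), inbound=True)
    r["fw_udp_unsolicited"] = fw.handle(Packet(REMOTE, INSIDE, "udp", 53, 5353), inbound=True)
    fw.handle(Packet(INSIDE, REMOTE, "udp", 5353, 53), inbound=False)      # DNS query goes out
    r["fw_udp_reply"] = fw.handle(Packet(REMOTE, INSIDE, "udp", 53, 5353), inbound=True)
    r["fw_expired"] = fw.handle(Packet(REMOTE, INSIDE, "tcp", 50002, 443, hop_limit=1), inbound=True)
    r["nat_unsolicited"] = nat.handle(Packet(REMOTE, PUBLIC, "udp", 53, 40000), inbound=True)
    r["nat_out"] = nat.handle(Packet(INSIDE, REMOTE, "udp", 5353, 53), inbound=False)
    r["nat_reply"] = nat.handle(Packet(REMOTE, PUBLIC, "udp", 53, 40000), inbound=True)
    return r


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} {'DROP' if outcome is None else outcome}")
```

Note what the firewall never does: every packet it lets through still carries the original source and destination addresses, so end-to-end addressing (and anything that depends on it, such as transport checksums or IPsec AH) survives. The NAT rewrites addresses and ports on both directions and has to remember the mapping to do so; that stored state is what silently turns it into a filter.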