Monthly Archives: February 2015

What worries me about the lack of NAT in IPv6

I know that NATv6 does exist, and since NAT is transparent – no device handling the traffic after the NAT can distinguish between NAT and non-NAT traffic – anyone who wants to implement it can do so. On the other hand, many of those pushing for IPv6 hold that there is no need for NAT in IPv6: every device can have a globally routed IPv6 address, and a stateful firewall will solve the security problems.

The first thing to note is that NAT is, in effect, a stateful firewall. A router doing NAT has to keep a table of the connections its clients have opened in order to translate the replies, and an inbound packet that matches no entry in that table has nowhere to be delivered and is dropped. It may be a stateful firewall with a limited set of available functions, but by default it is a very secure one. Because each consumer internet connection is usually allocated just one IPv4 address, companies selling home networking equipment were forced to put this stateful firewall in every consumer router. The security impact is that a large number of residential internet connections have very strong protection against unsolicited internet traffic.

With IPv6 giving global addresses to every device, I can’t imagine that every low-quality home router will include a stateful firewall for the IPv6 stack (currently even some high-end routers don’t support a stateful firewall on IPv6). Leaving it out saves CPU, memory, and programming, testing, and documentation time. This would substantially limit the protection provided to consumer computers.

Address privacy methods, such as the temporary addresses used by Microsoft Windows, Apple OS X, and others, do not solve the problem, because attackers could harvest IP addresses from such sources as peer-to-peer software distribution (such as the Blizzard patch downloader), log files, video chat, or network sniffing. At that point it is in many cases up to the OS’s firewall to decide whether to handle the traffic or not (and users can often figure out how to turn off their software firewall, and are recommended to do so by some network and software debugging instructions).

As long as the router has a stateful firewall, the actual NAT is less important, but it could still be useful. The router will almost always have a large number of IPv6 addresses available for NAT, so it is free to assign a random IPv6 address to every single outgoing TCP or UDP stream (this would take no more effort than IPv4 NAT), although doing so could confuse some servers that track the user by IP address. There would be no concern that a port requested by UPnP is already in use, because it could be opened on a new IPv6 address.
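To make the two claims above concrete (that NAT's translation table already behaves as a stateful firewall, and that an IPv6 router with a whole prefix to spare can give each outgoing stream its own address), here is a small added model of the two forwarding paths. It is example code written for this post, not the author's or any router vendor's; the `Packet`, `StatefulFirewall` and `PerFlowNat` names, the address prefixes (all from the 2001:db8::/32 documentation range) and the flows are all constructed for the illustration.

```python
"""Toy model of a consumer router's WAN-facing forwarding decision.

Two policies are modelled: a plain stateful firewall that forwards
addresses unchanged, and a per-flow NAT that picks a fresh address from
the router's delegated prefix for every outgoing stream. Both keep the
same kind of state table, and both drop unsolicited inbound packets.
Everything here is constructed for illustration.
"""
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Forward LAN->WAN freely; forward WAN->LAN only for replies to a known flow."""

    def __init__(self, lan_prefix: str):
        self.lan = ipaddress.ip_network(lan_prefix)
        # Flow key as seen from the LAN side: (proto, lan addr, lan port, remote addr, remote port)
        self.flows: set = set()

    def outbound(self, pkt: Packet) -> Packet:
        if ipaddress.ip_address(pkt.src) not in self.lan:
            raise ValueError("outbound packet must originate on the LAN")
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt  # no translation, global address goes out unchanged

    def inbound(self, pkt: Packet):
        """Return the packet to deliver to the LAN, or None if it is dropped."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return pkt if key in self.flows else None


class PerFlowNat(StatefulFirewall):
    """Same state table, but each outgoing flow is rewritten to a random address
    inside the router's public prefix (the idea described in the post)."""

    def __init__(self, lan_prefix: str, public_prefix: str):
        super().__init__(lan_prefix)
        self.public = ipaddress.ip_network(public_prefix)
        # (proto, public addr, port, remote addr, remote port) -> (lan addr, lan port)
        self.nat: dict = {}

    def outbound(self, pkt: Packet) -> Packet:
        super().outbound(pkt)  # records the flow and validates the source
        host_bits = self.public.max_prefixlen - self.public.prefixlen
        public_addr = str(self.public.network_address + secrets.randbelow(2 ** host_bits))
        # With a fresh address per flow the source port never needs remapping.
        self.nat[(pkt.proto, public_addr, pkt.sport, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, public_addr, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        inner = self.nat.get(key)
        if inner is None:
            return None  # nothing mapped: the packet has no destination behind the NAT
        return Packet(pkt.proto, pkt.src, pkt.sport, inner[0], inner[1])


def run_scenario(router: StatefulFirewall) -> dict:
    """One LAN host opens an HTTPS connection; the reply and two unsolicited
    packets then arrive from the WAN. Returns what was delivered to the LAN."""
    lan_host, server = "2001:db8:1::10", "2001:db8:ffff::1"
    outgoing = router.outbound(Packet("tcp", lan_host, 40000, server, 443))
    reply = router.inbound(Packet("tcp", server, 443, outgoing.src, outgoing.sport))
    # An attacker who learned the host's address probes an unrelated port.
    probe = router.inbound(Packet("tcp", "2001:db8:bad::1", 5555, lan_host, 22))
    # The real server, but on a flow the LAN never opened.
    stray = router.inbound(Packet("udp", server, 53, lan_host, 40000))
    return {"wan_src": outgoing.src, "reply": reply, "probe": probe, "stray": stray}


if __name__ == "__main__":
    for name, router in (
        ("stateful firewall", StatefulFirewall("2001:db8:1::/64")),
        ("per-flow NAT", PerFlowNat("2001:db8:1::/64", "2001:db8:2::/64")),
    ):
        print(name, run_scenario(router))
```

Both routers deliver the reply and drop the probe and the stray packet; the only visible difference is that with `PerFlowNat` the server sees a source address in 2001:db8:2::/64 rather than the host's own address, so even a harvested address identifies nothing that can be reached later.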

With or without NAT, I feel that having a strict stateful firewall on home routers is important for both IPv4 and IPv6. They should by default provide the same protection against unsolicited packets as an IPv4 router running NAT. I worry, however, that without the necessity of NAT, the companies that build the routers are less likely to add stateful firewalls to the IPv6 stack, and that’s something that could hurt internet security.