I’ve been working lately on a couple of IPv6-related projects. First, there’s a chapter for an upcoming book, and second, there’s the effort to make WFTPD and WFTPD Pro work on IPv6, since it’s enabled by default in Windows Vista and Windows Server 2008 [more on that in a future post].
A big argument to my mind, as an old-school Internet user, for enabling IPv6 is that every one of your hosts becomes a fully-fledged Internet participant, like it used to be with IPv4 back in the ’90s.
What do I mean by that?
I mean that every machine is reachable at its own address on every port that it chooses to open, rather than requiring someone to tinker with a NAT to open port mappings for specific applications.
IPv6 removes the need for a NAT at all.
Wow. To a security professional, that’s a shocking statement. It feels rather like saying that living in a tent removes the need for locks. How on earth do you protect your stuff without a NAT?
The answer is that a NAT was never intended to be a security device – it just happened, somewhat accidentally, that requiring address translation and port mapping to be statically configured created a security barrier.
Unfortunately, NATs also killed a lot of protocols (H.323 for webcams, FTP for file transfers – particularly when secured, IPsec) that quote IP addresses in their traffic.
To some extent this was fixed with ALGs – Application Layer Gateways – but never very satisfactorily (particularly in the case of secured FTP). What would be far better is to have a device that had the blocking advantages of a NAT, but didn’t require IP addresses and ports to be altered in transit.
There’s a name for such a device: a firewall.
[Only if the firewall is configured by default to list all ports as "closed". An open-by-default firewall is not a firewall, it's a router.]
And a firewall is a far simpler program than a NAT (even if it’s in hardware, it’s the program’s simplicity that matters most). If incoming traffic arrives on a port that has been opened, the firewall allows it in. If outgoing traffic leaves on a port that was closed, the firewall usually opens that port for the reverse traffic only, so that clients on the inside of the firewall can get a response, and it does all this without rewriting a single address or port in the packets.
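To make the behaviour just described concrete, here is a toy model of a default-deny stateful packet filter. It is an added example, not code from the original post or from WFTPD: the inside prefix, the opened port and the packets are constructed, and the `Firewall`, `Packet` and `demo` names are my own. Unsolicited inbound packets are dropped unless the port was explicitly opened; an outbound packet records its flow so that the matching reply is let back in; addresses and ports are never altered.

```python
"""Toy default-deny, stateful packet filter for IPv6 (added example, not from the post).

Addresses use the documentation prefix 2001:db8::/32 and are constructed
for illustration only.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str        # IPv6 source address (never rewritten by the firewall)
    sport: int
    dst: str        # IPv6 destination address
    dport: int
    proto: str = "tcp"


@dataclass
class Firewall:
    inside: ipaddress.IPv6Network                    # the protected network
    open_ports: set = field(default_factory=set)     # {(proto, port)} opened by the admin
    state: set = field(default_factory=set)          # established flows (5-tuples)

    def is_inside(self, addr: str) -> bool:
        return ipaddress.IPv6Address(addr) in self.inside

    def filter(self, pkt: Packet) -> str:
        """Return 'allow' or 'drop' for one packet crossing the border."""
        outbound = self.is_inside(pkt.src) and not self.is_inside(pkt.dst)
        inbound = self.is_inside(pkt.dst) and not self.is_inside(pkt.src)

        if outbound:
            # Remember the flow so only the reply to this exact 5-tuple gets back in.
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"

        if inbound:
            # A reply to a flow we opened from the inside.
            if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
                return "allow"
            # An unsolicited connection to a port the administrator opened.
            if (pkt.proto, pkt.dport) in self.open_ports:
                return "allow"
            return "drop"   # everything else is closed by default

        # Traffic that does not cross the border is not forwarded by a border filter.
        return "drop"


def demo() -> list:
    """Run a constructed sequence of packets through the filter and return the verdicts."""
    fw = Firewall(inside=ipaddress.IPv6Network("2001:db8:1::/64"),
                  open_ports={("tcp", 21)})   # only the FTP control port is opened
    return [
        # inside client opens a connection to an outside web server
        fw.filter(Packet("2001:db8:1::10", 50000, "2001:db8:2::80", 443)),   # allow
        # the server's reply matches the recorded flow
        fw.filter(Packet("2001:db8:2::80", 443, "2001:db8:1::10", 50000)),   # allow
        # same server, but to a port the client never used: no state, dropped
        fw.filter(Packet("2001:db8:2::80", 443, "2001:db8:1::10", 50001)),   # drop
        # unsolicited inbound to the opened FTP port
        fw.filter(Packet("2001:db8:9::1", 4000, "2001:db8:1::5", 21)),       # allow
        # unsolicited inbound to a closed port
        fw.filter(Packet("2001:db8:9::1", 4000, "2001:db8:1::5", 22)),       # drop
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note that the reply is matched on the full 5-tuple, which is what a real stateful firewall does; a looser match (destination port only) would turn every outbound connection into a wide-open inbound port.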
So, when the time comes that your network is required to transition to IPv6, don’t beg for an IPv6 NAT. I hope such a device doesn’t actually exist, and that nobody’s stupid enough to develop one. What you should insist on is an IPv6 firewall.
“But what about the problem that the layout of my network inside of the firewall will be revealed?” you might ask.
It won’t, because IPv6 addresses are sparsely allocated: your hosts occupy a tiny fraction of an enormous address space, so an outsider can’t map your network by probing addresses one after another.
“How about machines that won’t ever need to be accessed by, or access out to, anything outside my company? What’s the IPv6 equivalent of an RFC 1918 address?”
No problem – there’s a standard for link-local and site-local (Unique Local Unicast addresses, technically) addressing, and such addresses will never be routed outside of your site.
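As an added example (not code from the original post), the following classifies IPv6 addresses by scope using Python’s standard `ipaddress` module, builds a locally assigned Unique Local prefix the way RFC 4193 lays it out (`fd00::/8` followed by a 40-bit Global ID), and shows the border rule that falls out of it: a packet whose source or destination is link-local or unique-local must not be forwarded off-site. The sample addresses are constructed; `scope`, `make_ula_prefix` and `border_should_forward` are my own names.

```python
"""IPv6 address scopes and the "never leaves the site" rule (added example, not from the post)."""
import ipaddress
import secrets

# Well-known prefixes (constants from the RFCs named in the comments).
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")       # RFC 4291: never forwarded by routers
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")      # RFC 4193: the RFC 1918 equivalent
OLD_SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")   # RFC 3879: deprecated site-local
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")    # RFC 4291: globally routable


def scope(addr: str) -> str:
    """Name the scope of an IPv6 address by prefix match."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    if a in OLD_SITE_LOCAL:
        return "site-local (deprecated)"
    if a.is_loopback:
        return "loopback"
    if a in GLOBAL_UNICAST:
        return "global"
    return "other"


def make_ula_prefix(global_id=None) -> ipaddress.IPv6Network:
    """Build a locally assigned ULA /48: 0xfd, then a 40-bit Global ID, then zeros.

    RFC 4193 derives the Global ID from a hash of a timestamp and a hardware
    identifier; drawing it from a CSPRNG is an assumption made here for brevity.
    """
    if global_id is None:
        global_id = secrets.randbits(40)
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID must fit in 40 bits")
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def border_should_forward(src: str, dst: str) -> bool:
    """Border-router policy: only global-to-global traffic may cross the site boundary."""
    return scope(src) == "global" and scope(dst) == "global"


if __name__ == "__main__":
    # Constructed sample addresses.
    for a in ["fe80::1", "fd12:3456:789a::1", "fec0::1", "2001:db8:1::10", "::1"]:
        print(a, "->", scope(a))
    print(make_ula_prefix())   # a fresh random /48, different on every run
    print(border_should_forward("fd12:3456:789a::1", "2001:db8::1"))   # False
```

Deriving the site prefix from 40 random bits is what keeps two organisations’ ULA ranges from colliding when their networks are later joined, which was the weakness of the old site-local scheme (and of RFC 1918 space, where everyone picks 10.0.0.0/8).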
Any other reasons you’re clinging to the idea that a NAT is a security device?