[arin-ppml] The role of NAT in IPv6
Gary T. Giesen
ggiesen at akn.ca
Fri Mar 26 17:48:16 EDT 2010
The problem with NAT in v6 land (NAT66) is it introduces the temptation
to overload addresses (like PAT), because that's what people are used
to. In V6, I can't think of a good reason why you'd want to overload
IMHO it's better to get people used to having no NAT at all (since
they're getting used to a new protocol anyways), and as you suggested, a
stateful firewall (no unsolicited connections from outside) and separate
your hosts into proper security zones to ensure a typo in a firewall
rule limits your exposure.
For home users, under this scenario, their experience would be largely
unchanged (your NAT'd subnet merely becomes a routed subnet) but we
would be able to achieve large gains in visibility when troubleshooting
problems without having to deal with the NAT black hole. Firewall rules
become simpler to configure and understand because we're not translating
addresses all over the place.
At some point the people who are using NAT as a security mechanism will
have to take responsibility for their networks and ensure that their
policies are well-designed and implemented. Adding it to v6 (which was
designed largely to supplant it) is an abomination and there's no reason
for it. NAT is not a security mechanism. It was created as a) an
address transition mechanism (for which there are alternatives in v6)
and b) an address conservation mechanism (not required in v6).
On Fri, 2010-03-26 at 17:20 -0400, Scott Leibrand wrote:
> On Fri 3/26/2010 1:55 PM, Roger Marquis wrote:
> > It isn't just network security professionals who won't give up NAT,
> > end-user consumers also won't. If anything is clear from the past few
> > years' field trials it's that IPv6 has received a vote of no confidence
> > from consumers. It has received that thumbs down primarily because it
> > lacks address translation.
> Are you talking about NAT66, NAT64, or something else? I personally
> have not seen this backlash against NAT-less IPv6 by end users. There
> have been some complaints about the insecurity of enabling a new
> protocol by accident, but I haven't seen anyone maintaining that NAT66
> is a security requirement for home users. I will agree that a stateful
> firewall needs to be built in to home IPv6 routers to disallow incoming
> IPv6 connections by default, except where allowed by the user (or by
> something like UPnP). That doesn't require NAT66, though, at least in
> the simple home environment.
> > IMO there's no painless way to transition to IPv6 without NAT.
> I assume you're talking about NAT-PT here?
> > Compound that with the security issues created by the lack of NAT
> > and, well, you have where we are today.
> Up 'til now we've mostly been talking about NAT66 (IPv6 inside, IPv6
> outside), rather than the various flavors of NAT-PT (NAT64 or NAT46 for
> example). We also haven't been very specific about whether we're
> talking 1:1 NAT66, or some sort of overloaded 1:many NAT (like we
> usually use in IPv4 NAT).
> Leaving aside NAT-PT and v4-v6 transition for the moment, can you
> clarify how you would like to deploy NAT in an IPv6-only environment?
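The design argued for above (a routed IPv6 subnet behind a stateful firewall that drops unsolicited inbound connections, with hosts split into zones so one bad rule has a bounded blast radius) as an added nftables ruleset; this is an illustration written for this page, not configuration from the thread or from any ARIN document. Interface names, the 2001:db8:1::/48 documentation prefix and the two internal zones are assumptions; the ICMPv6 allowances are included because, without NAT in the path, neighbour discovery and path-MTU discovery must be permitted explicitly or IPv6 connectivity silently breaks.

```nft
#!/usr/sbin/nft -f
# Assumed topology: $wan uplink, a trusted LAN zone and an untrusted IoT zone,
# each a routed /64 out of an assumed 2001:db8:1::/48 delegation. No NAT66.
flush ruleset

define wan = "eth0"
define lan = "br-lan"      # trusted hosts, 2001:db8:1:10::/64 (assumed)
define iot = "br-iot"      # untrusted devices, 2001:db8:1:20::/64 (assumed)

table ip6 edge {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Neighbour discovery and router advertisements are required for
        # IPv6 to function; echo-request is kept for WAN-side diagnostics.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, echo-request } accept
        # DHCPv6 prefix-delegation replies from the ISP (uplink only).
        iifname $wan udp sport 547 udp dport 546 accept
        # Router-hosted DNS and DHCPv6 for the internal zones only.
        iifname { $lan, $iot } udp dport { 53, 547 } accept
        iifname $lan tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Packet-too-big must be forwarded or PMTUD fails; with no NAT
        # box rewriting things, the error has to reach the real end host.
        icmpv6 type { packet-too-big, time-exceeded, parameter-problem,
                      destination-unreachable } accept
        # One chain per zone: a typo in from_iot cannot open the LAN,
        # and nothing unsolicited from $wan matches any jump below.
        iifname $lan jump from_lan
        iifname $iot jump from_iot
    }
    chain from_lan {
        oifname $wan accept                  # trusted hosts may initiate outbound
        oifname $iot tcp dport 8080 accept   # LAN may reach an IoT device's web UI
    }
    chain from_iot {
        oifname $wan tcp dport { 80, 443 } accept   # IoT: web only, never the LAN
    }
}
```

Load with `nft -f <file>` on the router and confirm with `nft list ruleset`; an inbound connection attempt from the WAN to a LAN address should fall through the `forward` chain to its `drop` policy while an outbound flow's return traffic is accepted by the `established,related` rule.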