We should first consider what NAT is, what it was designed for, and what it is not. NAT was created as a fix for IPv4 address exhaustion. It allowed many computers to share a single IP address through state tables in a NAT firewall. It was NEVER designed for the security of the internal nodes. What it provided was security through obscurity: an attacker didn't know all the internal addresses of a target network. NAT is also not a stateful firewall. While this might seem obvious, I mention it because some of the stuff I read from people assumes this is going away. This is absolutely not the case. While NAT is discouraged in IPv6 best practices, a stateful firewall is still very much essential. The only difference is that hosts on the inside of it will have a publicly routable IP address. Even so, attackers will not be able to initiate a connection with them if a stateful firewall is in place and has no other applicable rules.
"Well isn't it better if the attacker doesn't know the IP address of all my clients?"
The answer is that in all likelihood he won't. First, let us consider what the attacker will know about you. For the most part, IPv6 addressing will be hierarchical. This means that your ISP will be assigned a chunk of addresses that is probably on the order of billions of times greater than the entire IPv4 Internet is now. The idea with hierarchical routing is that the Internet backbone routing tables will be simpler. By using a WHOIS lookup, the attacker will be able to tell what prefixes were assigned to your company. Bad news, because now he can start scanning them, right? Wrong. Remember, this isn't IPv4. The size of the address block that your organization is assigned will make scanning hosts practically impossible, and even if you were assigned an address block that was small enough to be effectively scanned, you still should have a stateful firewall between you and the attacker.
"But many of my clients still initiate connections to the Internet..."
A big concern is that the anonymity of the hosts on the inside of the firewall could be compromised. In particular, websites could track hosts browsing to them because their IP address will never change. This could happen if the address configuration method on the internal network allows it. In IPv4 there were basically two methods for configuring an IP address: the administrator can configure each host manually or use DHCP. Both of these are still available in IPv6, but a new feature called stateless address autoconfiguration (SLAAC) allows a host to automatically configure its IPv6 address based on whatever network prefix a router is advertising. SLAAC and DHCPv6 can be configured to have short leases on the address so that they expire quickly. With the huge address space that IPv6 provides, selecting a new address should not be a problem. The lower-order 64 bits of the 128-bit IPv6 address are called the Interface ID. It can be based on the device's MAC address or it can be generated randomly. For privacy, it obviously makes sense to generate it randomly.
In my next post we will continue to explore more of the IPv6 security considerations given the absence of NAT and why a world without NAT is a better place.