IPv6 uptake (was: The Reg does 240/4)

Ryan Hamel ryan at rkhtech.org
Sat Feb 17 02:10:18 UTC 2024


sronan,

A subnet can come from the ISP (residential/small business), or a business is utilizing BGP with their upstream. When V6 is in use, a firewall does not need to perform NAT, just stateful flow inspection and applying the applicable rules based on the zone and/or interface.

Bill,

Depending on where that rule is placed within your ACL, yes that can happen with *ANY* address family.

---

All things aside, I agree with Dan that NAT was never ever designed to be a security tool. It is used because of the scarcity of public address space, and it provides a "defense" depending on how it is implemented, with minimal effort. This video tells the story of NAT and the Cisco PIX, straight from the creators: https://youtu.be/GLrfqtf4txw

Ryan Hamel

________________________________
From: NANOG <nanog-bounces+ryan=rkhtech.org at nanog.org> on behalf of sronan at ronan-online.com <sronan at ronan-online.com>
Sent: Friday, February 16, 2024 5:44 PM
To: William Herrin <bill at herrin.us>
Cc: nanog at nanog.org <nanog at nanog.org>
Subject: Re: IPv6 uptake (was: The Reg does 240/4)

Why is your Internal v6 subnet advertised to the Internet?

> On Feb 16, 2024, at 8:08 PM, William Herrin <bill at herrin.us> wrote:
>
> On Fri, Feb 16, 2024 at 3:13 PM Michael Thomas <mike at mtcc.com> wrote:
>> If you know which subnets need to be NAT'd don't you also know which
>> ones shouldn't be exposed to incoming connections (or conversely, which
>> should be permitted)? It seems to me that all you're doing is moving
>> around where that knowledge is stored? I.e., DHCP so it can give it a
>> private address rather than the firewall knowing which subnets not to
>> allow access? Yes, DHCP can be easily configured to make everything
>> private, but DHCP for static reachable addresses is pretty handy too.
>
> Hi Mike,
>
> Suppose I have a firewall at 2602:815:6000::1 with an internal network
> of 2602:815:6001::/64. Inside the network on 2602:815:6001::4 I have a
> switch that accepts telnet connections with a user/password of
> admin/admin. On the firewall, I program it to disallow all Internet
> packets to 2602:815:6001::/64 that are not part of an established
> connection.
>
> Someone tries to telnet to 2602:815:6001::4. What happens? Blocked.
>
> Now, I make a mistake on my firewall. I insert a rule intended to
> allow packets outbound from 2602:815:6001::4 but I fat-finger it and
> so it allows them inbound to that address instead. Someone tries to
> telnet to 2602:815:6001::4. What happens? Hacked.
>
> Now suppose I have a firewall at 199.33.225.1 with an internal network
> of 192.168.55.0/24. Inside the network on 192.168.55.4 I have a switch
> that accepts telnet connections with a user/password of admin/admin.
> On the firewall, I program it to do NAT translation from
> 192.168.55.0/24 to 199.33.225.1 when sending packets outbound, which
> also has the effect of disallowing inbound packets to 192.168.55.0/24
> which are not part of an established connection.
>
> Someone tries to telnet to 192.168.55.4. What happens? The packet
> never even reaches my firewall because that IP address doesn't go
> anywhere on the Internet.
>
> Now I make a mistake on my firewall. I insert a rule intended to allow
> packets outbound from 192.168.55.4 but I fat-finger it and so it
> allows them inbound to that address instead. Someone tries to telnet
> to 192.168.55.4. What happens? The packet STILL doesn't reach my
> firewall because that IP address doesn't go anywhere on the Internet.
>
> See the difference? Accessible versus accessible and addressable. Not
> addressable enhances security.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> bill at herrin.us
> https://bill.herrin.us/
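The two points argued above (Bill's "accessible versus addressable" scenario and Ryan's remark that the fat-fingered rule only bites depending on where it sits in the ACL) can be made concrete with a small model. This is an added example, not code from the thread or from any firewall vendor: it assumes a first-match, default-deny ACL with rules modelled as `(action, direction, net)` tuples, uses the prefixes quoted in the thread, and adds a hypothetical `exposing_rules` audit that flags allow-in rules not shadowed by an earlier deny.

```python
import ipaddress
from collections import namedtuple

# Constructed model of a first-match stateful firewall ACL (not any vendor's
# syntax); the prefixes and hosts are the ones quoted in the thread.
Rule = namedtuple("Rule", "action direction net")  # allow/deny, in/out, network
INTERNAL_V6 = ipaddress.ip_network("2602:815:6001::/64")
HOST_V6 = ipaddress.ip_network("2602:815:6001::4/128")
INTERNAL_V4 = ipaddress.ip_network("192.168.55.0/24")
HOST_V4 = ipaddress.ip_network("192.168.55.4/32")

def evaluate(rules, direction, dst, established=False):
    """First matching rule wins; established flows pass; default deny."""
    if established:
        return "allow"
    for rule in rules:
        if rule.direction == direction and dst in rule.net:
            return rule.action
    return "deny"

def inbound_from_internet(rules, dst):
    """Fate of a new (non-established) packet sent from the Internet to dst."""
    dst = ipaddress.ip_address(dst)
    if not dst.is_global:
        # RFC 1918 destination: the Internet never delivers the packet, so the
        # firewall's ACL is never consulted at all ("not addressable").
        return "unroutable"
    return evaluate(rules, "in", dst)

def exposing_rules(rules, internal):
    """Audit: indices of allow-in rules that open hosts inside `internal` and
    are not shadowed by an earlier deny-in rule that already covers them."""
    denied, found = [], []
    for i, rule in enumerate(rules):
        if (rule.direction != "in" or rule.net.version != internal.version
                or not rule.net.overlaps(internal)):
            continue
        if rule.action == "deny":
            denied.append(rule.net)
        elif not any(rule.net.subnet_of(d) for d in denied):
            found.append(i)
    return found

# Intended policy: block new inbound to the /64, allow the host outbound.
CORRECT_V6 = [Rule("deny", "in", INTERNAL_V6), Rule("allow", "out", HOST_V6)]
# Fat-finger: "out" typed as "in". Placed above the deny, it is the first match.
EXPOSED_V6 = [Rule("allow", "in", HOST_V6), Rule("deny", "in", INTERNAL_V6)]
# Same typo placed below the deny: the deny still matches first (order matters).
SHADOWED_V6 = [Rule("deny", "in", INTERNAL_V6), Rule("allow", "in", HOST_V6)]
EXPOSED_V4 = [Rule("allow", "in", HOST_V4), Rule("deny", "in", INTERNAL_V4)]
```

Running `exposing_rules` over a candidate ACL before pushing it is the kind of check that catches the mis-directed rule regardless of address family; the `is_global` short-circuit is the only thing that distinguishes the RFC 1918 case.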