
Comment by Sohcahtoa82

11 hours ago

This is going to depend on the router and on IP distribution.

My ISP does not give me an IPv6 address, only a single IPv6 which all my network devices have to NAT through.

NAT is not intended to be a security feature, for sure, but it creates security as a side effect. If I start up a web server on one of my devices, I know that it is unreachable from the Internet unless I go out of my way to set a port forward on my router.

But...if my ISP decides to start handing out IPv6, that can change. If each of my devices gets an Internet routable IPv6 address, at that point, that security-as-a-side-effect is not guaranteed unless my router has a default-deny firewall. I would hope that any routers would ship with that.

But if my ISP still gives me only a single IPv6 address and I'm still needing to use NAT, then I'm guaranteed to still effectively have a "default deny" inbound firewall policy.

> If each of my devices gets an Internet routable IPv6 address, at that point, that security-as-a-side-effect is not guaranteed unless my router has a default-deny firewall. I would hope that any routers would ship with that.

They usually do, and they also ship with the most wonderful technology ever specified within a 67 MB compressed archive [0]: UPnP! Now your attacker's job is to convince you to initiate an outgoing connection, which automatically forwards an incoming port to your device behind the NAT and bypassing the router's default-deny firewall! Nothing has ever gone wrong with a zero-configuration port-forwarding protocol from the 1990s rammed through the ISO!

[0]: https://openconnectivity.org/developer/specifications/upnp-r...

  • That's an entirely different attack scenario. To succeed at that attack, my computer would already need to be running malware. At that point, they've already won.

Every router I’ve ever used has blocked incoming connections on v6 exactly the same as on v4. Really the only difference is you can have multiple devices on your network allowed to receive on the same port if you want.

  • > Every router I’ve ever used has blocked incoming connections on v6 exactly the same as on v4.

    A few years back my ISP didn't properly support prefix delegation, and the only way to get IPv6 to work was in "Passthrough" mode. My router (Asus ax86u) was really unclear about what passthrough mode meant, but I think that it might also disable the IPv6 firewall (I have read conflicting reports, and was never able to find an authoritative answer). The setting is buried pretty deep in the router and off by default, so I don't think most people would enable it by accident, but a quick Google search does show lots of people on forums enabling Passthrough mode to get IPv6 working. So it seems pretty dangerous, and there is no warning or anything [1] that you are potentially exposing every device on your network to the internet (if that is indeed what it does).

    Fortunately, my ISP has since implemented proper support for prefix delegation.

    [1] https://www.asus.com/support/faq/113990/

So, what side effect of NAT is making your server unreachable here? It sounds like you could turn the NAT off and it would be exactly as unreachable as it was when the NAT was on.

(Just to double-check... have you tried DHCPv6-PD? ISPs will normally only give your router a single IP on its WAN interface, or sometimes no IP on the WAN. Getting the routed prefix for the LAN-side networks involves doing a PD request, which is separate from requesting the WAN IP.)

  • With NAT your device does not have a publicly routable address. Attackers have no way of contacting you at all. Without NAT you have a publicly routable address and attackers can try reaching out to your device. You rely entirely on your device's and your router's firewall.

    So it's not really about NAT although it ends up being a consequence—it's about having a truly private network "air gapped" from the public internet.

    • No, NAT only affects which IP your connections appear to be coming from. It doesn't change which IPs your devices actually have.

      The person I replied to said that they only get a single v6 address. If that's true, it doesn't matter whether they have NAT or not; their network isn't going to have publicly-routable addresses either way.

      If your network is air-gapped then no connections will be happening at all, in or out... and if you connect a router to both the Internet and to your network, and enable routing on it, then it's not air-gapped any more.


> My ISP does not give me an IPv6 address, only a single IPv6 which all my network devices have to NAT through.

Interesting how that works in your case. Does your router give your devices IPv6 from fc00::/7 and then NAT them? It would be a rather rare case.

> my ISP still gives me only a single IPv6 address

This is criminal, and also incredibly uncommon. You should talk to your ISP, it's most definitely a misconfiguration of some kind, if not deliberate torture. Normally you get a /56 at least because there are so many and they cost nothing.

  • Datapoint of 1: With Cox as my ISP, I can get a /64 just by configuring my DHCPv6 client to request it, but if I wanted a /56 or /48 I would have to contact someone at my ISP.

What ISP gives you a single IPv6 address? That's incredibly comical. An ISP would have at least 79 billion billion billion addresses and they are giving you one?!

If I run a webserver on my network I know it's unreachable from the internet unless I specifically allow inbound traffic to it at my firewall. I get to use the actual security features with sensible terminology instead of silly things like "port forward".
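As an added illustration (not from any commenter in the thread), this is what the "default-deny inbound, allow established" behaviour that NAT provides as a side effect looks like when stated explicitly for IPv6 in an nftables forward chain on a home router; the interface names, the documentation-prefix server address and the allowed ports are assumptions:

```nftables
#!/usr/sbin/nft -f
# Added example: stateful default-deny forward policy for a home router.
# Interface names and the server address are assumed placeholders.
flush ruleset

define wan = "eth0"                      # assumed WAN interface
define lan = "br0"                       # assumed LAN bridge
define webserver = 2001:db8:1234:1::80   # placeholder from the documentation prefix

table inet filter {
    chain forward {
        # Default deny: nothing crosses the router unless a rule below says so.
        type filter hook forward priority filter; policy drop;

        # Replies to connections the LAN initiated are allowed back in.
        # This is the "side effect" NAT gives you, written down explicitly.
        ct state established,related accept
        ct state invalid drop

        # The LAN may initiate anything towards the Internet.
        iifname $lan oifname $wan accept

        # IPv6 does not work without these ICMPv6 types (PMTUD, diagnostics),
        # so they are the one class allowed in despite the default deny.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # The single deliberate exception: the LAN web server.
        # This is the IPv6 equivalent of a "port forward".
        iifname $wan oifname $lan ip6 daddr $webserver tcp dport { 80, 443 } accept

        # Everything else arriving from the WAN is counted and dropped.
        counter drop
    }
}
```

The router's own input chain needs the same default-deny treatment; this ruleset only covers traffic forwarded to LAN devices.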