
[flagged]


I'll admit to not understanding this position. Without NAT, you could do the same sort of firewalling, where the inbound allow list is driven dynamically. The only thing I can think of is that not using NAT exposes more detail about an internal network. Is that the reason you're hinting at, or is the reason something else?


It's extremely funny how a network with NAT needs hole punching in the firewall and a network without NAT suddenly doesn't have a firewall at all. Like OK, in 1995 a router would have been a dedicated machine or appliance, but since 2005 anyone can buy a sub $30 device which routes, firewalls, provides a bunch of (unnecessary) services... but suddenly incapable of firewalling if IPv6 is involved.


> but suddenly incapable of firewalling if IPv6 is involved.

It's been a few years but I've yet to see a consumer grade router that lets you mess with IPv6 firewall rules. I don't even know what these routers use for a default policy.

They all seem to have web UIs for IPv4 firewalls and port forwarding though...


Ever seen an average IPv6 firewall, even on $500 devices?

You can have a dynamic prefix that can change at any moment on your WAN interface, but then you have static IPv6 rules and you cannot specify something like "use current prefix" there.

So I understand if the first reaction is screw that.


Not OP but that’s how I think of it.

If my internal network is 10.0.0.0/8 and I have 100,000 hosts and a single IPV4 address that they all appear to be to the public Internet, I’ll sleep a lot better than if I had all 100,000 hosts with public routable IPV6 IP addresses attached to them.

Yes, you can depend on a firewall to protect you but at the very least it exposes information about your internal network and at worst opens you up to future firewall flaws.

I remember the days when people used to have every system have its own public IP address. People would scan for broadcast addresses of their networks and we got Smurf attacks as a result. Obviously those wouldn't work with properly firewalled hosts but it still scares me.


This is why we have firewalls. My pfSense router e.g. blocks external access by virtue of it being a firewall with sensible defaults.

All routers w/ firewalls will/should have them.


Firewalls are fine but having the ability to make machines unroutable is even more powerful, no?

While I get that firewalls are probably safe like 99.99% of the time… I’ve gotta say, I just don’t trust software to not have vulns of some sort that someone important already knows how to break. So eg for a corporate network I would be hesitant to do this, for my personal network not so much (unlikely that a 3 letter agency gives a shit about what I do).

Additionally. Firewall changes can sometimes fail for whatever reasons so you might have accidentally exposed a node publicly for some time.

Making those nodes not reachable from the internet seems prudent. It’s like your office building has a public address but your office assignments don’t need to be public.


>Firewalls are fine but having the ability to make machines unroutable is even more powerful, no?

For the whole world there is absolutely no difference between a routable address, a non-routable address or even the absence of the machine... behind a firewall with drop all on a public interface.


Your statement doesn’t address the point you are responding to so it makes me think you completely missed the point you are replying to.

You are correct in theory. What you don’t seem to be taking into consideration are firewall vulnerabilities or other unknown things that could happen that make it different from a practical standpoint.

I started an ISP from the ground up in 1996. I've seen a lot of weird stuff. You seem to just hand wave it away like firewalls are this perfect bastion of security.

Maybe you have more experience than I do?


where do you think the NAT and associated connection tracking is occurring exactly?


Anything smaller than an IPv6 /48 is effectively unroutable. Your ISP has to route smaller blocks, like /64s, privately (because only /48s hit public BGP). And then you have to route the /64 they assign you privately once again.


No. There is no difference between the two from a security point.


Even firewalls are just a last resort defense IMO. The primary thing is not having any crap listening on ports in the first place.


IPv4 with NAT is effectively routing your 100,000 hosts through one of 4,294,967,296 possible IP prefixes (a /32).

IPv6 with a /64 routes one of 18,889,465,931,478,580,854,783 possible IP prefixes to your router. Everything that happens behind that is opaque. There are so many IPs in that prefix that people can't even guess which ones you're using. It's easier to guess internal IPv4 NAT addresses.

The internet can't see your IPs. "Publicly routable" doesn't mean much when you're talking about prefixes.


Unless you're planning to assign random IPv6 addresses for each connection then it's not at all the same thing.

And anyways, when you have a NAT you're probably routing traffic through a level 4 balancer or jumphost or using a VPN somewhere in your LAN.


We assign IPv6 deterministically. Incrementing them is the most boring way to use IPv6 space.

You can also just start in the middle of a block and make a sequence of 10,000 IPs effectively unguessable.

I don't buy that keeping addresses private has much value, but IPv6 still isn't worse than NAT in that respect.


> Unless you're planning to assign random IPv6 addresses for each connection then it's not at all the same thing.

SLAAC


SLAAC has an option to randomize, but it's a lot slower than per-connection.


As soon as one of the computers in the subnet initiates traffic outside the network, its IP address becomes public knowledge though, right? Doesn't matter how large the space is, that information leaks, whereas with NAT it doesn't.


Modern OSes change their outgoing IPv6 address fairly often. They could grab 10,000 from the pool and rotate between them every second.


IPv6 addresses can be ephemeral? What, DHCP is assigning a whole range to each client? Didn't know that.

Pretty weird. For internal stuff I would be using IP addresses to identify peers. Ephemeral IP addresses in logs aren't very useful.
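The sub-thread above turns on whether a host's outbound IPv6 address identifies it: a SLAAC address built from the MAC (EUI-64, recognisable by the `ff:fe` in the middle of the interface identifier) does, while a temporary address from RFC 4941 privacy extensions rotates and does not. The following audit script is an added example, not code from the thread; it parses constructed `ip -6 addr show` output (the interface name, addresses and lifetimes are made up) and classifies each global address so a defender can see which hosts still expose their MAC in every outbound connection.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show` output; not captured from a real host.
SAMPLE_IP_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:1234:56ff:fe78:9abc/64 scope global dynamic mngtmpaddr
       valid_lft 86386sec preferred_lft 14386sec
    inet6 2001:db8:1:2:9d3e:ab1c:4f0e:2d71/64 scope global temporary dynamic
       valid_lft 86386sec preferred_lft 14386sec
    inet6 2001:db8:1:2::53/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1234:56ff:fe78:9abc/64 scope link
       valid_lft forever preferred_lft forever
"""

# One address line: "inet6 <addr>/<plen> scope <scope> <flags...>"
_ADDR_LINE = re.compile(r"^\s*inet6\s+(\S+)/(\d+)\s+scope\s+(\w+)(.*)$")


def eui64_to_mac(addr: str):
    """Return the MAC a modified-EUI-64 interface identifier was derived from,
    or None if the low 64 bits do not carry the 0xfffe marker (RFC 4291 A.1)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3] != 0xFF or iid[4] != 0xFE:
        return None
    # Undo the universal/local bit flip on the first octet, drop the ff:fe filler.
    octets = bytes([iid[0] ^ 0x02, iid[1], iid[2], iid[5], iid[6], iid[7]])
    return ":".join(f"{b:02x}" for b in octets)


def classify(addr: str, flags: str):
    """Classify a global address by how much it reveals about the host."""
    if "temporary" in flags.split():
        return ("temporary", None)        # RFC 4941 privacy address, rotates
    mac = eui64_to_mac(addr)
    if mac is not None:
        return ("eui64", mac)             # stable and leaks the hardware address
    return ("stable", None)               # manual, DHCPv6 or stable-privacy IID


def audit_addresses(ip_output: str):
    """Map every global IPv6 address in `ip -6 addr` output to its classification."""
    result = {}
    for line in ip_output.splitlines():
        m = _ADDR_LINE.match(line)
        if not m:
            continue
        addr, _plen, scope, flags = m.groups()
        if scope != "global":
            continue                      # link-local never leaves the segment
        result[addr] = classify(addr, flags)
    return result


if __name__ == "__main__":
    for addr, (kind, mac) in audit_addresses(SAMPLE_IP_OUTPUT).items():
        note = f" (derived from MAC {mac})" if mac else ""
        print(f"{addr:45} {kind}{note}")
```

On Linux the per-interface knob that makes the kernel prefer temporary addresses for outbound connections is `net.ipv6.conf.<iface>.use_tempaddr = 2`; the rotation happens on the order of the preferred lifetime shown in the sample (hours, not per connection), which is the trade-off the thread describes. An `eui64` result on a server is worth fixing even behind a firewall, because every outbound connection then carries a stable hardware identifier.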


Some of our service providers require us to provide the IP addresses of our services to them for them to safelist. It’s stupid, but it’s not something we can control.

Rather than constantly update them as our servers change, we route through a NAT. I wouldn’t know how to do it with IPv6. Maybe the service provider could safelist a subnet?


They probably wouldn’t support that. Most non software heavy companies outsource these sorts of projects and to make changes to their systems requires a bunch of upfront capital costs which can be expensive so they will push back against changes unless you are big enough to force them to or you convince them of the merits of such changes.


Depending on the type of connection it's fairly easy to set up squid as a proxy for outbound connections so everything appears to come from the squid box, which can have a static address and can be added to an allow list.


>Maybe the service provider could safelist a subnet?

Yes, that's what prefixes are for. Although it's impractical in the IPv4 world, in IPv6 it is the way to whitelist a range of IPs.


Yes, of course.

Exposing your LAN configuration for the world to see is insanity, it's like hiding your private SSH keys in a password-protected Excel file.

And yes, you need both NAT and firewall. They're complementary technologies and do not replace each other.


I mean, the original purpose of NAT was to let you move hosts between networks without renumbering them. No one really does that though, your laptop or phone happily renumber themselves when you move networks.

No one's going to use NAT for keeping IPv6 between networks.


Default deny from external access isn't an IPV4 NAT-only feature, but it does come out of the box.

The same would need to be set up for IPv6 and move on past that.

It's a firewall issue, not a protocol issue.
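The thread keeps returning to two practical questions: what the "default deny from outside" that IPv4 NAT gives you for free looks like when written as explicit IPv6 firewall rules, and how to write a rule for one LAN host when the ISP-delegated prefix changes. The nftables ruleset below is an added example for a Linux router and is not from the thread or any vendor's firmware; the interface names `wan0`/`lan0` and the host's interface identifier `::1234:5678:9abc:def0` are assumed. The bitwise match on `ip6 daddr` needs a kernel and nft build that support bitwise operations on IPv6 addresses.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset for a home/SOHO router; interface names and the
# interface identifier below are assumptions, not values from the thread.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Replies to connections the router itself opened
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # IPv6 does not work without ICMPv6 (neighbour discovery, RA, PMTUD)
        meta l4proto icmpv6 accept
        icmp type echo-request accept

        # Router management/services reachable from the LAN only
        iifname "lan0" accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Same property NAT gives IPv4 hosts: reply traffic for connections a
        # LAN host opened is allowed back in, unsolicited inbound is dropped.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open connections outward on both address families
        iifname "lan0" oifname "wan0" accept

        # Error/path-MTU messages must be able to reach LAN hosts
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Inbound SSH to one LAN host regardless of the current delegated prefix:
        # match only the low 64 bits (the interface identifier), which stay
        # fixed while the ISP-assigned prefix changes.
        iifname "wan0" oifname "lan0" ip6 daddr & ::ffff:ffff:ffff:ffff == ::1234:5678:9abc:def0 tcp dport 22 ct state new accept
    }
}

# IPv4 NAT lives in its own table. It rewrites addresses; it is the forward
# chain's "policy drop" above, not this table, that blocks unsolicited inbound.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f <file>` and check the result with `nft list ruleset`. The interface-identifier match only works for hosts whose low 64 bits are fixed (a manually set, DHCPv6 or EUI-64 address); a host using temporary privacy addresses has no stable identifier to match on, which is the same tension the earlier sub-thread on ephemeral addresses points out.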


The devices I've seen have default deny for IPv6 as well.


Do you know you can have DENY FROM ALL by default in any IPv4 firewall?

Do you know that you would be hard pressed to find a router without a firewall not only in the year 2022, but in the year 2012 too, when there were 10G *switches* capable of routing AND firewalling traffic almost at line rate?


Firewall and NAT are orthogonal. You need both.

Exposing your LAN configuration for the whole world to see is insanity. (Yes, we sometimes do this, but only because we still don't have sane VPN solutions here in the year 2022.)


> You need both.

No you don't.

You can have the public IPs on everything in your LAN... and still it would be completely inaccessible to the outside world. Because you know, firewalls exist.

> Exposing your LAN configuration for the whole world to see is insanity

Bullshit. BGP doesn't 'expose' your internal routing configuration and there is absolutely no other way for someone to see how exactly the things in your network are. OSPF could be used for it, but it requires: 1) being right next to your router 2) being configured to send on the external interface.

