[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Does IPv6 preclude use of a NAT gateway?

On 12/07/11 07:58, Paul E Condon wrote:
> On 20110710_225108, Erwan David wrote:
>> On 10/07/11 20:34, Randy Kramer wrote:
>>>> Also, ipv6 firewalling is very annoying on the gateway (due to
>>>>  the icmpv6 filtering which must be done right).  When 
>>>> possible, get a script that does most of it right for you (or 
>>>> check RFC 4890).
>>> Sounds like good advice.
>>> Randy Kramer
>> shorewall6 is quite good at setting the rules for IPv6.
> I am puzzled by this discussion. Without going into any features of 
> IPv6, the reason NAT works for IPv4 that I have been taught is the 
> 192.168.xxx.xxx are illegal on the actual internet.

Correction (pedantic semantics), not *illegal*, just not supposed to be
used in Class A environments (because it won't work). You *will* find
class C addresses used on internet exposed boxen - you just won't be
able to load the links (DNS doesn't cope with duplicate IP entries).

> No router is supposed to do anything but drop them. And your NAT box
>  acts as a proper internet router on the side that is connected to 
> the internet. So anyone on the outside cannot send messages to your 
> hosts on the inside because any messages will be dropped long before 
> they get near a box on the inside. It is not NAT, by itself, that 
> offers protection, but NAT with the sure knowledge that packets on 
> the inside are always illegal addresses in the outside. (Proper 
> internet legal address packets ARE legal on the inside. That is how 
> packets requesting web pages from a web site get from your host to 
> your router/NAT.)

An "alternative" explanation is that NAT makes addresses available that
DNS can't resolve. eg, many boxen behind IPV4 routers have an IP address
of 192.168.x.x (Class C) - but their modem has a class A address that is
listed with DNSs.
Think of it as envelopes and letters - your boxen writes a letter to
Google asking for search results, puts it in an envelope addressed to
Google with your boxen's (Class B or C) IP address as the sender - then
sends the envelope to your router. Your router (even if there's only a
single "route") removes your letter from the envelope, pins the envelope
to it's "don't forget" corkboard, and puts the original letter into a
new envelope addressed to Google, but with it's (the router's modem's)
Class A address as the sender. That's one side of NAT, and nothing to do
with firewalling.
(to simplify I've left out a few details and "router" just means an
abstracted entity that does NAT for you)
Google gets the "envelope", opens it, reads the letter, and writes a
reply - the reply is inserted into a new envelope addressed to your
router - and sends it off. (note, I'm not treating your modem and router
as one for simplicity - and not even trying to explain UMTS).
Your router reverses the sending process to send your boxen Goggle's
reply (your requested search results).

Your firewall determines what packets from either direction are allowed
through. NAT only provides the protection of turning off the lights to
stop burglars - poor analogy, but my point is that there are many ways
of seeing in the dark house without using your light (where light is
externally exposed IP addresses).

> Is there something wrong, or incorrect, about this?

A little - if your firewall is not enabled properly than NAT won't stop
outside packets from machines behind it (sic). It just requires a little
"bumping around in the dark" or "an inside man with a secret beacon".
One of the reasons people believe NAT *is* protection is a less than
full understanding of how it works coupled with the "nothing's happened
to me, yet" belief. The latter is like declaring you don't have cancer,
or the bloke who jumps of the 10 storey building - heard declaring "so
far so good" while passing the 4th floor ;-p       i.e. penetration of a
NAT addressed network from the internet does happen - it's just not
simple - for the most part it requires "one-stroke" attacks to succeed.

Apropos of little - it's the sort of "non-thinking" that inspires people
to believe that hiding hacksaws and boltcutters makes Kensington ==
security (a bit of paper will open them)

NOTE: IP addresses are not the only way to address a particular machine
from a network...

Apologies for the lack of succinctness - hope your answer is somewhere
amongst all those words.


What did moths bump into before the electric light bulb was invented?
Boy, the lightbulb really screwed the moth up didn't it? Are there moths
on their way to the sun now going, "It's gonna be worth it!"
~ Bill Hicks

Reply to: