• @pivot_root
    link
    English
    55
    edit-2
    3 months ago

    No NAT doesn’t mean no firewall. It just means that you both don’t have to deal with NAT fuckery or the various hacks meant to punch a hole through it.

    Behind NAT, hosting multiple instances of some service that uses fixed port numbers requires a load-balancer or proxy that supports virtual hosts. Behind CGNAT, good luck hosting anything.

    For “just works” peer to peer services like playing an online co-op game with a friend, users can’t be expected to understand what port forwarding is, let alone how it works. So, we have UPnP for that… except, it doesn’t work behind double NAT, and it’s a gaping security hole because you can expose arbitrary ports of other devices if the router isn’t set up to ignore those requests. Or, if that’s not enough of a bad idea, we have clever abuse of IP packets to trick two routers into thinking they each initiated an outbound connection with the other.

    • ᕙ(⇀‸↼‶)ᕗ
      link
      fedilink
      English
      33 months ago

      can you tell me if any device in an IPv6 LAN can just assign itself more IP v6 adresses and thereby bypass any fw rule?

      • @pivot_root
        link
        English
        10
        edit-2
        3 months ago

        IPv6 has two main types of non-broadcast addresses to think about: link-local (fe80::) and public.

        A device can self-assign a link-local address, but it only provides direct access to other devices connected to the same physical network. This would be used for peer discovery, such as asking every device if they are capable of acting as a router.

        Once it finds the router, there are two ways it can get an IP address that can reach the wider internet: SLAAC and DHCPv6. SLAAC involves the device picking its own unique address from the block of addresses the router advertises itself as owning, which is likely what you’re concerned about. One option for ensuring a device can’t just pick a different address and pretend to be a new device is by giving it a subset of the router’s full public address space to work with, so no matter what address it picks, it always picks something within a range exclusively assigned to it.

        Edit: I butchered the explanation by tying to simplify it. Rewrote it to try again.

        • r00ty
          link
          fedilink
          63 months ago

          In most cases, the router advertises the prefix, and the devices choose their own IPv6. Unless you run DHCPv6 (which really no-one does in reality, I don’t even think android will use it if present).

          It doesn’t allow firewall bypass though, as the other commenter noted.

          • Blaster M
            link
            English
            3
            edit-2
            3 months ago

            DHCPv6 is very much in use with large ISPs. SLAAC only lets you get a single /64 (one network) from the ISP, but if you use DHCPv6, which is also provided ISP side, you can often request a /60 to get you 16 networks to use. Also, DHCPv6 doesn’t base the IPv6 address off the MAC address like SLAAC does, so it is better for device privacy.

            Why Android does not support DHCPv6 is beyond me. It’s honestly quite ridiculous as it makes configuring LAN-side DNS and other things a lot easier.

            • r00ty
              link
              fedilink
              43 months ago

              Dhcpv6-pd is used by isps for prefix delegation, which most routers support now (not so when my isp first started with it).

              But for advertising prefixes on a lan most networks use router adverts.

              They’re different use cases though.

          • @pivot_root
            link
            English
            23 months ago

            Yeah, I butchered my answer by trying to simplify the process. I rewrote it in a hopefully more accurate but still simple to understand way.

            • r00ty
              link
              fedilink
              3
              edit-2
              3 months ago

              Yep, it’s all good. In my opinion, IPv6 routers should just be dropping incoming connections by default. If you want to run services you give your machine a static IPv6 and open ports on that IP/port specifically. It’s actually easier than NAT because you don’t need to translate ports and each IP can use the same ports (multiple web servers on 80/443).

              I do agree that the average joe is going to expect NAT level security by default and that would provide that.

              • @pivot_root
                link
                English
                33 months ago

                I absolutely agree with you on all points here.

                From a security perspective, allowing all incoming connections by default is unnecessarily exposing devices to a hostile environment. The average Joe isn’t going to understand the risk unless somebody explained it as “it’s like posting your home address on 4chan and hoping nobody manages to pick your front door lock,” and they’re likely never going to take advantage of the benefits that come from having their device be globally reachable.

                Another benefit to not having to deal with NAT is that you can actually host services using the same protocol (e.g. HTTP) on multiple machines without having to resort to alternate port numbers or using a proxy with virtual host support.

          • @[email protected]
            link
            fedilink
            English
            23 months ago

            Unless you run DHCPv6 (which really no-one does in reality)

            Question for you since I have very little real world IPv6 experience: generally you can provide a lot of useful network information to clients via DHCP, such as the DNS server, autoconfig info for IP phones, etc. how does a network operator ensure that clients get this information if it’s not using DHCPv6?

            • r00ty
              link
              fedilink
              23 months ago

              You can include some information in router advertisements, likely there will be rfcs for more. Not sure of the full list of stuff you can advertise.

              For sure I’m quite sure I had dns servers configured this way. I’ll check when not on a phone to see what options there are.

              • @pivot_root
                link
                English
                1
                edit-2
                3 months ago

                If I recall correctly, you can do stateless DHCPv6 to just hand down a DNS server without also managing the devices’ IP addresses.

                • r00ty
                  link
                  fedilink
                  33 months ago

                  You can, and there’s a specific flag to set on nd/ra to tell the client to get other information from djcpv6. But so far I’ve not made it work and also, it likely won’t work on android.

                  Really the way forward is for routers and devices to implement the same options as exist on dhcp. But, time will tell how that gets on.

                  This is a weakness of ipv6 but it’s really the lack of widespread implementation that’s behind this. If we were all using it, there would be more onus to get this stuff working.

                  • @pivot_root
                    link
                    English
                    33 months ago

                    What exactly does Google do for Android, then? Hardcode the IPv6 address of their own DNS service, or fall back to pulling AAAA records over IPv4?

            • Blaster M
              link
              English
              13 months ago

              DHCPv6 is very definitely used with ipv6 and isps, as DHCPv6-PD is needed anyway to send prefix allocations to the router

              DHCPv6 does the same thing DHCP does, just for v6 addresses. This includes pushing domain suffix and dns servers.

              There is also Router Advertisement, which tells the discovering client that it is a router, what the prefix is, if there is a DHCPv6 server, and what the DNS is. As an alternative to DHCPv6, the client can set their own address based on the combination of the prefix and their MAC address, the SLAAC address. The way IPv6 routing tables are built, the router can always find a route by asking upstream on the address, and upstream only has to forward downstream on an address.

            • r00ty
              link
              fedilink
              33 months ago

              Best thing to do to test the firewall is run some kind of server and try to connect to your ipv6 on that port.

              Like I’ve said in other posts, routers really should block incoming connections by default. But it’s not always the case that they do.

        • r00ty
          link
          fedilink
          33 months ago

          Honestly, I think most fear of IPv6 is just borne out of ignorance and assigning their understanding of IPv4 onto IPv6 and making assumptions.

          • @pivot_root
            link
            English
            53 months ago

            assigning their understanding of IPv4 onto IPv6 and making assumptions.

            This is also what makes it more difficult to learn, unfortunately.

            • r00ty
              link
              fedilink
              13 months ago

              That’s true. But there are not many differences. It’s just, the differences there are, are crucial to understanding it.

      • Blaster M
        link
        English
        33 months ago

        Not if your firewall router is setup right (strict mac address filtering)

        • ᕙ(⇀‸↼‶)ᕗ
          link
          fedilink
          English
          13 months ago

          so back to the beginning of this thread: ipv6 in home lans is likely to be unsafe due to the defaults in some/many/most routers? and those ipv6 devices can in these szenarios escalate their permissions be spawning new ip adresses that would overcome lazy output fw rules?

          thanks for all the explaining here so far!

          or if i upload a malicious apk to some smartTV and have a it spawn a dhvpv6 server and then spawn a new virtual device that would be given an IP by my fake dhcpv6 to bypass. and we all can use macaddresschanger.

          so you say with macfiltering the router would still prevent unwanted direct connections between my c&c server and some malicious virtual device? that’d be cool, but i dont understand how.

          • 2xsaiko
            link
            fedilink
            English
            43 months ago

            ipv6 in home lans is likely to be unsafe due to the defaults in some/many/most routers?

            no

            and those ipv6 devices can in these szenarios escalate their permissions be spawning new ip adresses

            yes and this is not “escalating their permissions”, it is in fact the expected behavior with Privacy Extensions (RFC 4941) where devices will probably have multiple addresses at the same time that are used for outgoing connections

            that would overcome lazy output fw rules?

            any router that doesn’t have deny as the default rule for WAN->LAN traffic (probably not many) is trash, and if you’re filtering LAN->WAN traffic (not really usual for a home network) then you want default deny there too, but at that point that is not an ipv6 problem

            or if i upload a malicious apk to some smartTV and have a it spawn a dhvpv6 server and then spawn a new virtual device that would be given an IP by my fake dhcpv6 to bypass. and we all can use macaddresschanger.

            rogue dhcp is not an ipv6 exclusive problem

            so you say with macfiltering the router would still prevent unwanted direct connections between my c&c server and some malicious virtual device? that’d be cool, but i dont understand how.

            yes, firewall rules can work based on mac addresses, not sure exactly what you mean