| ▲ | dlcarrier 12 hours ago |
| As someone with a background in electronics who doesn't manage any internet-connected equipment but has multiple embedded devices connected to a WAN, I'm glad that IPv4 still seems to have a bit of life left in it. When IPv6 was developed, over 30 years ago, connecting everything to the internet seemed like a great idea. I know that IPv6 can be made secure, but I don't have the background or research time to learn how to do so, and the NAT-by-default of IPv4 effectively means that I get the benefit of a default-deny security strategy that makes it impossible to accidentally directly connect anything to the internet. I'm hoping I can keep using IPv4 until IPv8 or IPv4.5 or whatever comes next is developed with the modern proliferation of cheap insecure IoT in mind. For some background on why IoT products are so insecure: Hardware manufacturers don't really comprehend the idea of updates, let alone timely of security patches. Hardware has to work on the day of release, so everything is documented and tested to verify it will work. I have hardware with a TCP/IP stack that was released 20 years, (https://docs.wiznet.io/Product/Chip/Ethernet/W5500) and doesn't have a single errata published, despite widespread use. This is expected for every single component, for even the smallest 1-cent transistor, which has dozens of guaranteed performance characteristics laid out over several pages of documentation (https://en.mot-mos.com/vancheerfile/files/pdf/MOT2302B2.pdf). When manufacturers venture into a product that runs software, they don't realize that for a given complexity, working through undocumented or, worse yet, incorrectly documented APIs takes more time than the equivalent hardware development and documentation. I've worked on multiple projects where software bugs were fixed with hardware workarounds, because it's faster, cheaper, and easier to develop, test, document, retool, and add a few cents of bill-of-materials cost per product, than to get reliable output from the already-written library that's supposed to provide the functionality. The hardware TCP/IP stack that I linked to was developed at a time when it was the cheapest way to connect a low-power embedded system to a network. Modern low-power embedded systems have multiple cores running at hundreds to thousands of MIPS making the resources to run a softtware TCP/IP stack trivial, but the product still sells well, because when security is an absolute must, the hardware development and maintenance cost for the functionality is still cheaper than through software, even when there's no marginal cost to run the software. |
|
| ▲ | johnmaguire 12 hours ago | parent | next [-] |
| > the NAT-by-default of IPv4 IPv4 is not NAT-by-default. The reality of the world we live in today is that most home networks have a NAT, because you need multiple devices behind a single IP. That said, I agree: it's quite unknowable how many services I've turned on on local machines with the expectation that a router firewall sat between me and potential clients. But that doesn't go away with IPv6 - the NAT does, the router doesn't, and the firewall shouldn't either. For example, the default UniFi firewall rules for IPv6 are: 1. Allow Established/Related Traffic (outbound return traffic), 2. Block Invalid Traffic, 3. Block All Other Traffic You must explicitly open a firewall rule for inbound IPv6 traffic. NAT is not the firewall. |
| |
| ▲ | cyberax 9 hours ago | parent [-] | | > NAT is not the firewall. NAT _is_ a firewall. And a much safer one than IPv6 firewalls, because NAT will fail safe if misconfigured. | | |
| ▲ | johnmaguire 9 hours ago | parent [-] | | NAT is not a firewall: all it does is rewrite packets, it does not drop them. | | |
| ▲ | tyingq 3 hours ago | parent | next [-] | | You have to squint a little and see they mean that most consumer routers don't map inbound unsolicited packets to anything internal unless the user specifically configured it to. Which is basically a firewall. | |
| ▲ | jonathanlydall 8 hours ago | parent | prev [-] | | The article actually remarks on this kind of argument. While you are technically correct about NAT not being a firewall, it is in practice a widely used front-line defense which even if not “perfect”, it has indisputably
proven to be quite effective against a lot of malicious activity. Against highly determined malicious actors you will of course want a proper firewall, but for 99% of people, NAT is enough to keep from being bothered by run of the mill malicious actors. Kind of like physical home security, a lot of it is very easy to bypass, but it’s good enough for the common threats. | | |
| ▲ | johnmaguire 8 hours ago | parent [-] | | > Against highly determined malicious actors you will of course want a proper firewall, but for 99% of people, NAT is enough to keep from being bothered by run of the mill malicious actors. Maybe, maybe not, but regardless 99% of people are not protected by a NAT. They are protected by a "proper firewall," which happens to support NAT (and typically, is enabled for IPv4 networks.) That is to say, while most home routers support NATs, they also ship with a default-deny firewall turned on. Typically, enabling NAT mappings also configures the firewall for users. But they are not the same thing and we need to stop conflating them because it causes a lot of confusion when people think that IPv6 is "open by default" and that IPv4 is "protected by NAT." It's not. They are both protected by your router using the same default-deny firewall. | | |
| ▲ | cyberax 8 hours ago | parent [-] | | This is BS. "Default deny" or "default accept" makes no practical difference with NAT. You can leave the "default accept" rule with NAT and you'll be perfectly fine except in some weird edge cases. That's because it's exploitable only if you control the next hop from the NAT router, which is typically within the ISP infrastructure. So the attacker will need to either hack your ISP or mess with your NAT router's physical uplink. Both cases require a very dedicated attacker. | | |
| ▲ | johnmaguire 8 hours ago | parent [-] | | A default deny firewall is a good idea to protect services everywhere in your network, including those which run on the router itself (e.g. many routers run a local DNS server.) Without NAT, packets are not dropped, they simply do not have their destination rewritten to another device on the network. The traffic is still destined for the router and will be processed by it. This is why routers ship with a default-deny firewall rule. NAT is not a firewall. It is address translation. It will not drop packets. | | |
| ▲ | cyberax 5 hours ago | parent [-] | | Sure, a default deny is a good idea. However, it's not _critical_. If you forget to enforce it on your NAT router, you'll be fine. And if you are behind a CGNAT, it's even safer. In IPv6 it becomes absolutely essential. If you forget to include it, your network becomes wide open. And you don't have an easy way to detect this because you need an external service to probe your network. > NAT is not a firewall. It is address translation. It will not drop packets. Yes, it is a firewall because it enables the address space isolation. |
|
|
|
|
|
|
|
|
| ▲ | ianburrell 11 hours ago | parent | prev | next [-] |
| IPv6 is just as secure as IPv4. NAT usually combines address translation with a stateful firewall. I remember when they were separate things. IPv6 has the stateful firewall, all the same security but without the mess of address translation. Also, if you have devices connected to WAN, then they are insecure because they are not NATed. |
| |
|
| ▲ | huslage 9 hours ago | parent | prev | next [-] |
| NAT is not a security measure at all. It just obscures what's behind a firewall, but that is leaky and not reliable from a security perspective. It might make you feel better, but that is not security. |
| |
| ▲ | dlcarrier an hour ago | parent | next [-] | | A firewall has nothing to filter, if nothing is routed to it. My IoT devices communicate with a server running in my network. As long as I am behind an IPv4 router, their communications to that server will never make it to the internet, and any communications from the internet have no way of addressing any device on my network. I literally can't add any security to a firewall because there's no communications to handle. Sure, I have personal computers on the same network, which aren't on a separate VLAN because I'm not familiar enough with my router to set that up, so a compromised PC could forward attacks to my IoT devices, but the firewall would be useless at that point. If I have an IPv6 router, I can miss-configure it in a way where all of my internal communications between IoT devices work as expected, but they also have discoverable addresses on the internet. This would give the firewall something to do, but I'd rather there be no route in the first place. Also, if I trusted myself to properly configure my router for IPv6, I would put all of my IoT equipment on ULAs, which much like an IPv4 NAT would leave me with nothing to configure in the firewall. If I were to take your claims at face value, using GUAs with packet filtering is far more reliable and secure than ULAs, and that seems preposterous. A properly configured firewall for sure adds security, but isolation always wins out. | |
| ▲ | pixl97 8 hours ago | parent | prev [-] | | Yea, people consider NAT a firewall, but at best it stops direct connections from outside. People use this as a rationale to non secure individual devices on the network. Then the moment a single device on your network is compromised (do you really trust that Chinese IOT device?) every host that doesn't have its own firewall is at risk. With IPv6 you at least say "Holy crap, anyone could connect to this, I better secure it from outside and inside attacks" which is how actual security works. |
|
|
| ▲ | simoncion 11 hours ago | parent | prev | next [-] |
| > I know that IPv6 can be made secure, but I don't have the background or research time to learn how to do so, and the NAT-by-default of IPv4 effectively means that I get the benefit of a default-deny security strategy that makes it impossible to accidentally directly connect anything to the internet. To get the "unsolicted traffic is rejected or dropped" behavior of the typical IPv4 NAT, forward inbound traffic that's related to an established connection and drop or reject the rest. You can also use the exact same NAT techniques you use for IPv4 addresses with IPv6 addresses. The only differences are that instead of you using RFC 1918 Private Internets addresses (10./8 and friends) you use RFC 4193 ULA addresses (fd00::/8), and you need the usual NAT rules on your edge router, except for IPv6, rather than IPv4. Remember that IPv6 is still IP, just with larger addresses. It's recommended that you generate your ULA subnet rather than selecting one by hand, but absolutely nothing stops you from choosing fd::/64. If you're statically assigning addresses to your LAN hosts, then your router could be -say- fd::1 and you count up from there. Also note that DHCP exists for IPv6 [0] and is used by every non-toy OS out there except for Android. > I'm hoping I can keep using IPv4 until IPv8 or IPv4.5 or whatever comes next... IPvnext is not happening in either of our lifetimes. You're either going to have to buy edge gear that's set up with a "reject or drop unsolicited inbound forwarding traffic" firewall, or learn how to set it up yourself. Either path is not hard. Well, I guess there's secret option #3: "Die without doing either.". That's also not hard. [0] It has been around for nearly twenty-three years. |
| |
| ▲ | dlcarrier 4 hours ago | parent | next [-] | | Yeah, that's the kind of stuff that I know how it works from a network protocol standpoint, but have no clue how to configure on any given system, let alone verify I configured it correctly. I installed DD-WRT on my router, hoping it would be easier to set up. The user interface was much easier to navigate, but the labels of the settings were so sparse that I couldn't tell what anything was referring to, even knowing the terminology for the the lower layers of network protocols. I wouldn't be surprised if I never get around to working on it in my lifetime, as long as I can play around with electronics projects. Regarding Android OS, I'm not convinced it isn't a toy OS. I feel like they threw in the Linux kernel, but didn't bother including most of the useful features, and pat themselves on the back whenever they add one back. It took almost a decade before they figured out that you could install fonts without reinstalling the operating system. If they ever discover DKMS, we can stop throwing our phones away every few years, and have some actually useful hardware. Then again, it took Apple two years to add copy and paste to a phone, so maybe it's an industry-wide problem. If I could buy a modern Jornada 700 series running Linux or BSD, I'd never need to pick up an Android or iOS device again. | | |
| ▲ | simoncion 41 minutes ago | parent [-] | | > DD-WRT Since you're in the mood for experimentation, you might try OpenWRT. They even have a somewhat-fancy-shmancy configuration GUI called LuCI. |
| |
| ▲ | themafia 10 hours ago | parent | prev [-] | | I don't think you even need a stateful firewall. If it's an IoT device that's not meant to provide services to the internet then it seems to me you can just drop all non local subnet originated traffic and get most of the security you would expect with NAT. | | |
| ▲ | oasisbob 10 hours ago | parent [-] | | If you want to drop all non-local subnet originated traffic, you need to keep state. Otherwise, how can you tell which side originated the flow? Even that is only a partial solution - UPNP hole punching exploits holes in this logic to allow peer-to-peer traffic into a network which otherwise has a default-deny ACL. |
|
|
|
| ▲ | immibis 10 hours ago | parent | prev [-] |
| For some background why IoT products will stop being insecure: if you sell one in the EU, you're liable for all the damage your botnet causes. Luckily, common EU home routers have firewalls, even for IPv6. And it's so much easier to punch holes on purpose! Instead of messing with port forwarding and internal and external IP addresses, you can just say "this device is a server, please allow traffic on port 80 and 443, thank you" |
| |
| ▲ | dlcarrier 4 hours ago | parent [-] | | I don't see how the logistics for that would work. Even when you know what devices are part of a botnet, which itself is no easy task, each device in a botnet is only doing cents worth of damage, and mostly to the target, but product liability only applies to the owner of the product. Also, everyone I know that lives in Europe (although most of them not within EU countries) imports their IoT controllers directly from China or the US, because there is very little available from manufacturers in Europe. |
|
