Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
Sohcahtoa82 6 hours ago

This is going to depend on the router and on IP distribution.

My ISP does not give me an IPv6 address, only a single IPv6 which all my network devices have to NAT through.

NAT is not intended to be a security feature, for sure, but it creates security as a side effect. If I start up a web server on one of my devices, I know that it is unreachable from the Internet unless I go out of my way to set a port forward on my router.

But...if my ISP decides to start handing out IPv6, that can change. If each of my devices gets an Internet routable IPv6 address, at that point, that security-as-a-side-effect is not guaranteed unless my router has a default-deny firewall. I would hope that any routers would ship with that.

But if my ISP still gives me only a single IPv6 address and I'm still needing to use NAT, then I'm guaranteed to still effectively have a "default deny" inbound firewall policy.

tadfisher 5 hours ago | parent | next [-]

> If each of my devices gets an Internet routable IPv6 address, at that point, that security-as-a-side-effect is not guaranteed unless my router has a default-deny firewall. I would hope that any routers would ship with that.

They usually do, and they also ship with the most wonderful technology ever specified within a 67 MB compressed archive [0]: UPnP! Now your attacker's job is to convince you to initiate an outgoing connection, which automatically forwards an incoming port to your device behind the NAT and bypassing the router's default-deny firewall! Nothing has ever gone wrong with a zero-configuration port-forwarding protocol from the 1990s rammed through the ISO!

[0]: https://openconnectivity.org/developer/specifications/upnp-r...

Sohcahtoa82 32 minutes ago | parent [-]

That's an entirely different attack scenario. To succeed at that attack, my computer would already need to be running malware. At that point, they've already won.

ImPostingOnHN 14 minutes ago | parent [-]

Or you visit a webpage that makes a request to an arbitrary server on an arbitrary port while not running a default-deny application firewall

Gigachad 4 hours ago | parent | prev | next [-]

Every router I’ve ever used has blocked incoming connections on v6 exactly the same as on v4. Really the only difference is you can have multiple devices on your network allowed to receive on the same port if you want.

freetime2 an hour ago | parent | next [-]

> Every router I’ve ever used has blocked incoming connections on v6 exactly the same as on v4.

A few years back my ISP didn't properly support prefix delegation, and the only way to get IPv6 to work was in "Passthrough" mode. My router (Asus ax86u) was really unclear about what passthrough mode meant, but I think that it might also disable the IPv6 firewall (I have read conflicting reports, and was never able to find an authoritative answer). The setting is buried pretty deep in the router and off by default, so I don't think most people would enable it by accident, but a quick google search does show lots of people on forums enabling Passthrough mode to get IPv6 working. So seems pretty dangerous and there is no warning or anything [1] that you are potentially exposing every device on your network to the internet (if that is indeed what it does).

Fortunately, my ISP has since implemented proper support for prefix delegation.

[1] https://www.asus.com/support/faq/113990/

simoncion 26 minutes ago | parent [-]

I got curious about what "passthrough" might be doing and found this assertion [0], which reminded me of the existence of '6relayd' [1]. So I assume that that mode relays the RAs & etc, but replaces the link-local address in the RA & etc with that of the relaying interface.

[0] <https://www.snbforums.com/threads/ipv6-passthrough-disadvant...>

[1] <https://github.com/Yamatohimemiya/6relayd>

valleyer an hour ago | parent | prev [-]

The Apple AirPort Extreme didn't by default until recently: https://support.apple.com/en-nz/103996

Dagger2 5 hours ago | parent | prev | next [-]

So, what side effect of NAT is making your server unreachable here? It sounds like you could turn the NAT off and it would be exactly as unreachable as it was when the NAT was on.

(Just to double-check... have you tried DHCPv6-PD? ISPs will normally only give your router a single IP on its WAN interface, or sometimes no IP on the WAN. Getting the routed prefix for the LAN-side networks involves doing a PD request, which is separate from requesting the WAN IP.)

Spivak 2 hours ago | parent [-]

With NAT your device does not have a publicly routable address. Attackers have no way of contacting you at all. Without NAT you have a publicly routable address and attackers can try reaching out to your device. You rely entirely on your device's and your router's firewall.

So it's not really about NAT although it ends up being a consequence—it's about having a truly private network "air gapped" from the public internet.

Dagger2 an hour ago | parent [-]

No, NAT only affects which IP your connections appear to be coming from. It doesn't change which IPs your devices actually have.

The person I replied to said that they only get a single v6 address. If that's true, it doesn't matter whether they have NAT or not; their network isn't going to have publicly-routable addresses either way.

If your network is air-gapped then no connections will be happening at all, in or out... and if you connect a router to both the Internet and to your network, and enable routing on it, then it's not air-gapped any more.

betaby 6 hours ago | parent | prev [-]

> My ISP does not give me an IPv6 address, only a single IPv6 which all my network devices have to NAT through.

Interesting how that works in your case. Is your router gives your devices IPv6 from fc00::/7 and then NAT them? It would be a rather rare case.