IPv6 Implementation

[LynK]

Hey guys,

Any of you implement IPv6 yet? If so... how far have you gotten, and what complications have arisen?

[deanwebb]

On the firewall, IPv6 is mentioned mostly in the context of blocking IPv6 tunneling in IPv4 packets.

[icecream-guy]

we've got all (well most) of our users browsing the internet via IPv6, and all the needed infrastructure between the users and the internet are running IPv6.
Most of our public services are all IPv6. This is all dual stacked of course. We are trying to meet US government mandates for IPv6 deployment.  Most public companies, I've found don't need it and really don't care about IPv6. I assume they don't see any value or increased revenue to counteract the expense to implement.

[deanwebb]

we've got all (well most) of our users browsing the internet via IPv6, and all the needed infrastructure between the users and the internet are running IPv6.
Most of our public services are all IPv6. This is all dual stacked of course. We are trying to meet US government mandates for IPv6 deployment.  Most public companies, I've found don't need it and really don't care about IPv6. I assume they don't see any value or increased revenue to counteract the expense to implement.

You, sir, are correct!

Why change anything if IPv4 with NAT still works just fine?

[Otanx]

We got space assigned about two years ago. Came up with an addressing plan, and got my edge routers running. We have one peering online, but that is it. As ristau said, it isn't a priority.

-Otanx

[LynK]

Honestly... it seems like if we get all of the federal subnets onto IPv6 we should be good for about another 500 years or so.


@ristau,

In regards to design structure in IPv6 to me I do not feel comfortable having my end users be able to route directly to the internet, without first going through a NAT. What are you doing for the client side? Are you using site-local unicast addressing or global unicast addressing for the hosts?

[icecream-guy]

Honestly... it seems like if we get all of the federal subnets onto IPv6 we should be good for about another 500 years or so.


@ristau,

In regards to design structure in IPv6 to me I do not feel comfortable having my end users be able to route directly to the internet, without first going through a NAT. What are you doing for the client side? Are you using site-local unicast addressing or global unicast addressing for the hosts?

global unicast, users are forced through a proxy so they never touch the internet.  proxy queries web content on their behalf.

[deanwebb]

Honestly... it seems like if we get all of the federal subnets onto IPv6 we should be good for about another 500 years or so.


@ristau,

In regards to design structure in IPv6 to me I do not feel comfortable having my end users be able to route directly to the internet, without first going through a NAT. What are you doing for the client side? Are you using site-local unicast addressing or global unicast addressing for the hosts?

global unicast, users are forced through a proxy so they never touch the internet.  proxy queries web content on their behalf.

That sounds like a very good trick to file away in my bag o' tricks, should I ever need it one day. Thanks!

[Otanx]

Remember NAT is not security. The firewall should define what is allowed. There are a lot of ways to bypass NAT if that is all your rely on.

-Otanx

[LynK]

@Otanx

I understand your post definitely, but how does one "Bypass" NAT to access a RFC1918 address across the internet (besides hijacking a DMZ server / External facing FW) (or someone backdooring into a machine because of a dumb user)

NAT definitely does provide some security. But I would not rely on it alone.

[Otanx]

It is mostly the stupid user problem. Here is a good article that discusses how to bypass NAT - http://www.brynosaurus.com/pub/net/p2pnat/ I do admit that these techniques require somehow getting software to run on the client, but stupid users make that trivial. The problem is people say I have NAT I am secure not realizing it does not prevent malware from going outbound. You need to limit outbound ports, and use some kind of proxy, or DNS filtering to prevent that. You say you don't rely on NAT alone, and I would counter that after you apply these other mitigations that NAT gives you nothing. NAT is better than just being wide open on the internet, but instead of a NAT device just get a basic firewall with no NAT, and you are just as secure.

-Otanx

[wintermute000]

Exactly. NAT gives you no more security than a properly configured firewall policy, since you're going to want the latter anyway, why bother with NAT, SPOF/ bottleneck, broken apps/buggy ALGs etc. Also ipv6 pretty much assumes no NAT, that was a key goal.

[Dieselboy]

I implemented it but noticed poor performance when accessing network shares from Windows 10 to Windows Server 2012 via SMB://. I didn't have time to troubleshoot, so I just stripped it out instead. This traffic would have been routed via our core L3 switches (Nexus 3048) so may be I missed something there or the other possibility is that Windows client or server was being weird. But ipv4 copy would achieve 100mb/s and ipv6 copy would achieve <1kbps then go up to multiple mb/s then back down to <1kbps so seems like something dodgy somewhere It's very low priority for me but I will get around to looking into it. When I eventually do, if it's a bug on Windows then it may have been identified and respolved with a windows update anyway.

At the moment, I'm ipv6-ready and will increase the priority if there's a business use-case. None at the moment. I'm not even running it at home at the moment because I've got a new ASA and not enabled it (v6) on there. But will need to implement at home if I do any more ipv6 work in the office, so I can do some external testing.

[Dieselboy]

Regarding nat and security, I can unerstand where people come from in saying that nat gives a margin of security but the official word is that no it doesnt. But the official word doesn't seem to identify use cases:

1. nat pool on a router

2. nat on a firewall (required for ipv4, usually)

Now for point 1, you may nat 192.168.99.0/24 to 172.16.22.0/24 on a router for any reason. Each host IP range is natted bidirectionally, meaning that although a source IP can "hide" behind another IP making the source address obscure, there's no security benefit because it's a 1 to 1 translation. If you know the subnet, you can send a TCP SYN to the natted address and it will reach the destination. Absolutely zero security benefit.

For point 2, let's say you have 192.168.99.0/24 as a source and it's natted behind your firewalls single public routable address of 1.1.1.1/32. In this case, even if the firewall was completely turned off with ip any any allow between inside and outside and between outside and inside, a TCP SYN sent to 1.1.1.1 on any port wouldnt be able to reach any inside host for the reason that the firewall wouldnt know how to translate the packet to an inside host. There would be no matching nat session and so it should be dropped. To me this is a marginally more secure but not really. If there was a matching session, and no inspection I believe the TCP SYN would be natted and transmitted to the inside host. The attacker doesn't need to know the inside hosts real IP address to make an attack, so saying nat provides security for that reason is wrong.

Thoughts?

[Otanx]

As for point two you have two cases. Case one is the NATed system needs to allow inbound connections. So you have a static NAT configured and outside can get to them. The second case is a system that needs no inbound connections. In this case your firewall should be dropping inbound traffic you don't need/want. Don't assume that the NAT translation table is going to protect you. If the client does not listen on port 80 the firewall should not allow port 80 inbound.

-Otanx