This is a preliminary presentation on the requirement of NAT for enterprise deployment

1. IPv6 Enterprise Security:
The NAT Returns
Sanjeev Gupta
Vice-Chairman
IPv6 Forum (Singapore)
sanjeev@dcs1.biz

2. IPv6 Review
 It will happen
 In our careers
 In our ISPs
 In our enterprises
 On our consumer devices
 In things we cannot think of yet.

3. IPv6 Review
 It is happening
 ISPs are turning it on, to offload traffic
from IPv4
 Alternative is to run CGN or NAT 444,
both of which are expensive, and short-
term
 31% of Verizon Mobile traffic is over
IPv6, with users not realizing (Apr 2013)
 Your “enterprise” OS have it turned on!

4. IPv6 Review
 Recent news
 Starhub has turned on 6to4 on MaxOnline, so
your home router has IPv6
 And without your knowledge, therefore, so may
your home PC
 So what is IPv6, and how does it differ
from IPv4?

5. IPv6 vis-à-vis IPv4
 Some things remain the same
 The concepts of Routing, Networks, and the 7-
layer OSI Stack. Firewalls, TCP, UDP, all remain
the same.
 Enough things change
 The definitions of default routers
 Address assignments
 Neighbour Discovery
 And the entire language changes …

6. IPv6 vis-à-vis IPv4
 Examples of minor changes
 Cisco: show ip becomes show ipv6
 Examples of major changes
 Multicast
 Need to understand Scopes
 Multiple ways to write the same IPv6 address
 2405:FC00:0000:0000:0000:0876:0001:0053
 2405:FC00:0:0:0:876:1:53
 2405:FC00::876:1:53
 IPv6 devices will autoconfigure
magically!

7. IPv6 Security Implications
 Autoconfiguration
 As devices set themselves up, they will
start talking to each other, even when
you may not want them too.
 Routers get discovered, and used.
 Multiple Routers on a link are not only
possible, they are likely
 Network discovery is easier, which may
be good or bad.

8. IPv6 Security Implications
 Rouge Routers
 Similar to the problem of rouge DHCP
servers in IPv4
 A rouge router can override your real
router
 Reasonably easy to setup MITM with
SLAAC
 DAD conflicts
 A rouge host can use DAD to block any
other host from assigning an IP address.

9. IPv6 Security Implications
 Global Routability
 Since we have as many IPv6 addresses
as we need, we would like (and are
encouraged) to use Globally Routable
Unicast Addresses
 Hence, we say goodbye to the RFC1918
addresses
 But this opens up a massive hole on our
edge!

10. IPv6 and NAT
 NAT is generally a bad thing
 Everyone says this, from the IETF to me!
 NAT breaks many things, and makes
some protocols harder to run or debug
 SIP: STUN, ICE
 VNC: Teamviewer, etc
 Even FTP and multi-player games
 But NAT is good for one thing: a “default
deny incoming” policy.

11. IPv6 and NAT
 Default Deny: we allow all outgoing (and
related), we deny all incoming
 Why do we need this? Because host
firewalls are mis-configured, non-auditable,
or non-existant
 Currently, anyone with a server/listener on
their host, cannot have packets routed in
from the Internet: RFC1918 is non-routable
 Most SME IT managers cannot manage a
stateful FW, the number of rules would be
impossible to track part-time.

12. IPv6 and NAT
 One solution (the simple and correct
one) is to use host-based firewalls
 This works for your Server, PC, Laptop
 Does your Network Printer have a firewall?
 Does your Attendance Fingerprint Scanner?
 Alternative is to implement rules on
your edge firewall
 With SLAAC, do you know what the
printer’s current IPv6 address(es)
 Do you know your CFO’s?

13. IPv6 and NAT
 Alternative 1:
 Turn off SLAAC, either use manual addressing(!)
or DHCPv6
 Maintain rule tables in firewall, and spend all day
opening and closing ports (there are lots of
them)
 BTW: make sure no one has admin control over
his laptop, he might change his IP address.

14. IPv6 and NAT
 Alternative 2:
 Use Unique Local Addresses (ULA)
 Pick a 48-bit number randomly
(1111:2222:3333)
 Concatanate to fd00::/8, to get a 64-bit
prefix (fd00:1111:2222:3333::/64)
 SLAAC away!
 FD00 is reasonably unique, but non-
routable
 NAT away (as you have been doing)
between your Global IPv6 address
(singular) and the ULAs inside.

15. IPv6 and NAT
 Alternative 2 (cont):
 Do a 1-to-1 NAT
 NAT away (as you have been doing)
between your Global IPv6 address (singular
or subnet) and the ULAs inside
 Deny all incoming, except explicitly decided
 You can examine Ports, or not
 If your Global range changes, when you
change ISPs, you do not need to
reconfigure the LAN
 Security becomes managable, again.

16. IPv6 and NAT
 Disadvantages of #2 (ULA+NAT)
over #1
 You are still not Edge-to-Edge, which was a
major driver for IPv6
 You will be sneered at by your smarter colleagues
 BitTorrent will be slower
 People running servers need to come talk to you.

17. IPv6 and NAT
 Advantages of #2 (ULA+NAT) over
#1
 Your old model of NAT being Firewall works
 Default deny for incoming (Local addresses, even
if they leak out, will not be routed by your ISP)
 Your printer is cleanly visible inside your network,
yet not accesible from the outside
 You can use SLAAC!!!
 You do not need PI address space, you can use
your ISPs, avoid renumbering
 People running servers need to come talk to you.

18. IPv6 and NAT: The Sequel
 In an ideal world, we would do away
NAT 
 But in an ideal world, we would not
need Firewalls 
 It is very likely that NAT will remain,
but in newer guises
 Maybe NAT64? NAT46? NAT66?
 Just when you thought he was dead, he returned!

19. Freddy Krueger returns!