
Re: IPv6 Hardware Firewall


Marco Moock

Feb 9, 2022, 4:01:17 AM
On Wednesday, 9 February 2022, at 08:16:53, Mike Mocha wrote:

> I noticed something interesting the other day. If you are a typical
> home user with cable or DSL Internet service, and your provider gives
> you native IPv6 addresses and you desire to firewall the devices on
> your home network; since IPv6 is not using NAT, every device behind
> your router gets a unique IP address, so you basically have to either
> close down all IPv6 ports at the main router, OR open all IPv6 ports
> at the router, and then run a software firewall on each device on the
> network! This is not practical or possible on many devices (gaming
> consoles, smart phones, IoT devices, etc).

It is only a security issue if a service listens on a TCP or UDP port.
If that is the case, the problem is neither IPv6 nor a missing firewall;
it is the device that runs software listening on that TCP/UDP port.

> I can prove this by opening and closing the IPv6 firewall settings on
> my provider's router. It's different with IPv4 of course. With
> IPv4, you only have one IP address for ALL the devices on your
> network. So you can setup the firewall to forward specific ports,
> and then setup services on individual devices using those ports.

For IPv4 with stateful NAT44, you have to enable a static NAT rule
(called port forwarding). Stateful NAT44 acts like an SPI firewall. If
you additionally operate a firewall, you also need to create a specific
rule there. For IPv6 without NAT, you only need to configure your
firewall, if enabled.

> The point of this post, and my question, is there any consumer grade
> router available that allows you to manage IPv6 ports on a device
> basis, such as by individual IP or MAC address? There must be,
> otherwise how can devices using IPv6 ever be effectively firewalled?
> If you want to expose only certain services over IPv6 (SSH for
> example) on one device in your network, how do you do this with
> consumer grade routers?

I know that some cable modem routers from Technicolor offer that
possibility. The default is an enabled SPI firewall. You can either
disable it completely or allow certain ports for IPv6 addresses.
The German Fritz devices also support such a firewall.

If you want a secure network, make sure no network services are
running that you don't want.
Additionally, you can use a normal hardware firewall that is fully
configurable.

Marc Haber

Feb 9, 2022, 5:16:40 AM
Mike Mocha <mo...@mailexcite.com> wrote:
>The point of this post, and my question, is there any consumer grade
>router available that allows you to manage IPv6 ports on a device basis,
>such as by individual IP or MAC address?

The AVM Fritzbox can of course do this. It even has a sensible default:
outgoing accepts everything, incoming blocks everything.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Marc Haber

Feb 9, 2022, 5:18:20 AM
Marco Moock <mo...@posteo.de> wrote:
>If you want a secure network, make sure no network services are
>running that you don't want.

Devices that allow you to control that are seldom found. Not even
Windows gives this kind of control. Smart TVs, gaming consoles etc.
don't either.

>Additionally, you can use a normal hardware firewall that is fully
>configurable.

Name one consumer grade "hardware" firewall, please. I bet it does
things in software still.

Mike Scott

Feb 9, 2022, 10:17:12 AM
On 09/02/2022 09:01, Marco Moock wrote:
......
>
> If you want a secure network, make sure no network services are
> running that you don't want.

Not a useful comment. I run various services for LAN use that I'd not
want exposed to the world. You can't just turn off nfs, ssh, ntp, etc;
while some LAN devices like cameras and TV etc can be safely assumed to
be unchangeably insecure.

MH's comment re fritzbox is useful to know (thank you!): I've been wary
about dipping a toe into IPV6 precisely because of the risk of service
exposure. The fritzbox (I have an ISP-supplied one) seems quite a handy
gizmo, albeit poorly documented in places.

> Additionally, you can use a normal hardware firewall that is fully
> configurable.
>


--
Mike Scott
Harlow, England

Marco Moock

Feb 9, 2022, 10:39:27 AM
On Wednesday, 9 February 2022, at 15:17:06, Mike Scott wrote:

> Not a useful comment. I run various services for LAN use that I'd not
> want exposed to the world. You can't just turn off nfs, ssh, ntp,
> etc; while some LAN devices like cameras and TV etc can be safely
> assumed to be unchangeably insecure.

If they don't support ACLs where I can restrict access to my subnet,
I let them listen only on an IPv6 ULA prefix that isn't routed on
the internet.

> MH's comment re fritzbox is useful to know (thank you!): I've been
> wary about dipping a toe into IPV6 precisely because of the risk of
> service exposure. The fritzbox (I have an ISP-supplied one) seems
> quite a handy gizmo, albeit poorly documented in places.

Also, IPv6 with EUI-64 or privacy extension addresses isn't that easy to
guess, so an attacker first needs to find out the address of the device,
and with a /64 net that is quite a lengthy task.

Dan Purgert

Feb 9, 2022, 11:54:58 AM

Mike Mocha wrote:
>
> I noticed something interesting the other day. If you are a typical home
> user with cable or DSL Internet service, and your provider gives you
> native IPv6 addresses and you desire to firewall the devices on your home
> network; since IPv6 is not using NAT, every device behind your router
> gets a unique IP address, so you basically have to either close down all
> IPv6 ports at the main router, OR open all IPv6 ports at the router, and
> then run a software firewall on each device on the network! This is not
> practical or possible on many devices (gaming consoles, smart phones, IoT
> devices, etc).

Proper IPv4 and IPv6 firewalls look nearly identical (IPv6 addresses are
just longer). The only real difference is that because you have to do NAT
with IPv4 in addition to the firewall rules, most routers have a
"simplified" user interface (usually "port forwarding" or something to
that effect). Depending on make/model, you may or may not be able to
set individual NAT/firewall rules.

In either event, the "IPv4 Port Forwarding" UI does two things:

1. Set up a new DNAT rule: destination (WAN_IP, WAN_PORT) gets
translated to (LAN_IP[,LAN_PORT])
2. Set up a new firewall rule: destination (LAN_IP[,LAN_PORT])
ACCEPT


An IPv6 firewall rule merely needs to be setup for
"prefix::abcd:1234,PORT" ACCEPT.

In either event, both firewall inbound chains will (should) look
something like this:

firewall_inbound {
    rule 1 - accept established / related traffic
    rule 2 - drop invalid packets
    rules {3-N} - custom rules ("accept port 80/443 to webserver IP")
    rule 10000 - drop everything else
}




--
|_|O|_| Github: https://github.com/dpurgert
|_|_|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
|O|O|O|
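
The two steps listed above and the inbound chain shape, written out as an added example that is not code from the thread: a POSIX shell script of iptables/ip6tables rules for a dual-stack home router that exposes SSH on one LAN host (the case from the original question) and otherwise keeps the established/related, invalid, explicit-accept, default-drop order. The interface names (ppp0, eth1), the router's public IPv4 and the host's addresses are assumptions taken from the documentation ranges; DRY_RUN=1, the default, prints the commands instead of applying them so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Dual-stack home router rules:
# an IPv4 "port forward" is a DNAT rule plus a FORWARD accept; the IPv6
# equivalent is the FORWARD accept on its own, because nothing is translated.
# Interface names and addresses are assumptions (RFC 5737 / RFC 3849
# documentation ranges).
set -eu

WAN=${WAN:-ppp0}
LAN=${LAN:-eth1}
WAN4=${WAN4:-198.51.100.200}           # router's public IPv4 (assumed)
SSH_HOST4=${SSH_HOST4:-192.0.2.10}     # exposed host's private IPv4 (assumed)
SSH_HOST6=${SSH_HOST6:-2001:db8:1::10} # the same host's global IPv6 (assumed)

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 applies it (needs root).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# The inbound chain shape from the post, for one address family:
# accept established/related, drop invalid, explicit accepts, drop the rest.
base_forward_rules() { # $1 = iptables or ip6tables
    run "$1" -P FORWARD DROP
    run "$1" -F FORWARD
    run "$1" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$1" -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run "$1" -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT # LAN may initiate outbound
}

ipv4_rules() {
    base_forward_rules iptables
    # Outbound masquerading, so the private LAN can reach the Internet at all.
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # "Port forward" step 1: DNAT (WAN4, 22) -> (SSH_HOST4, 22).
    run iptables -t nat -A PREROUTING -i "$WAN" -d "$WAN4" -p tcp --dport 22 \
        -j DNAT --to-destination "$SSH_HOST4:22"
    # "Port forward" step 2: let the translated packet through FORWARD.
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$SSH_HOST4" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
}

ipv6_rules() {
    base_forward_rules ip6tables
    # ICMPv6 errors and echo must be forwarded or PMTU discovery breaks;
    # errors tied to a known flow already pass as RELATED, this covers the rest.
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem echo-request; do
        run ip6tables -A FORWARD -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done
    # No NAT: the only "port forward" is the per-host, per-port accept.
    run ip6tables -A FORWARD -i "$WAN" -o "$LAN" -d "$SSH_HOST6" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
}

apply_rules() {
    ipv4_rules
    ipv6_rules
}

apply_rules
```

Run it as root with DRY_RUN=0 to apply. The router's own INPUT chain is not touched here and needs the same default-drop treatment. The lines to compare are the two iptables commands under "port forward" against the single ip6tables command: with IPv6 the host keeps its own global address, so the only decision the router makes is whether to forward the connection at all.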

Grant Taylor

Feb 9, 2022, 7:56:59 PM
Somebody's got to say it, so it might as well be me.

On 2/9/22 1:16 AM, Mike Mocha wrote:
> since IPv6 is not using NAT

IPv6 NAT works perfectly fine.



--
Grant. . . .
unix || die

Roger Blake

Feb 9, 2022, 11:08:07 PM
On 2022-02-09, Mike Mocha <mo...@mailexcite.com> wrote:
> I noticed something interesting the other day. If you are a typical home
> user with cable or DSL Internet service, and your provider gives you
> native IPv6 addresses and you desire to firewall the devices on your home
> network; since IPv6 is not using NAT, every device behind your router
> gets a unique IP address, so you basically have to either close down all
> IPv6 ports at the main router, OR open all IPv6 ports at the router, and
> then run a software firewall on each device on the network! This is not
> practical or possible on many devices (gaming consoles, smart phones, IoT
> devices, etc).

I have no need for IPV6 and have it disabled on my home network. My own
router behind the ISP's gateway runs DD-WRT and has IPV6 turned off. All
of my computers and any other networked devices where it's configurable
have IPV6 disabled.

--
------------------------------------------------------------------------------
18 Reasons I won't be vaccinated -- https://tinyurl.com/ebty2dx3
Covid vaccines: experimental biology -- https://tinyurl.com/57mncfm5
The fraud of "Climate Change" -- https://RealClimateScience.com
There is no "climate crisis" -- https://climatedepot.com
Don't talk to cops! -- https://DontTalkToCops.com
------------------------------------------------------------------------------

Marco Moock

Feb 10, 2022, 2:27:59 AM
On Wednesday, 9 February 2022, at 17:57:06, Grant Taylor wrote:

> Somebody's got to say it, so it might as well be me.
>
> On 2/9/22 1:16 AM, Mike Mocha wrote:
> > since IPv6 is not using NAT
>
> IPv6 NAT works perfectly fine.

But it is not recommended to use it. It creates additional latency, and
stateful NAT is a relic from IPv4. If you want the "security" feature
of NAT, use an SPI firewall.

Marco Moock

Feb 10, 2022, 2:30:08 AM
On Thursday, 10 February 2022, at 04:08:02, Roger Blake wrote:

> On 2022-02-09, Mike Mocha <mo...@mailexcite.com> wrote:
> > I noticed something interesting the other day. If you are a
> > typical home user with cable or DSL Internet service, and your
> > provider gives you native IPv6 addresses and you desire to firewall
> > the devices on your home network; since IPv6 is not using NAT,
> > every device behind your router gets a unique IP address, so you
> > basically have to either close down all IPv6 ports at the main
> > router, OR open all IPv6 ports at the router, and then run a
> > software firewall on each device on the network! This is not
> > practical or possible on many devices (gaming consoles, smart
> > phones, IoT devices, etc).
>
> I have no need for IPV6 and have it disabled on my home network. My
> own router behind the ISP's gateway runs DD-WRT and has IPV6 turned
> off. All of my computers and any other networked devices where it's
> configurable have IPV6 disabled.

You will need it in future because IPv4 has too few addresses. NAT
is very annoying, and many home-user ISPs don't provide public IPv4
addresses to their customers anymore. They can only use IPv6 to operate
a server. Now IPv4 creates additional costs and needs resources. I
would really like to get rid of IPv4 as soon as possible.

Marc Haber

Feb 10, 2022, 4:08:31 AM
Grant Taylor <gta...@tnetconsulting.net> wrote:
>Somebody's got to say it, so it might as well be me.
>
>On 2/9/22 1:16 AM, Mike Mocha wrote:
>> since IPv6 is not using NAT
>
>IPv6 NAT works perfectly fine.

But you don't need to use it, as long as the network is sane.

Marc Haber

Feb 10, 2022, 4:10:16 AM
Roger Blake <rogb...@iname.invalid> wrote:
>I have no need for IPV6 and have it disabled on my home network. My own
>router behind the ISP's gateway runs DD-WRT and has IPV6 turned off. All
>of my computers and any other networked devices where it's configurable
>have IPV6 disabled.

And you're soooooo proud of that, aren't you?

Grant Taylor

Feb 10, 2022, 12:56:00 PM
On 2/10/22 12:30 AM, Marco Moock wrote:
> You will need it in future because IPv4 has too few addresses.

Probably. But maybe not.

> NAT is very annoying and many home user ISPs don't provide public
> IPv4 addresses to their customers anymore.

NAT is annoying to /some/. Many if not most home users don't
even realize that their router doesn't have a globally routed IP. Most
of those aren't aware that their workstation quite likely doesn't have a
globally routed IP.

NAT, despite its various cons, is simple and reliable enough that it's
the de facto way that the vast majority of the world accesses the Internet.

> They can only use IPv6 to operate a server. Now IPv4 creates additional
> costs and need resources. I really like to get rid of IPv4 as soon
> as possible.

I too would like to see more widespread adoption and embrace of IPv6.
But we've been transitioning from IPv4 to IPv6 for (at least) the /last/
20 years and I bet we will still be transitioning from IPv4 to IPv6 for
(at least) the /next/ 20 years.

We are far from access parity between IPv4 and IPv6. We haven't even
approached the midpoint, much less started the decades-long process for
IPv6 to surpass and outmode IPv4.

I've been advocating for IPv6 for a decade, and do so weekly. But I'm a
pragmatist that realizes that IPv4 is going to be around for the rest of
my career. So, for better or worse -- my money's on worse -- we have
been, are, and will be in a dual protocol network.

Grant Taylor

Feb 10, 2022, 12:59:04 PM
On 2/10/22 12:27 AM, Marco Moock wrote:
> But it is not recommended to use it.

Agreed.

Though a recommendation against something doesn't mean that it doesn't
exist. If anything, the recommendation against something is supporting
that it does exist. }:-)

> It creates additional latency

True.

Though many things create additional latency.

> stateful NAT is a relict from IPv4.

I could argue that TCP is even more of a relic from IPv4.

> If you want the "security" feature of NAT, use an SPI firewall.

NAT can be multiple things. Some of them provide zero security.

A Stateful Packet Inspection firewall is independent of NAT. SPI /does/
provide security.

Grant Taylor

Feb 10, 2022, 1:01:01 PM
On 2/10/22 2:08 AM, Marc Haber wrote:
> But you don't need to use it, as long as the network is sane.

Let's agree to disagree without getting into minutia.

Remember, port forwarding -- which is a thing in IPv6 -- is at its
roots NAT. There are definitely uses for port forwarding in IPv6.

Marco Moock

Feb 10, 2022, 1:49:12 PM
On Thursday, 10 February 2022, at 10:56:07, Grant Taylor wrote:

> NAT is annoying to /some/. Many if not most of the home users don't
> even realize that their router doesn't have a globally routed IP.
> Most of those aren't aware that their workstation quite likely
> doesn't have a globally routed IP.
>
> NAT, despite it's various cons, is simple and reliable enough that
> it's the defacto way that the vast majority of the world accesses the
> Internet.

True, but it destroys the way the internet is designed. You can't run
your own servers at home. This will just support big tech companies and
destroy the original concept of the internet.

Grant Taylor

Feb 10, 2022, 2:13:38 PM
On 2/10/22 11:49 AM, Marco Moock wrote:
> True, but it destroys the way the internet is designed. You can't
> run your own servers at home. This will just support big tech
> companies and destroy the original concept of the internet.

Most people are satisfied with "access to" the Internet. Others want to
"be on" the Internet.

(Nested) NAT is usually sufficient for the former category.

NAT is problematic for the latter category, especially nested NAT.

I'm going to say that there is probably an 80/20 split (if not more like
90/10 or even 95/5) for "access to" vs "be on" the Internet.

There are multiple ways to fulfill "access to". Not all of them use
NAT. Not all of them even require (any version of) IP. Application
layer proxies that use something other than IP between the client and
the proxy are very interesting.

Dan Purgert

Feb 10, 2022, 2:14:38 PM

Grant Taylor wrote:
> NAT can be multiple things. Some of them provide zero security.

I'd argue no implementations of NAT (by themselves) provide any
security.



Dan Purgert

Feb 10, 2022, 2:15:55 PM

Grant Taylor wrote:
> Remember, port forwarding -- which is a thing in IPv6 -- is at it's
> roots NAT. There are definitely uses for port forwarding in IPv6.

Although you need neither port-forwarding nor NAT on v6...



Marco Moock

Feb 10, 2022, 2:39:40 PM
On Thursday, 10 February 2022, at 19:14:32, Dan Purgert wrote:

> I'd argue no implementations of NAT (by themselves) provide any
> security.

Stateful NAT (regardless of whether NAT44 or NAT64) provides implicit
security. It is like an SPI firewall: without a static NAT rule (port
forwarding) you can't access the devices behind the NAT.

Grant Taylor

Feb 10, 2022, 2:44:48 PM
On 2/10/22 12:15 PM, Dan Purgert wrote:
> Although you need neither port-forwarding nor NAT on v6...

Maybe. Maybe not.

It depends on the network topology and other layers of the stack;
layers 8 (politics) and 9 (money) influence this as well.

Grant Taylor

Feb 10, 2022, 2:48:52 PM
On 2/10/22 12:14 PM, Dan Purgert wrote:
> I'd argue no implementations of NAT (by themselves) provide any
> security.

This gets into theological discussions / debates about what NAT is and
is not.

I see no way that Stateless NAT /by/ /itself/ can provide security.
(Save for potentially only applying to specific source & destination IP
pairs. I know you know what I mean here.)

I think that Stateful NAT that dynamically maps between internal and
external IP(s) & port(s) probably provides some inherent security in the
fact that incoming connections will fail if there isn't associated NAT
state data to support the connection.

I'd enjoy such a theological discussion / debate. But I think it's very
much its own independent topic.

Dan Purgert

Feb 10, 2022, 3:25:10 PM

The "Stateful" part of "Stateful NAT" is the firewall sitting
immediately behind DNAT, checking to see if packets have valid states.

No firewall = no security.

"Port forwarding" (as implemented in most, if not all, routers) is just a
"quick and dirty NAT+Firewall rule" shortcut...



Marco Moock

Feb 10, 2022, 3:34:39 PM
On Thursday, 10 February 2022, at 12:44:56, Grant Taylor wrote:

> On 2/10/22 12:15 PM, Dan Purgert wrote:
> > Although you need neither port-forwarding nor NAT on v6...
>
> Maybe. Maybe not.
>
> It depends on the network topology and other layers of the stack;
> layers 8 (politics) and 9 (money) influence this as well.

If you like to have more work (NAT is annoying if using DNS names
inside and outside of the NAT net), then you can set up NAT for IPv6.
I like the easy way that means no NAT at all whenever possible.

Networks are one of the things that last a very long time, so I don't
like nasty stuff like NAT there.

Dan Purgert

Feb 10, 2022, 3:43:12 PM

Grant Taylor wrote:
> On 2/10/22 12:15 PM, Dan Purgert wrote:
>> Although you need neither port-forwarding nor NAT on v6...
>
> Maybe. Maybe not.
>
> It depends on the network topology and other layers of the stack;
> layers 8 (politics) and 9 (money) influence this as well.

To rephrase slightly --

The sheer number of available addresses is such that NAT is not an
inherent requirement of setting up a new IPv6 network that is intended
to communicate with the wider internet.

This is in contrast to an IPv4 network, wherein the vast majority of
devices will be configured for an address contained within RFC1918
space, and will therefore require NAT to communicate to the wider
internet.




Dan Purgert

Feb 10, 2022, 3:48:57 PM

Grant Taylor wrote:
> On 2/10/22 12:14 PM, Dan Purgert wrote:
>> I'd argue no implementations of NAT (by themselves) provide any
>> security.
> [...]
> I think that Stateful NAT that dynamically maps between internal and
> external IP(s) & port(s) probably provides some inherent security in the
> fact that incoming connections will fail if there isn't associated NAT
> state data to support the connection.

I must have a wire crossed somewhere, as I'm fairly certain that it's
more the firewall behind things that keeps unwanted traffic from making
a mess of things, even with conntrack in the mix.




Grant Taylor

Feb 10, 2022, 4:00:54 PM
On 2/10/22 1:34 PM, Marco Moock wrote:
> If you like to have more work (NAT is annoying if using DNS names
> inside and outside of the NAT net), then you can set up NAT for IPv6.

I don't agree that NAT for IPv6 is itself, nor causes, more work. But
we've likely had different use cases.

> I like the easy way that means no NAT at all whenever possible.
>
> Network is one of the things that last very long, so I don't like
> nasty stuff like NAT there.

Fair enough. To each their own.

I personally think that NAT can be ~> is a useful tool. However, the
tool MUST be used appropriately. Any and all tools can be abused in
ways that make life more difficult.

Grant Taylor

Feb 10, 2022, 4:06:12 PM
On 2/10/22 1:43 PM, Dan Purgert wrote:
> To rephrase slightly --

;-)

Clarifying points are a good thing for discussions. :-D

> The sheer number of available addresses is such that NAT is not an
> inherent requirement of setting up a new IPv6 network that is intended
> to communicate with the wider internet.

I absolutely agree.

I have considerably more uses for NAT than /just/ the number of globally
routed IP addresses I have at my disposal.

> This is in contrast to an IPv4 network, wherein the vast majority of
> devices will be configured for an address contained within RFC1918
> space, and will therefore require NAT to communicate to the wider
> internet.

/me chuckles menacingly to himself. RFC 1918. There are a LOT of other
non-globally routed addresses that can be used. Then there are the
globally routed IP addresses that can be stomped on. }:-)

Vincent Coen

Feb 10, 2022, 4:33:45 PM
Hello Grant!

Thursday February 10 2022 17:56, Grant Taylor wrote to All:

> On 2/10/22 12:30 AM, Marco Moock wrote:
>> You will need it in future because IPv4 has too few addresses.


...

> /last/ 20 years and I bet we will still be transitioning from IPv4 to
> IPv6 for (at least) the /next/ 20 years.

> We are far from access parity between IPv4 and IPv6. We haven't even
> approached the midpoint, much less started the decades long process
> for IPv6 to surpass and out mode IPv4.

> I've been advocating for IPv6 for a decade, and do so weekly. But I'm
> a pragmatist that realizes that IPv4 is going to be around for the
> rest of my career. So, for better or worse -- my money's on worse --
> we have been, are, and will be in a dual protocol network.



You have to be using an ISP that has it implemented, and my last two do not.

Plusnet
Virgin Media


Vincent


Grant Taylor

Feb 10, 2022, 4:45:41 PM
On 2/10/22 1:25 PM, Dan Purgert wrote:
> The "Stateful" part of "Stateful NAT" is the firewall sitting
> immediately behind DNAT, checking to see if packets have valid states.
>
> No firewall = no security.

I disagree.

To me, Stateful Packet Inspection and NAT State are two different
things. Especially considering that iptables uses two different
configurations for SPI and NAT.

Admittedly, the two features may share quite similar dependencies.

When I think of Stateful NAT / Masquerading in Linux, I think of a
connection table that is populated as packets egress through the router.
Said entries contain (at least) the incoming source & destination IP &
port pair and the outgoing source & destination IP & port pair. Wherein
one or more of the source / destination IP and / or port is modified.

So when 192.0.2.3/24 sends a connection to 203.0.113.234, the following
entry is created as the packet is NATed on its way out.

1) Client sends and router receives: 192.0.2.3:45678 / 203.0.113.234

2) Router creates the following NAT state entry.

IS 192.0.2.3:45678
ID 203.0.113.234:443
OS 198.51.100.200:12345
OD 203.0.113.234:443

{Inside,Outside}{Source,Destination}

3) Router translates the packet and routes it - sends:
198.51.100.200:12345 / 203.0.113.234:443

4) Server receives 198.51.100.200:12345 / 203.0.113.234:443.
5) Server does its thing.
6) Server sends 203.0.113.234:443 / 198.51.100.200:12345
7) Router receives 203.0.113.234:443 / 198.51.100.200:12345
8) Router finds a matching NAT state entry.
9) Router translates the packet and routes it - sends:
203.0.113.234:443 / 192.0.2.3:45678
A) Client receives 203.0.113.234:443 / 192.0.2.3:45678

Any traffic coming into 198.51.100.200 that doesn't have an associated
NAT state entry is simply routed to processes running on the router's
local TCP/IP stack.

As such, the lack of NAT state entries means that the packet goes to the
router, where the port is likely closed. Thus the connection inherently
stops because there is no place for it to go.

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

or

iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source 198.51.100.200

No additional rule(s) are needed to allow NATed traffic to flow.
(Presuming that there aren't other rules prohibiting it.)

Conversely, Stateful Packet Inspection tracks the state of connections
and /explicitly/ takes action based on the connection state.

SPI uses similar connection state information, but for a different
purpose. It is also interfaced with a different way.

iptables -t filter -A INPUT -i ppp0 -m state --state ESTABLISHED -j ACCEPT

SPI will depend on other rule(s) or built in chain default policy to
block traffic.

Both NAT / Masquerade and SPI work equally well with any combination of
non-globally routed and globally routed IPs.

But, importantly, pure NAT / Masquerade will function without any other
firewall rules / configuration while blocking connections that aren't in
the NAT state table.

Does NAT behave similarly to SPI? Yes. Is NAT dependent on SPI? No.

There was a time -- back in early 2.4 kernels -- when you could have NAT
/ Masquerade support in the kernel without SPI support in the kernel.
Or vice versa, SPI support in the kernel without NAT / Masquerade
support in the kernel.

NAT / Masquerade and SPI are really two completely different things in
the Linux kernel.

> "Port forwarding" (as implemented in most,if not all routers) is just a
> "quick and dirty NAT+Firewall rule" shortcut...

Now we delve into what is "port forwarding".

On one level, "port forwarding" is simply a (Destination) NAT rule.
There is no inherent /requirement/ for any other rules to do DNAT.
However, there are /usually/ other firewall rules that would match and
block the DNATed traffic. As such, there needs to be a rule to allow
the DNATed traffic through the firewall (nominally the FORWARD chain in
the filter table).

It's entirely possible to DNAT traffic as it passes through a router
wherein the firewall wouldn't block it. E.g. you allow traffic from the
world (0/0) to your DMZ hosts (198.51.100.0/24). You implement a DNAT
rule to alter traffic to your old web server's IP address to go to the
new web server's IP address.

# iptables -t nat -A PREROUTING -d 198.51.100.200 -j DNAT --to-destination 198.51.100.100

Finally, NATing / Masquerading really translates source and/or
destination IP and/or port /before/ the Linux kernel uses traditional
/routing/ to handle the packet. Hence why you do DNATing in the
nat:PREROUTING chain and SNATing in the nat:POSTROUTING chain.
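
A check for the configuration argued about above, as an added example that is not code from the thread: a POSIX shell audit of an iptables-save dump that flags a router translating addresses (MASQUERADE, SNAT or DNAT in the nat table) while the filter table's FORWARD chain accepts by default. That is the setup described above as blocking unsolicited connections on its own and, in the reply, as forwarding whatever the router has a route for; the audit reports it as weak because, with FORWARD accepting, a packet for an inside address that the router can route is forwarded whether or not a NAT state entry exists, so the protection rests on the absence of a route rather than on a rule. The two dumps are constructed samples and the interface names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Audit an iptables-save dump for
# "NAT present, but no stateful FORWARD chain". Masquerading only stops
# packets that have nowhere to go; a packet for an inside address that the
# router can route is forwarded unless the filter table's FORWARD chain
# drops it. Both dumps below are constructed samples.
set -eu

# NAT-only router: MASQUERADE on the WAN side, FORWARD policy ACCEPT, no state check.
NAT_ONLY='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Same NAT, with a stateful FORWARD chain and a DROP policy behind it.
WITH_SPI='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o ppp0 -j ACCEPT
COMMIT'

# Print the lines of one table from a dump: from "*<name>" up to its COMMIT.
table_lines() { # $1 = dump text, $2 = table name
    printf '%s\n' "$1" | awk -v t="*$2" '$0 == t { on = 1; next } /^COMMIT/ { on = 0 } on'
}

# Exit status 0 = weak (NAT without a default-drop FORWARD chain),
# 1 = fine, or nothing to audit. Prints a one-line verdict.
audit_nat_without_spi() { # $1 = dump text
    nat=$(table_lines "$1" nat)
    filter=$(table_lines "$1" filter)
    if ! printf '%s\n' "$nat" | grep -Eq -- '-j (MASQUERADE|SNAT|DNAT)'; then
        echo "no NAT rules: nothing to audit"
        return 1
    fi
    policy=$(printf '%s\n' "$filter" | awk '$1 == ":FORWARD" { print $2 }')
    has_state=$(printf '%s\n' "$filter" | grep -Ec -- '^-A FORWARD .*--(ctstate|state) [A-Z,]*(ESTABLISHED|RELATED)' || true)
    terminal_drop=$(printf '%s\n' "$filter" | grep -Ec -- '^-A FORWARD (.* )?-j (DROP|REJECT)' || true)
    if [ "$policy" = DROP ] || [ "$terminal_drop" -gt 0 ]; then
        echo "ok: forwarded traffic is dropped by default ($has_state state rule(s))"
        return 1
    fi
    echo "WEAK: NAT present, FORWARD policy ${policy:-unset}, no terminal drop: unsolicited packets the router can route are forwarded"
    return 0
}

audit_nat_without_spi "$NAT_ONLY" || true
audit_nat_without_spi "$WITH_SPI" || true
```

To audit a live router: dump=$(iptables-save); audit_nat_without_spi "$dump". The same function works on ip6tables-save output, where a nat table is normally absent and the check reduces to "nothing to audit", which for IPv6 is the point: there the FORWARD chain is the only thing standing between the Internet and the host.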

Grant Taylor

Feb 10, 2022, 4:46:38 PM
On 2/10/22 1:48 PM, Dan Purgert wrote:
> I must have a wire crossed somewhere, as I'm fairly certain that
> it's more the firewall behind things that keeps unwanted traffic from
> making a mess of things, even with conntrack in the mix.

Nope.

See the my reply to your other comment for a much more detailed explanation.

Grant Taylor

Feb 10, 2022, 4:48:21 PM
On 2/10/22 2:33 PM, Vincent Coen wrote:
> You have to be using a ISP that has it implemented and my last two do not.

Having (native) IPv6 from an ISP is really helpful. But it's not
strictly /required/.

My current ISP doesn't support IPv6. Yet I use IPv6 every single day.

You can do what I do and get an IPv6 in IPv4 tunnel from someone like
Hurricane Electric.

Dan Purgert

Feb 10, 2022, 4:54:39 PM

Grant Taylor wrote:
> On 2/10/22 1:43 PM, Dan Purgert wrote:
>> [...]
>> This is in contrast to an IPv4 network, wherein the vast majority of
>> devices will be configured for an address contained within RFC1918
>> space, and will therefore require NAT to communicate to the wider
>> internet.
>
> /me chuckles menacingly to himself. RFC 1918. There are a LOT of other
> non-globally routed addresses that can be used. Then there are the
> globally routed IP addresses that can be stomped on. }:-)

Sure, but you understand the point I'm making with the ipv4 'private'
networks here.



Dan Purgert

Feb 10, 2022, 5:24:13 PM

Grant Taylor wrote:
> On 2/10/22 1:25 PM, Dan Purgert wrote:
>> The "Stateful" part of "Stateful NAT" is the firewall sitting
>> immediately behind DNAT, checking to see if packets have valid states.
>>
>> No firewall = no security.
>
> I disagree.
>
> To me, Stateful Packet Inspection and NAT State are two different
> things. Especially considering that iptables uses two different
> configurations for SPI and NAT. [...]

Yes, but an unsolicited packet that doesn't trigger NAT rules can (and
in many cases will) still be forwarded by the router. Granted, this
isn't likely to happen across the internet[1]; but say between two local
subnets that one is subject to NAT before going upstream (e.g. that
dirty hack I've had to do on occasion because some vendor-supplied
appliance will only ever work as 10.1.1.2, and oh no, you can't change
its IP, what do you mean you'd ever not use 10.1.1.0/8 on your office
LAN ... or ever want to use TWO of these in the same facility?!)

I think it's more a case of we're looking at the same coin from two
different sides (and I wholly agree with the direction you presented in
the bits I snipped).

[1] I'm only refraining from saying it's impossible across the internet,
lest someone come back with contrary examples ;)

>> "Port forwarding" (as implemented in most,if not all routers) is just a
>> "quick and dirty NAT+Firewall rule" shortcut...
>
> Now we delve into what is "port forwarding". [...]

Maybe the conversation diverged somewhere, and I hadn't noticed -- I was
under the impression that the phrase "port forwarding" was being used
strictly in the context of general consumer "whole-home-gateway" devices
(either supplied by one's ISP or picked up from AMZN/BestBuy/etc); so
literally the "simplistic" interface that consumers are expecting to

(1) Insert any necessary DNAT (and potentially PAT) rule AND
(2) Insert the corresponding firewall rule in the INPUT chain

Rather than the general sense of the phrase you are presenting in the
bit I snipped out.



Vincent Coen

Feb 10, 2022, 8:23:10 PM
Hello Grant!
Dumb nut question 1 - So what does it do for a system that only has an IPv4
address from the ISP?

Reason for asking is I run a BBS and some of my downlinks have a v6 address
along with a v4 and when the v4 cannot connect my system has a quick look
at v6 says protocol not supported and gives up on that poll.



Vincent


meff

Feb 10, 2022, 11:07:57 PM
There's a bunch of new overlay networks out there these days that can
help you "be on" the internet, as such. ZeroTier, TailScale, and
Wireguard (which underpins TailScale) are some of these overlay
networks. For a long time I used to hand out IPv6 addresses on one of
these overlays until I finally switched to an ISP with native
IPv6. I've just (personally) had it with crappy CGNAT getting in the
way of communication.

Marco Moock

Feb 11, 2022, 3:35:27 AM
On Friday, 11 February 2022, at 01:20:08, Vincent Coen wrote:

> Thursday February 10 2022 21:48, Grant Taylor wrote to All:
> > like Hurricane Electric.
>
> Dumb nut question 1 - So what does it do for a system that only has an
> IPv4 address from the ISP?

It uses Protocol 41. It tunnels all the IPv6 packages via IPv4 to the
tunnel endpoint at Hurricane electric.

The IPv6 packages are simply inside of the IPv4 packages. At the tunnel
endpoint they will be extracted and are normal IPv6 packages.
I also use that service from HE, works fine.

Marco Moock

Feb 11, 2022, 3:41:24 AM
On Friday, 11 February 2022, at 07:28:05, Mike Mocha wrote:

> Thanks for all the responses! Something that still is not making
> sense to me, if for example we have a home network that contains many
> different IPv6 devices connected, how do we control what ports get
> exposed on each device?

The concept of the internet (IPv4 and IPv6) is that every device has a
unique address that is reachable from any other node. NAT and all that
crap are just temporary solutions for keeping IPv4 alive. We should
switch to IPv6 ASAP.

> That is the primary question I was trying to ask. For example, on
> one of my daily use Linux machines I have many different services
> running, and as soon as I open the IPv6 firewall on my ISPs router,
> it means that all of those services are open to the world!

True.

> I don't want that!
Then don't let those services listen on your public IPv6 address. For
that purpose you can use an IPv6 ULA prefix that is not routed in the
internet.

> I can setup iptables on this box, but what about all the
> other IPv6 devices on my network?

I recommend getting rid of devices you can't control. Do you have the
control or the manufacturer?
Think about this.

> Random IoT devices, webcams, game consoles or whatever, I have no
> idea what services they are running, and I'm worried that if someone
> could get on one of those devices then they could eventually make
> their way into my Linux box.

Use nmap from other devices to check if they respond on any UDP or TCP
port. If so, switch these services off or configure them properly.

Randomly finding them with their IPv6 address is also a PITA.
Mostly you have a /64 net and they either use EUI64 with their MAC
address or privacy extensions with a randomly generated host identifier
(also 64 bits).
Randomly finding such an address happens very seldom.
If you want security here run an SPI firewall and only allow traffic
from outside for specific ports (but allow ICMP all the time for Path
MTU discovery).

meff

Feb 11, 2022, 5:28:19 AM
On 2022-02-11, Mike Mocha <mo...@mailexcite.com> wrote:
> That is the primary question I was trying to ask. For example, on one of
> my daily use Linux machines I have many different services running, and
> as soon as I open the IPv6 firewall on my ISPs router, it means that all
> of those services are open to the world! I don't want that! I can setup
> iptables on this box, but what about all the other IPv6 devices on my
> network? Random IoT devices, webcams, game consoles or whatever, I have
> no idea what services they are running, and I'm worried that if someone
> could get on one of those devices then they could eventually make their
> way into my Linux box.

You'll want to setup a Stateful (SPI) Firewall. Here's [1] some
example steps on how from the Arch wiki, but should be pretty
generalizable to other distros.

[1]: https://wiki.archlinux.org/title/simple_stateful_firewall

Dan Purgert

Feb 11, 2022, 5:56:44 AM

Mike Mocha wrote:
> Thanks for all the responses! Something that still is not making sense
> to me, if for example we have a home network that contains many different
> IPv6 devices connected, how do we control what ports get exposed on each
> device?

Your edge firewall. The rule would be constructed as

1. Destination IP -> host:addr::what:ever
2. Destination Port(s) -> Port(s)


> as soon as I open the IPv6 firewall on my ISPs router, it means that all
> of those services are open to the world! I don't want that! [...]

If the screen you're using only allows "open everything", that sounds
more like a DMZ configuration panel than something for setting firewall
ACLs.



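Pulling together Marco's advice above (run an SPI firewall, open only specific inbound ports, always let ICMPv6 through for Path MTU discovery), meff's pointer to a stateful firewall, and Dan's description of a consumer "port forward" as a DNAT entry plus a matching accept rule, here is an added Python model of the edge firewall's decision logic. It is not code from any poster or from any router vendor; the EdgeFirewall class, its method names and the log format are my own, all addresses are constructed documentation prefixes (2001:db8::/32, 192.0.2.0/24, 198.51.100.0/24 and an RFC 1918 LAN), and to_nft() renders the IPv6 part of the policy in nftables syntax so it can be compared with a real ruleset.

```python
"""Toy model of the stateful (SPI) edge firewall discussed in this thread.
Added illustration; not code from any poster. Addresses are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str            # source address (IPv4 or IPv6, as a string)
    dst: str            # destination address
    proto: str          # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0


@dataclass
class EdgeFirewall:
    # Dan's rule shape: (destination address, destination port, protocol)
    allow_in: set = field(default_factory=set)
    # IPv4 "port forwarding": (public port, proto) -> (inside RFC 1918 addr, port)
    dnat: dict = field(default_factory=dict)
    # connection-tracking table keyed by the 5-tuple as seen from the LAN side
    conntrack: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def allow(self, dst: str, port: int, proto: str = "tcp") -> None:
        """Per-device, per-port exception to the default-drop policy."""
        self.allow_in.add((dst, port, proto))

    def port_forward(self, public_port: int, inside: str, inside_port: int,
                     proto: str = "tcp") -> None:
        """One consumer-router 'port forward' = DNAT entry + accept rule."""
        self.dnat[(public_port, proto)] = (inside, inside_port)
        self.allow(inside, inside_port, proto)

    def outbound(self, pkt: Packet) -> None:
        """Traffic leaving the LAN creates state so that replies are accepted."""
        self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))

    def inbound(self, pkt: Packet) -> str:
        """Verdict for a packet arriving from outside: 'accept' or 'drop'."""
        # IPv4 port forward: rewrite the destination first (DNAT), then filter
        if (pkt.dport, pkt.proto) in self.dnat:
            inside, iport = self.dnat[(pkt.dport, pkt.proto)]
            pkt = Packet(pkt.src, inside, pkt.proto, pkt.sport, iport)
        # ct state established,related: reply to a flow the LAN started
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.conntrack:
            return self._log(pkt, "accept", "established")
        # ICMPv6 always passes, otherwise PMTU discovery (and ND) break
        if pkt.proto == "icmpv6":
            return self._log(pkt, "accept", "icmpv6")
        if (pkt.dst, pkt.dport, pkt.proto) in self.allow_in:
            return self._log(pkt, "accept", "allowlisted")
        return self._log(pkt, "drop", "default policy")

    def _log(self, pkt: Packet, verdict: str, reason: str) -> str:
        self.log.append(f"{verdict} {pkt.proto} {pkt.src}:{pkt.sport} -> "
                        f"{pkt.dst}:{pkt.dport} ({reason})")
        return verdict

    def to_nft(self) -> str:
        """Render the IPv6 part of this policy as an nftables forward chain."""
        lines = ["table inet filter {", "  chain forward {",
                 "    type filter hook forward priority 0; policy drop;",
                 "    ct state established,related accept",
                 "    ct state invalid drop",
                 "    meta l4proto icmpv6 accept"]
        for dst, port, proto in sorted(self.allow_in):
            if ":" in dst:  # IPv6 only; IPv4 forwards also need a nat table
                lines.append(f"    ip6 daddr {dst} {proto} dport {port} accept")
        lines += ["  }", "}"]
        return "\n".join(lines)


if __name__ == "__main__":
    fw = EdgeFirewall()
    fw.allow("2001:db8:1::10", 22)               # SSH to one Linux box only
    fw.port_forward(8080, "192.168.1.20", 80)    # IPv4-style forward for comparison
    fw.inbound(Packet("2001:db8:ffff::1", "2001:db8:1::10", "tcp", 40000, 22))
    fw.inbound(Packet("2001:db8:ffff::1", "2001:db8:1::11", "tcp", 40000, 22))
    fw.inbound(Packet("2001:db8:ffff::1", "2001:db8:1::10", "icmpv6"))
    print("\n".join(fw.log))
    print(fw.to_nft())
```

The point the model makes is that IPv6 does not remove the per-device control: the accept rule is keyed on the device's own address and port, exactly as Dan states, while everything else is dropped unless it is a reply to a flow the LAN started. The IPv4 path differs only in the extra DNAT step before the same filter decision.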

Marc Haber

Feb 11, 2022, 8:22:18 AM
Grant Taylor <gta...@tnetconsulting.net> wrote:
>On 2/10/22 1:34 PM, Marco Moock wrote:
>> If you like to have more work (NAT is annoying if using DNS names
>> inside and outside of the NAT net), then you can set up NAT for IPv6.
>
>I don't agree that NAT for IPv6 is itself, nor causes, more work. But
>we've likely had different use cases.

I agree with Marco. Probably you have become so intimate with NAT and
the other crutches we need to keep v4 alive that you're dearly missing
them when they're not needed. Such people do exist.

>I personally think that NAT can be ~> is a useful tool.

For v4, yes. IPv6 was carefully crafted not to need it.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Marc Haber

Feb 11, 2022, 8:22:43 AM
Grant Taylor <gta...@tnetconsulting.net> wrote:
>There are a LOT of other
>non-globally routed addresses that can be used.

Which ones, for example?

Marco Moock

Feb 11, 2022, 8:34:52 AM
On Friday, 11 February 2022, at 14:22:38, Marc Haber wrote:

> Grant Taylor <gta...@tnetconsulting.net> wrote:
> >There are a LOT of other
> >non-globally routed addresses that can be used.
>
> Which ones, for example?

IPv6 ULA
IPv6 site-local (but deprecated)
IPv6 link-local (no routing at all)
IPv4 link-local (used for APIPA, no routing, 169.254.0.0/16)

All not intended for connecting to other sites, only for internal stuff.

Grant Taylor

Feb 11, 2022, 1:27:17 PM
On 2/11/22 6:22 AM, Marc Haber wrote:
> Probably you have become so intimate with NAT and the other crutches
> we need to keep v4 alive that you're dearly missing them when they're
> not needed.

I don't think so.

> For v4, yes. IPv6 was carefully crafted not to need it.

The thing that IPv6 has over IPv4 is the number of IP addresses. But
/utilizing/ those IP addresses brings inherent problems, not the least
of which is additional routing burden.

Consider the use case of what I call the "Customer Interface Router".

Picture any business wherein each location is locally owned while having
some loose affiliation with a corporate entity with different owners. A
very good example is car dealerships affiliated with a major brand or
service company. Wherein each individual location administers their
network with complete autonomy and corporate administers its network
with complete autonomy. With that large topology in mind, consider the
potential, nay likely, complications with needing to establish
bi-directional communications between every single location and the
corporate entity such that systems at corporate can print to the
networked printer in the parts department. The C.I.R. functions as an
integration between each individual location and corporate.

NAT makes this trivial to do. Corporate sends traffic to the C.I.R.
which translates what's necessary for each individual site's local
network. Similarly each local site sends traffic to the C.I.R. which
translates what's necessary to interface with corporate.

Corporate doesn't have to worry about (de)conflicting subnets across
multiple sites. Local stores don't need to worry about (de)conflicting
subnets with corporate, much less other stores. Neither corporate nor
local stores need to propagate route information for each other's networks.

Corporate sends traffic to 192.0.<site #>.<printer #> to print orders in
the parts department. The local manager connects to 198.51.100.<server
#> to access corporate's vehicle inventory system.

The NAT on the C.I.R. acts as an abstraction layer allowing each side to
operate with almost complete autonomy from each other. I say almost
because nominally each side can't have the /same/ subnet. However, even
that can be accommodated by using two C.I.R.s back to back to do double
translation.

I have written this email using IPv4 addresses because they are simpler
/ shorter to type (and more muscle memory). But the exact same concept
applies to IPv6 as it does to IPv4.

The underlying issue is only compounded if you try to add another entity
to this scenario, say an external financing company or insurance
company. Each additional entity that needs to be integrated adds
complexity to /routed/ IP addresses at an exponential rate. Conversely
NATing C.I.R.s scale linearly.

The Customer Interface Router is only one scenario. I've run into other
more exotic scenarios wherein I needed (as in didn't have a choice) to
have the same subnet in two different locations that couldn't actually
share the subnet (TL;DR: D.R. environment replicating part of corporate)
where each saw the other side as different subnets so that they could
have routed communications. Linux's net-map IPTables target (prefix
translation) made this ... possible. Backups of servers from one side
could be restored on the other side without readdressing or any other
changes and they could still communicate with what they needed to
communicate with.

Aside: I'd say the IP part was trivial, but the other parts of the
stack were anything but trivial.

So ... Network Address Translation is a /valuable/ tool to have in the
tool box and it has far more uses than what most people think of. Just
because the most common use is to allow private IPv4 addresses to share
a single public IPv4 address doesn't mean that it's the /only/ use.

To directly reply to your opening comment:

> Probably you have become so intimate with NAT and the other crutches
> we need to keep v4 alive that you're dearly missing them when they're
> not needed.

Nope. NAT actually *SIGNIFICANTLY* simplifies many of the different
networks that I've helped administer over the last 20 years. The C.I.R.
is one of the simpler examples. Getting Microsoft's Active Directory
Domain Controllers to be happy thinking that each is in the same subnet
when they are not, for DR purposes, is another use case for NAT (prefix
translation). These are things that can't easily be done with actual
routed IP addresses, irrespective of if they are IPv4 or IPv6.

Aside: The reason for the DR configuration was so that there could be a
production Active Directory Domain Controller in the D.R. environment
that was always online and replicating with the production corporate
network. The D.R. side /needed/ to have the same IP addresses as the
production side so that production (member) servers could be restored
without modification and /just/ /work/. But the D.R. and production
networks couldn't be connected as a L2 environment for many reasons.
Not the least of which is that production had to be online at the same
time various D.R. tests were happening. The simplest solution was to
let each side think that it was the network it was configured for and to
lie to it about what the other side's network was. Thus each side would
send traffic to the other side's fake IP address, NAT would happen in
the middle to actually establish the communications. It worked
wonderfully well.

Further Aside: I challenge you to explain to me how routed addresses,
IPv4 or IPv6, can work as well as NAT does in either the C.I.R. or D.R.
environment.

Grant Taylor

Feb 11, 2022, 1:29:19 PM
On 2/11/22 6:22 AM, Marc Haber wrote:
> Which ones, for example?

Pick any U.S. DoD prefix for starters. }:-)

Or any other entity that you know that you're not going to communicate with.

In many ways, the world is your oyster.

ProTip: IP addresses / network prefixes are /locally/ /significant/.
-- Once you truly grok anycast and how it works, you can get *REALLY*
creative.

Grant Taylor

Feb 11, 2022, 1:35:25 PM
On 2/11/22 6:34 AM, Marco Moock wrote:
> IPv4 link-local (used for APIPA, no routing, 169.254.0.0/16)

"You mustn't be afraid to dream a little bigger, darling." - Inception.

https://www.youtube.com/watch?v=WcGbnX8Ay38

> All not intended for connecting to other sites, only for internal stuff.

Sadly, IPv6 site-local doesn't work for accessing the IPv6 internet,
despite IPv6 NAT /because/ clients won't choose them for globally routed
destinations.

You /can/ route IPv6 link-local if you get creative. }:-)

Marco Moock

Feb 11, 2022, 1:39:21 PM
On Friday, 11 February 2022, at 11:35:33, Grant Taylor wrote:

> Sadly, IPv6 site-local doesn't work for accessing the IPv6 internet,
> despite IPv6 NAT /because/ clients won't choose them for globally
> routed destinations.

This is the right decision and was also intended for RFC 1918 addresses.

> You /can/ route IPv6 link-local if you get creative. }:-)

It is against the protocol to do so. You can change the software, but
then it doesn't follow the RFC's rules.

Grant Taylor

Feb 11, 2022, 1:45:49 PM
On 2/10/22 6:20 PM, Vincent Coen wrote:
> Dumb nut question 1 - So what does it do for a system that only has
> an IPv4 address from the ISP?

It provides IPv6 address(es) from the tunnel provider.

Think along the lines of a VPN. You get IPv6 inside the tunnel for your
use while the tunnel itself uses only IPv4 on the outside.

From a simplistic viewpoint your system thinks that it has two
Internet connections, one of which only provides IPv4 addresses and the
other only provides IPv6 addresses.

I say simplistic because there are a lot of different ways that you can
configure things, some of which have (logical) interfaces, others do not.

> Reason for asking is I run a BBS and some of my downlinks have a v6
> address along with a v4 and when the v4 cannot connect my system has a
> quick look at v6 says protocol not supported and gives up on that poll.

I'm not quite tracking what downlinks means in this case. I'm assuming
that it's down in a FTN network topology perspective. Thus from an IP
network topology perspective, they are simply peers. If your system
can't connect to an IPv4 peer for some reason and you don't have IPv6,
then you actually can't connect (at that time).

Marco Moock

Feb 11, 2022, 2:03:11 PM
On Friday, 11 February 2022, at 11:45:56, Grant Taylor wrote:

> Think along the lines of a VPN. You get IPv6 inside the tunnel for
> your use while the tunnel itself uses only IPv4 on the outside.

One advantage over VPN is that it only has the IPv4 header as
additional overhead. Also no auth is supported, the tunnel endpoint at
the customer side is detected only by the IPv4 address.
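To make the tunnel mechanics concrete, here is an added Python illustration of what protocol 41 does on the wire, covering both Marco's earlier description (the IPv6 packet travels inside an IPv4 packet and is extracted at the tunnel endpoint) and the two properties above: the only added overhead is the 20-byte IPv4 header, and the only "authentication" is the outer IPv4 source address matching the configured peer. This is not code from Hurricane Electric or from anyone in this thread; the function names are my own and every address is a constructed documentation address (RFC 3849 for IPv6, RFC 5737 for IPv4).

```python
"""6in4 (IP protocol 41) encapsulation and decapsulation.
Added illustration; not code from any tunnel broker or poster."""
import ipaddress
import struct

IPPROTO_IPV6 = 41      # IANA protocol number for "IPv6 in IPv4"
IPV4_HDR_LEN = 20      # fixed IPv4 header without options
NO_NEXT_HEADER = 59    # IPv6 next-header value meaning "nothing follows"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791).
    Over a header whose checksum field is already filled in, returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6_packet(src: str, dst: str, payload: bytes,
                      next_header: int = NO_NEXT_HEADER) -> bytes:
    """Minimal IPv6 header (RFC 8200): version 6, payload length, hop limit 64."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def encapsulate(ipv6_packet: bytes, outer_src: str, outer_dst: str,
                ttl: int = 64) -> bytes:
    """Customer side: prefix a complete IPv6 packet with an IPv4 header, proto 41."""
    total_len = IPV4_HDR_LEN + len(ipv6_packet)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0, 0x4000, ttl, IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    csum = ipv4_checksum(hdr)
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]   # fill in checksum field
    return hdr + ipv6_packet


def decapsulate(frame: bytes, expected_peer: str) -> bytes:
    """Tunnel-endpoint side: validate the outer header and return the inner IPv6
    packet. The peer check on the outer IPv4 source is all the 'auth' there is."""
    if len(frame) < IPV4_HDR_LEN or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    if ipv4_checksum(frame[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if frame[9] != IPPROTO_IPV6:
        raise ValueError(f"not protocol 41 (got {frame[9]})")
    src = str(ipaddress.IPv4Address(frame[12:16]))
    if src != expected_peer:
        raise ValueError(f"outer source {src} is not the configured tunnel peer")
    inner = frame[ihl:]
    if not inner or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return inner


def overhead_bytes(frame: bytes, inner: bytes) -> int:
    """Bytes the tunnel adds on the wire: just the outer IPv4 header."""
    return len(frame) - len(inner)


if __name__ == "__main__":
    pkt = build_ipv6_packet("2001:db8::1", "2001:db8::2", b"hello")
    frame = encapsulate(pkt, "192.0.2.10", "198.51.100.1")
    print(f"inner {len(pkt)} bytes, outer {len(frame)} bytes, "
          f"overhead {overhead_bytes(frame, pkt)} bytes")
    print("round trip ok:", decapsulate(frame, "192.0.2.10") == pkt)
```

The decapsulation check is deliberately the weak point to notice: anything able to put the customer's IPv4 address in the outer source field is accepted, which is why Grant's next reply brings up IPsec AH as a way to give protocol 41 real authentication.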

Grant Taylor

Feb 11, 2022, 2:06:18 PM
On 2/11/22 11:39 AM, Marco Moock wrote:
> This is the right decision ...
Probably. I still have /some/ /minor/ qualms with it.

> was also intended for RF1918 addresses.

I disagree.

RFC 1918 IP addresses were intended for (re)use by multiple networks.
Auspiciously networks that would never have direct IP connectivity to
other outside IP networks.

However I'm not aware of any RFCs that state that RFC 1918 (or other
non-globally routed IPs) should /not/ be used for non local network
communications.

Site to site and business to business VPNs wherein each site / business
uses RFC 1918 IP addresses are prime examples of where RFC 1918 IPs are
used for non-local communications.

And the elephant in the room is all the RFC 1918 IP addresses that are
being used to access the Internet via NAT.

Conversely, there are codified rules that indicate that IPv6 site-local
IP addresses SHOULD NOT be used to communicate with external entities.

> It is against the protocol to do so.

Are you sure?

What about the /protocol/ changes, other than the value used for the end
point addresses?

The only thing that cares is an arbitrary filter that exists in some
software stacks to smack you on the hand.

The underlying IPv4 /protocol/ doesn't care.

> You can change the software, but then it doesn't follow the RFC's
> rules.

What if the RFCs change such that a new RFC conflicts with an old RFC?
Which one is wrong? Which one is correct? E.g. the ongoing effort to
make part of 127/8 be globally routed.

Or what about older RFCs that did not treat 100.64/10 as shared in a
similar way as RFC 1918?

The actual addresses don't matter to the software stack, save for the
possibility of arbitrary filters.

It's by /convention/ that we agree on how we will use some things.

Site to site / business to business VPNs using non-conflicting RFC 1918
on either side is a perfect example of this.

There is a *HUGE* difference in what the /technology/ supports as
opposed to what usage /conventions/ approve of.

Grant Taylor

Feb 11, 2022, 2:14:07 PM
On 2/11/22 12:03 PM, Marco Moock wrote:
> Also no auth is supported, the tunnel endpoint at the customer side
> is detected only by the IPv4 address.

It is highly dependent on what type of tunnel is used.

IP protocol 41 (a.k.a. SIT?) may have the properties that you say.

But other types of tunnels, including full blown encrypting VPNs can
provide the same IPv6 in IPv4 connectivity.

Then there's devious behavior in using IP protocol 41 in IPsec Transport
Mode only with Authentication Header (no Encapsulating Security
Payload). That provides quite strong authentication for IP protocol 41.
}:-) It also doesn't incur the encryption / decryption processing
overhead.

Roger Blake

Feb 11, 2022, 7:33:49 PM
On 2022-02-10, Marco Moock <mo...@posteo.de> wrote:
> You will need that in future because IPv4 has too few addresses. NAT
> is very annoying and many home user ISPs don't provide public IPv4
> addresses to their customers anymore. They can only use IPv6 to operate
> a server. Now IPv4 creates additional costs and need resources. I
> really like to get rid of IPv4 as soon as possible.

I've been hearing that song and dance for the last 20 years. Sorry
to disappoint you but I doubt IPV4 will be going away any time soon.

--
------------------------------------------------------------------------------
18 Reasons I won't be vaccinated -- https://tinyurl.com/ebty2dx3
Covid vaccines: experimental biology -- https://tinyurl.com/57mncfm5
The fraud of "Climate Change" -- https://RealClimateScience.com
There is no "climate crisis" -- https://climatedepot.com
Don't talk to cops! -- https://DontTalkToCops.com
------------------------------------------------------------------------------

Roger Blake

Feb 11, 2022, 7:36:41 PM
On 2022-02-10, Marc Haber <mh+usene...@zugschl.us> wrote:
> And you're soooooo proud of that, aren't you?

Yes, as a matter of fact I am. I've been working with what is now known as
IPV4 for nearly 40 years and have no desire to learn a new protocol. It's
not likely that IPV4 will be going away in my lifetime.

Roger Blake

Feb 11, 2022, 7:38:34 PM
On 2022-02-11, Marco Moock <mo...@posteo.de> wrote:
> ... We should
> switch to IPv6 ASAP.

I'm not making that switch. I doubt it will happen en masse any time
soon, probably not within my lifetime. (Or if it does I'll be too
old to give a rat's ass about the internet.)

Marco Moock

Feb 12, 2022, 3:27:17 AM
On Saturday, 12 February 2022, at 00:33:44, Roger Blake wrote:

> I've been hearing that song and dance for the last 20 years. Sorry
> to disappoint you but I doubt IPV4 will be going away any time soon.

I agree, IPv4 will keep for at least 10 years, but everybody not
implementing IPv6 in his networks slows down the process.

Marc Haber

Feb 12, 2022, 4:49:31 AM
Grant Taylor <gta...@tnetconsulting.net> wrote:
>On 2/11/22 6:22 AM, Marc Haber wrote:
>> For v4, yes. IPv6 was carefully crafted not to need it.
>
>The thing that IPv6 has over IPv4 is the number of IP addresses. But
>/utilizing/ those IP addresses brings inherent problems, not the least
>of which is additional routing burden.

This is utter B.S.

Routing Tables with IPv6 are significantly shorter than with IPv4 in
all but the most basic setups. The way greater address space allows
for smart address planning and much better aggregation of routes.

You get rid of all crutches the v4 needs to be still usable. Since all
LAN segments have a /64 prefix, you stop having to worry about prefix
length.

>Picture any business wherein each location is locally owned while having
>some loose affiliation with a corporate entity with different owners. A
>very good example is car dealerships affiliated with a major brand or
>service company. Wherein each individual location administers their
>network with complete autonomy and corporate administers it's network
>with complete autonomy. With that large topology in mind, consider the
>potential, nay likely, complications with needing to establish
>bi-directional communications between every single location and the
>corporate entity such that systems at corporate can print to the
>networked printer in the parts department. The C.I.R. functions as an
>integration between each individual location and corporate.

You'd have two address spaces in each LAN segment at the car
dealerships. One prefix for Internet access with local breakout, the
other assigned by the brand. Applications can choose which address to
use, leaving the rest of the burden to the network components.

That's WAY easier than with IPv4.

What makes those things complicated is people clinging to their
IPv4-based procedures.

>NAT makes this trivial to do.

quod erat demonstrandum.

>Corporate doesn't have to worry about (de)conflicting subnets across
>multiple sites.

They don't, because with IPv6 there are no conflicting subnets.

>The NAT on the C.I.R. acts as an abstraction layer allowing each side to
>operate with almost complete autonomy from each other.

That works differently with IPv6. One needs to learn that and let go
of IPv4 mechanisms.

>I have written this email using IPv4 addresses because they are simpler
>/ shorter to type (and more muscle memory).

How many IP address do you have to type when sending mail?

Btw, this is not mail.

> But the exact same concept
>applies to IPv6 as it does to IPv4.

No, it isn't. The concepts are very different. And when one rejects
IPv6 because it isn't IPv4 one will have to pay a price.

rest deleted, it's not worth spending time with one who clearly lives
in the past and refuses to adapt.

Marc Haber

Feb 12, 2022, 4:50:44 AM
Grant Taylor <gta...@tnetconsulting.net> wrote:
>Sadly, IPv6 site-local doesn't work for accessing the IPv6 internet,
>despite IPv6 NAT /because/ clients won't choose them for globally routed
>destinations.

If you want IPv6 Internet, you deploy Global Unicast Addresses.

>You /can/ route IPv6 link-local if you get creative. }:-)

You don't need to be creative to use IPv6. It's all stupid, all easy.
That's how networks should be.

Marc Haber

Feb 12, 2022, 4:52:33 AM
Grant Taylor <gta...@tnetconsulting.net> wrote:
>On 2/11/22 6:22 AM, Marc Haber wrote:
>> Which ones, for example?
>
>Pick any U.S. DoD prefix for starters. }:-)

Those belong to the U.S. DoD. You're not supposed to use them.

>Or any other entity that you know that you're not going to communicate with.

That's a really stupid idea.

>-- Once you truly grok anycast and how it works, you can get *REALLY*
>creative.

Networks are not supposed to be creative. They're supposed to work.
And the simpler they are, the more reliable they are.

Marc Haber

Feb 12, 2022, 4:55:02 AM
It's like the vaccination. Things would be best if everybody did it,
but since a vocal minority doesn't do it AND TAKES PRIDE IN NOT DOING
IT, the whole process is slowed down for everybody significantly.

With the vaccination, the price we pay is lives, with IPv6, it's only
money.

Marc Haber

Feb 12, 2022, 4:56:08 AM
Roger Blake <rogb...@iname.invalid> wrote:
>On 2022-02-10, Marc Haber <mh+usene...@zugschl.us> wrote:
>> And you're soooooo proud of that, aren't you?
>
>Yes, as a matter of fact I am. I've been working with what is now known as
>IPV4 for nearly 40 years and have no desire to learn a new protocol. It's
>not likely that IPV4 will be going away in my lifetime.
>
>--
>------------------------------------------------------------------------------
> 18 Reasons I won't be vaccinated -- https://tinyurl.com/ebty2dx3
> Covid vaccines: experimental biology -- https://tinyurl.com/57mncfm5
> The fraud of "Climate Change" -- https://RealClimateScience.com
> There is no "climate crisis" -- https://climatedepot.com
>------------------------------------------------------------------------------

Quoting the signature for a reason. I am not surprised.

End of discussion for me.

Marco Moock

Feb 12, 2022, 5:02:03 AM
On Saturday, 12 February 2022, at 10:54:57, Marc Haber wrote:

> Marco Moock <mo...@posteo.de> wrote:
> >On Saturday, 12 February 2022, at 00:33:44, Roger Blake wrote:
> >
> >> I've been hearing that song and dance for the last 20 years. Sorry
> >> to disappoint you but I doubt IPV4 will be going away any time
> >> soon.
> >
> >I agree, IPv4 will keep for at least 10 years, but everybody not
> >implementing IPv6 ins his networks slows down the process.
>
> It's like the vaccination. Things would be best if everybody did it,
> but since a vocal minority doesn't do it AND TAKES PRIDE IN NOT DOING
> IT, the whole process is slowed down for everybody significantly.
>
> With the vaccination, the price we pay is lifes, with IPv6, it's only
> money.

A really bad comparison. If others' servers are not reachable via IPv4
I need to be able to access them, maybe via NAT64. If other servers that
need to communicate with me can't use IPv6, I HAVE to provide IPv4.

If others do not want vaccination, I don't need to care about. They
also don't need to care about my vaccination.

jrg

Feb 12, 2022, 3:06:15 PM
On 2/12/22 02:01, Marco Moock wrote:
> If others do not want vaccination, I don't need to care about. They
> also don't need to care about my vaccination.

Wrong.
You are correct in your assessment of that sig in general - one can't
cure stupid. But the statement " I don't need to care about. " is
equally stupid, as is the obverse you continued to use. It shows simply
an attitude of "hurray for me and screw you". With the number of deaths
involved, EVERYONE needs to be aware of the risks the carrier of the
"plague" puts on all those around them. If you can't grasp the point,
do the rest of us a favor and STFU - try visiting a leper colony to see
how your "enlightened" position works.

Marco Moock

Feb 12, 2022, 3:39:18 PM
I just wanted to make clear that the comparison between no vaccination
and no IPv6 isn't a good one.
Regardless if you are vaccinated or not, I can decide myself if I want
to be or not.
I can't do that with IPv4/IPv6.

Grant Taylor

Feb 12, 2022, 9:36:06 PM
On 2/12/22 2:50 AM, Marc Haber wrote:
> You don't need to be creative to use IPv6. It's all stupid, all easy.
> That's how networks should be.

The hardest part about IPv6 is getting an ISP that provides it.

WAY too many don't provide IPv6.

Grant Taylor

Feb 12, 2022, 9:40:19 PM
On 2/12/22 2:52 AM, Marc Haber wrote:
> Those belong to the U.S. DoD. You're not supposed to use them.

And yet there are many people doing exactly that.

Or using someone else's network.

> That's a really stupid idea.

I didn't say that squatting on someone else's IP space was a good idea.

> Networks are not supposed to be creative. They're supposed to work.
> And the simpler they are, the more reliable are they.
And how is having many (upwards of 10) IPv6 addresses on a single
machine /simpler/?

What do you do if the multiple enterprises are using site-local, despite
the deprecation?

How do you address the conflict /simply/ then?

Marco Moock

Feb 13, 2022, 1:55:31 AM
On Saturday, 12 February 2022, at 19:36:15, Grant Taylor wrote:

> On 2/12/22 2:50 AM, Marc Haber wrote:
> > You don't need to be creative to use IPv6. It's all stupid, all
> > easy. That's how networks should be.
>
> The hardest part about IPv6 is getting an ISP that provides it.
>
> WAY too many don't provide IPv6.

I completely agree. Here in Germany many small ISPs don't provide it,
but the big ones like Deutsche Telekom provide it even for home
customers.

Bit Twister

Feb 13, 2022, 4:59:15 AM
Frontier Fios here in Dallas Texas gives ipv4
$ wget -qO - http://icanhazip.com
47.183.233.188


--
The warranty and liability expired as you read this message.
If the above breaks your system, it's yours and you keep both pieces.
Practice safe computing. Backup the file before you change it.
Do a, man command_here or cat command_here, before using it.

David Brown

Feb 13, 2022, 5:49:27 AM
On 11/02/2022 09:41, Marco Moock wrote:
> On Friday, 11 February 2022, at 07:28:05, Mike Mocha wrote:
>
>> Thanks for all the responses! Something that still is not making
>> sense to me, if for example we have a home network that contains many
>> different IPv6 devices connected, how do we control what ports get
>> exposed on each device?
>
> The concept of the internet (IPv4 and IPv6) is that every device has a
> unique address that is reachable from any other node.

That /was/ the original idea - back when IP networking was for a few
specialised uses such as military research, universities, and a few
niche companies. Such a concept does not scale to today's networking
needs, and that has /nothing/ to do with the number of IPv4 addresses.

It is a /long/ time since computers and users have had the level of
trust that existed then. With more software, has come more security
holes. The average level of knowledge of users has dropped as computers
arrived on every desk, not just the desks of experts.

The number of connected nodes has increased dramatically over the
decades. Unique addressing is not the issue - it's an irrelevancy. A
system where any node can address any other node simply does not scale.

So what we have is a somewhat hierarchical system - basically on two
levels. There is the "internet" which supports wide-range access and
routing, with many servers directly on that network. And there are
countless local networks with interaction within the network, and
access to internet-based servers, but with no need for anything outside
to get in.

Rounded to the nearest tenth of a percent, all computers are
client-only. (Yes, the remaining fraction that act as servers is
important.) They are mobile phones, home computers, work desktops, etc.
All of these need to be able to access servers on the internet. /None/
of them need to be accessed by any other computer. The only time
something tries to directly access them, is an attack from some hacker,
worm or other malware. No one wants that, or to make that easier.

Of course you can say that it is the job of the firewall to block
incoming connections while allowing packets of established connections
to pass through from the internet. But when the firewall is already
doing this connection tracking, it can also do NAT'ing at little cost.
That then makes the routing process upstream /hugely/ easier.

What benefit would there be from each device having a unique IP address
that is used directly, without NAT? The device would /not/ be reachable
from any other node - if you think that would be a good thing, with
every hacker on the other side of the globe having direct access to your
grandma's mobile, you are living on a different planet.

The only people that would see this as a direct benefit are the
Facebooks of the world, and the porn-site based scammers and
blackmailers. (That includes "legitimate" porn sites that get hacked by
scammers and blackmailers.) They'd love to know /exactly/ which
computer was used, as accurately as possible, rather than seeing common
router IP addresses.


> NAT and all that
> crap are just temporary solutions for keeping IPv4 alive.

NAT is a fine example of the flexibility of IP networking, and does a
fine job of helping compartmentalise and modularise the network. It is
also extremely easy to have a simple NAT setup - these days pretty much
every home has a NAT router with Wifi, that comes out of the box with a
setup that provides a basic level of security for the home (except for
the NAT routers that have hopeless default passwords). In the days of
dial-up, people would take their Windows XP machines and connect
directly to the internet, getting a global IP that was reachable from
any node. Their machine would be taken over by hostile hackers and bots
long before it had managed to download the latest service packs and
updates, which at best only blocked half the attacks anyway. Now they
connect their new Windows machines to their NAT router, and /no/ attacks
get in (until they do something stupid, like click on a phishing email
link).

> We should
> switch to IPv6 ASAP.
>
There are certainly cases where a greater availability of globally
unique addresses would be helpful. While almost all computers are not
servers, /some/ are, and sometimes a unique address on the internet
would be handy.

I see some benefits to IPv6, but not enough to bother much about it as
yet. And when I do start using it seriously, it will be with NAT.

Marco Moock

Feb 13, 2022, 7:51:53 AM
On Sunday, 13 February 2022, at 11:49:22, David Brown wrote:

> On 11/02/2022 09:41, Marco Moock wrote:
> > On Friday, 11 February 2022, at 07:28:05, Mike Mocha wrote:
> >
> >> Thanks for all the responses! Something that still is not making
> >> sense to me, if for example we have a home network that contains
> >> many different IPv6 devices connected, how do we control what
> >> ports get exposed on each device?
> >
> > The concept of the internet (IPv4 and IPv6) is that every device
> > has a unique address that is reachable from any other node.
>
> That /was/ the original idea - back when IP networking was for a few
> specialised uses such as military research, universities, and a few
> niche companies. Such a concept does not scale to today's networking
> needs, and that has /nothing/ to do with the number of IPv4 addresses.

They scale very well if you have enough addresses available. It is much
easier because you don't need a NAT/PAT table, nor do you need to create
concepts for interconnecting LANs with RFC 1918 addresses etc.

> It is a /long/ time since computers and users have had the level of
> trust that existed then. With more software, has come more security
> holes. The average level of knowledge of users has dropped as
> computers arrived on every desk, not just the desks of experts.
>
> The number of connected nodes has increased dramatically over the
> decades. Unique addressing is not the issue - it's an irrelevancy. A
> system where any node can address any other node simply does not
> scale.

It does very well, a home customer has about 2^64 addresses available.
Tell me what you can't do with that.

> So what we have is a somewhat hierarchical system - basically on two
> levels. There is the "internet" which supports wide-range access and
> routing, with many servers directly on that network. And there is
> there are countless local networks with interaction within the
> network, and access to internet-based servers, but with no need for
> anything outside to get in.

Why do we need a hierarchical system here?
If we want addresses for local-only services we can use ULA. There are
also more than enough addresses available for all your needs.

> Rounded to the nearest tenth of a percent, all computers are
> client-only. (Yes, the remaining fraction that act as servers is
> important.) They are mobile phones, home computers, work desktops,
> etc. All of these need to be able to access servers on the internet.

That is what big companies and providers tell us. Everybody that wants
to use VoIP without any problems needs to be reachable from the outside.

> /None/ of them need to be accessed by any other computer. The only
> time something tries to directly access them, is an attack from some
> hacker, worm or other malware. No one wants that, or to make that
> easier.

Then they can operate an SPI firewall. Windows has one enabled by
default, most home routers have one enabled.

> Of course you can say that it is the job of the firewall to block
> incoming connections while allowing packets of established connections
> to pass through from the internet. But when the firewall is already
> doing this connection tracking, it can also do NAT'ing at little cost.
> That then makes the routing process upstream /hugely/ easier.

Why should it do NAT?
What makes it better in the routing?
I see no benefit at all.

> What benefit would there be from each device having a unique IP
> address that is used directly, without NAT? The device would /not/
> be reachable from any other node - if you think that would be a good
> thing, with every hacker on the other side of the globe having direct
> access to your grandma's mobile, you are living on a different planet.

The grandma's router has an SPI fw enabled. Grandma's Windows has an
SPI FW enabled by default, so no problem.
If you have a good operating system, no server software runs on the
public addresses. Then there is also no problem at all without NAT or
an SPI fw.

> The only people that would see this as a direct benefit are the
> Facebooks of the world, and the porn-site based scammers and
> blackmailers. (That includes "legitimate" porn sites that get hacked
> by scammers and blackmailers.) They'd love to know /exactly/ which
> computer was used, as accurately as possible, rather than seeing
> common router IP addresses.

Because of proxy servers and NAT companies like Facebook and Google
created other methods of tracking. They use User Agents, Cookies,
Browser storage to identify a user, they don't need a unique IP
address.

> > NAT and all that
> > crap are just temporary solutions for keeping IPv4 alive.
>
> NAT is a fine example of the flexibility of IP networking, and does a
> fine job of helping compartmentalise and modularise the network. It
> is also extremely easy to have a simple NAT setup - these days pretty
> much every home has a NAT router with Wifi, that comes out of the box
> with a setup that provides a basic level of security for the home
> (except for the NAT routers that have hopeless default passwords).

NAT first creates a flexibility and then you see how bad it is. Think
about DNS with servers that have private addresses and should have a
host name. You then need NAT hairpinning and other nasty stuff.

> In the days of dial-up, people would take their Windows XP machines
> and connect directly to the internet, getting a global IP that was
> reachable from any node. Their machine would be taken over by
> hostile hackers and bots long before it had managed to download the
> latest service packs and updates, which at best only blocked half the
> attacks anyway. Now they connect their new Windows machines to their
> NAT router, and /no/ attacks get in (until they do something stupid,
> like click on a phishing email link).

The main problem of that is that Windows has enabled server software
like NetBIOS over IP and SMB. This is the problem and NAT/SPI should
now solve the biggest security problem that MS was able to create?
Personally, I don't care anymore about windows machines because they
are insecure by design.

> > We should
> > switch to IPv6 ASAP.
> >
> There are certainly cases where a greater availability of globally
> unique addresses would be helpful. While almost all computers are not
> servers, /some/ are, and sometimes a unique address on the internet
> would be handy.
>
> I see some benefits to IPv6, but not enough to bother much about it as
> yet. And when I do start using it seriously, it will be with NAT.

Then do it if you like a really bad network infrastructure.
What I want is to be able to switch off IPv4 entirely on my side without
having problems connecting to others' servers.

Marc Haber

Feb 13, 2022, 7:52:34 AM
Grant Taylor <gta...@tnetconsulting.net> wrote:
>On 2/12/22 2:50 AM, Marc Haber wrote:
>> You don't need to be creative to use IPv6. It's all stupid, all easy.
>> That's how networks should be.
>
>The hardest part about IPv6 is getting an ISP that provides it.
>
>WAY too many don't provide IPv6.

Thankfully, in technologically advanced countries dual stack or dual
stack lite Internet Access is commodity and easily bought on the
market, even with competitive pricing.

Greetings
Marc

Marc Haber

Feb 13, 2022, 7:58:26 AM
Grant Taylor <gta...@tnetconsulting.net> wrote:
>On 2/12/22 2:52 AM, Marc Haber wrote:
>> Networks are not supposed to be creative. They're supposed to work.
>> And the simpler they are, the more reliable they are.
>And how is having many (upwards of 10) IPv6 addresses on a single
>machine /simpler/?

You're fantasizing. In my most complex network (it's my home network)
I have at minimum four IPv6 addresses per machine¹, and that's just
because I am too cheap to get decent BGP redundancy for my home. Any
business customer with a mind is going to have their own address space
and builds redundancy network wise, which makes the network setup on
the actual server even easier.

¹ link local, SLAAC from the expensive, but static prefix, static
Unique Global Unicast from the expensive prefix for ssh, and SLAAC
from the dynamic but cheap and fast prefix for downloads. Add service
IP addresses from the expensive static prefix at will, I am a big fan
of having one IP address per service, which is WAY easier and WAY
cheaper with IPv4.

New setups I build with IPv6 only and provide IPv4 access via NAT
(mainly for github, who have not woken up yet) and IPv4 services via
reverse proxy / ALG.

>What do you do if the multiple enterprises are using site-local, despite
>the deprecation?

Organizational failure to adapt to changed environment. The market
will solve that, given enough time.

>How do you address the conflict /simply/ then?

I am not a psychologist.

Marco Moock

Feb 13, 2022, 8:05:49 AM
On Saturday, 12 February 2022, at 19:40:27, Grant Taylor wrote:

> What do you do if the multiple enterprises are using site-local,
> despite the deprecation?
>
> How do you address the conflict /simply/ then?

Site-local has been deprecated for years.
If they want to use a site-local-scope address range, they should use
ULA and should randomize the bits from bit to to bit 48 to ensure they
have a unique prefix. If they then want to bring together 2 links with
IPv6 ULA it works fine without changing one address.
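
An added example of the ULA scheme described above (my own code, not from any poster in this thread): it builds an RFC 4193 /48 from the fd00::/8 block plus a 40-bit pseudo-random Global ID occupying bits 8 to 47, carves per-link /64s out of it, and checks a set of prefixes for overlap before two sites are joined. RFC 4193's reference algorithm derives the Global ID from a timestamp and an EUI-64; this example takes the 40 bits from the OS CSPRNG instead, which the RFC permits. The function names and the sample prefixes are constructed for the example.

```python
"""RFC 4193 Unique Local Address (ULA) prefix generation and overlap check.

Added example; not code from any poster in this thread.  A ULA /48 is
fc00::/7 with the L bit set (so fd00::/8) followed by a 40-bit Global ID
in bits 8..47.  The Global ID must be chosen pseudo-randomly so that
independently chosen prefixes are very unlikely to collide when two
sites are later interconnected.  All sample prefixes are constructed.
"""
import secrets
from ipaddress import IPv6Network

ULA_LOCAL = IPv6Network("fd00::/8")   # fc00::/7 with L=1; fc00::/8 itself is reserved
GLOBAL_ID_BITS = 40


def generate_ula_prefix(global_id=None):
    """Return a /48 ULA prefix. `global_id` is a 40-bit int (random if None)."""
    if global_id is None:
        global_id = secrets.randbits(GLOBAL_ID_BITS)   # OS CSPRNG, not the RFC's hash recipe
    if not 0 <= global_id < (1 << GLOBAL_ID_BITS):
        raise ValueError("Global ID must fit in 40 bits")
    # fd (8 bits) | Global ID (40 bits) | Subnet ID (16 bits, zero) | Interface ID (64 bits, zero)
    value = (0xFD << 120) | (global_id << 80)
    return IPv6Network((value, 48))


def global_id_of(prefix):
    """Extract the 40-bit Global ID from a ULA prefix (a /48 or a subnet of one)."""
    net = IPv6Network(prefix)
    if not net.subnet_of(ULA_LOCAL) or net.prefixlen < 48:
        raise ValueError(f"{prefix} is not inside fd00::/8 or is shorter than /48")
    return (int(net.network_address) >> 80) & ((1 << GLOBAL_ID_BITS) - 1)


def site_subnet(prefix, subnet_id):
    """Carve /64 number `subnet_id` (0..65535) out of a ULA /48 for one link."""
    net = IPv6Network(prefix)
    if net.prefixlen != 48 or not 0 <= subnet_id < (1 << 16):
        raise ValueError("need a /48 and a 16-bit subnet ID")
    return IPv6Network((int(net.network_address) | (subnet_id << 64), 64))


def overlapping(prefixes):
    """Pairs of prefixes that overlap; an empty list means the sites can be joined as-is."""
    nets = [IPv6Network(p) for p in prefixes]
    return [(str(a), str(b))
            for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    p = generate_ula_prefix()
    print(p, hex(global_id_of(str(p))), site_subnet(str(p), 1))
```

Two sites that each generated their own /48 this way can be routed together without renumbering as long as `overlapping()` returns an empty list; the 2^40 Global ID space is what keeps that list empty in practice.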

David Brown

Feb 13, 2022, 8:54:15 AM
As long as /you/ are all right, screw the rest of the world?

It's fine to blame MS for a decades-long attitude where security is an
afterthought at best - you'll find few people who are particularly
impressed with Windows security (and even fewer in a newsgroup like this
one!).

But in one simple step, NAT eliminates a whole major class of security
issues for client systems (including Linux and other OS's). It does so
in a way that is not only easy to get right, it is also hard to get wrong.

Security is not a feature - a one-off item that you attach to your
network. It is a process, and it is a matter of layers and
combinations. Each part reduces the overall risk of breaches - none is
absolute on its own, but in total you find an acceptable risk level.
And it is always a balance between keeping out the stuff you don't want,
while letting in the stuff you /do/ want with as little user
inconvenience as possible. NAT plays an important part in the security
in a lot of systems because it provides a huge step at keeping out
unwanted stuff while being of very little inconvenience to most users.
And it does this for practically nothing - stand-alone NAT routers for
small networks cost peanuts, and any serious router for a big network
will do it with negligible delay or overhead. There are not many
security measures that are so effective for so low cost.

Marco Moock

Feb 13, 2022, 9:31:32 AM
On Sunday, 13 February 2022, at 14:54:10, David Brown wrote:

> NAT plays an important part in the security
> in a lot of systems because it provides a huge step at keeping out
> unwanted stuff while being of very little inconvenience to most users.
> And it does this for practically nothing - stand-alone NAT routers for
> small networks cost peanuts, and any serious router for a big network
> will do it with negligible delay or overhead. There are not many
> security measures that are so effective for so low cost.

Every SPI firewall does the same and costs the same. There is
absolutely NO security reason for NAT at all.
SPI works perfectly well and is included for IPv6 in every home router.
SPI also costs nothing but doesn't have the nasty things of NAT.

NAT wasn't intended for security, it was intended for expanding the
lifetime of IPv4.

Jorgen Grahn

Feb 13, 2022, 2:43:09 PM
On Thu, 2022-02-10, Marco Moock wrote:
> On Thursday, 10 February 2022, at 12:44:56, Grant Taylor wrote:
>
>> On 2/10/22 12:15 PM, Dan Purgert wrote:
>> > Although you need neither port-forwarding nor NAT on v6...
>>
>> Maybe. Maybe not.
>>
>> It depends on the network topology and other layers of the stack,
>> including layers 8 (politics) and 9 (money) influence this.
>
> If you like to have more work (NAT is annoying if using DNS names
> inside and outside of the NAT net), then you can set up NAT for IPv6.

NAT tends to be not only more work but also worse functionality. I'm
mainly thinking of how NAT keeps state in the routers, and that home
routers tend to drop the state after a while so that e.g. long-lived
TCP sessions tend to silently stop working.

> I like the easy way that means no NAT at all whenever possible.
>
> Network is one of the things that last very long, so I don't like nasty
> stuff like NAT there.

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .

Marco Moock

Feb 13, 2022, 3:14:20 PM
On Sunday, 13 February 2022, at 19:43:03, Jorgen Grahn wrote:

> NAT tends to be not only more work but also worse functionality. I'm
> mainly thinking of how NAT keeps state in the routers, and that home
> routers tend to drop the state after a while so that e.g. long-lived
> TCP sessions tend to silently stop working.

Full ack.
That is the reason for the unnecessary "keep-alive" packets many
applications send.
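
An added example (my own code, not from any poster) that models both points made above: Marco's "SPI does the same as NAT" and Jorgen's "home routers drop the state after a while". It is a toy connection tracker for IPv6 that accepts an inbound packet only as the reverse of a flow opened from the inside, and forgets the flow after an idle timeout, with no address rewriting anywhere. The prefix, addresses, ports, timeout and class and function names are all constructed for the example.

```python
"""Toy stateful packet filter (SPI) for IPv6 without NAT.

Added example, not code from any poster in this thread.  It models the
"SPI firewall" the posts describe: an inbound packet is accepted only if
it is the reverse of a flow that was opened from the inside, and flow
state is dropped after an idle timeout, which is also the mechanism
behind long-lived TCP sessions through a home router silently dying.
All addresses and packets are constructed from the documentation prefix
2001:db8::/32.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """One flow-table entry per outbound 5-tuple; nothing is ever rewritten."""

    def __init__(self, inside_prefix, idle_timeout):
        self.inside = ip_network(inside_prefix)   # the LAN's (globally routable) prefix
        self.idle_timeout = idle_timeout          # seconds of silence before state is forgotten
        self.flows = {}  # outbound 5-tuple -> time of the last packet in either direction

    def _expire(self, now):
        for key in [k for k, seen in self.flows.items() if now - seen > self.idle_timeout]:
            del self.flows[key]

    def handle(self, pkt, now):
        """Return 'accept' or 'drop' for a packet seen at time `now` (seconds)."""
        self._expire(now)
        if ip_address(pkt.src) in self.inside:
            # Outbound: always allowed, and it creates or refreshes state.
            self.flows[(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)] = now
            return "accept"
        # Inbound: allowed only as the reverse direction of a known flow.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.flows:
            self.flows[key] = now
            return "accept"
        return "drop"


def demo():
    """Run four constructed packets through the filter; returns the decisions."""
    fw = StatefulFilter("2001:db8:1::/64", idle_timeout=300)
    client, server, stranger = "2001:db8:1::10", "2001:db8:ffff::1", "2001:db8:bad::1"
    return [
        fw.handle(Packet(client, 40000, server, 443), now=0),    # outbound HTTPS opens state
        fw.handle(Packet(server, 443, client, 40000), now=1),    # reply matches the state
        fw.handle(Packet(stranger, 1234, client, 22), now=2),    # unsolicited inbound: dropped
        fw.handle(Packet(server, 443, client, 40000), now=400),  # reply after idle timeout: dropped
    ]


if __name__ == "__main__":
    print(demo())  # ['accept', 'accept', 'drop', 'drop']
```

The fourth decision is the keep-alive problem: nothing in the packet is wrong, the router has simply forgotten the flow, and the only cure is traffic inside the idle window or a longer timeout. The same table is what a stateful NAT44 box consults, so the protection is identical; NAT merely adds address rewriting on top. A real IPv6 ruleset (for example nftables with `ct state established,related accept`) also needs explicit ICMPv6 rules along the lines of RFC 4890, since Neighbor Discovery and Path MTU Discovery are not part of any tracked flow.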

jrg

Feb 13, 2022, 4:27:13 PM
On 2/12/22 12:39, Marco Moock wrote:

> Regardless if you are vaccinated or not, I can decide myself if I want
> to be or not.

Of course you can but you live in a society which affords you a living
and something other than a cave to live in, though it seems you wouldn't
know the difference and you wouldn't have the internet connection, a
good thing since it would remove your ability to spew your skewed
opinion of what's good for everyone.

Fortunately, in the end, Darwin's Law prevails, though it's doubtful it
could apply to IPv4/6.

P.S.

my spelchekker suggests Muck or Mooch as an alternative to Moock.
I'll leave that alone...

jrg

Feb 13, 2022, 5:02:51 PM
On 2/13/22 01:59, Bit Twister wrote:

> Frontier Fios here in Dallas Texas gives ipv4
> $ wget -qO - http://icanhazip.com
> 47.183.233.188

att gives me
2600:1700:79b1:20c0:2f4:8dff:fea6:fc3b

no clue, just in passing.

jrg

Feb 13, 2022, 5:07:15 PM
On 2/13/22 05:54, David Brown wrote:

> As long as /you/ are all right, screw the rest of the world?

sounds like an echo...

Bit Twister

Feb 13, 2022, 7:05:36 PM
All those colons instead of 4 dots tell me your isp, ATT-SBCIS,
is giving out ipv6 addresses.

Roger Blake

Feb 13, 2022, 9:06:46 PM
On 2022-02-12, Marco Moock <mo...@posteo.de> wrote:
> I agree, IPv4 will keep for at least 10 years, but everybody not
> implementing IPv6 in his networks slows down the process.

It will probably be longer than that. I am quite happy to be old and in the way.

--
------------------------------------------------------------------------------
18 Reasons I won't be vaccinated -- https://tinyurl.com/ebty2dx3
Covid vaccines: experimental biology -- https://tinyurl.com/57mncfm5
The fraud of "Climate Change" -- https://RealClimateScience.com
There is no "climate crisis" -- https://climatedepot.com
Don't talk to cops! -- https://DontTalkToCops.com
------------------------------------------------------------------------------

Roger Blake

Feb 13, 2022, 9:12:32 PM
On 2022-02-12, Marc Haber <mh+usene...@zugschl.us> wrote:
> With the vaccination, the price we pay is lives, with IPv6, it's only
> money.

Sorry, but real-world data contradicts that statement. The safety and
effectiveness of the so-called "vaccines" (which don't actually prevent
spread of the disease) are highly over-rated. The official narrative
does not hold up under close examination.

https://www.informedchoiceaustralia.com/post/1000-peer-reviewed-studies-questioning-covid-19-vaccine-safety

The only way you'll "vaccinate" me is to kill me first.

Roger Blake

Feb 13, 2022, 9:15:45 PM
On 2022-02-12, Marc Haber <mh+usene...@zugschl.us> wrote:
> Quoting the signature for a reason. I am not surprised.
> End of discussion for me.

In other words you cannot support your position(s). I am not surprised.

--
------------------------------------------------------------------------------
18 Reasons I won't be vaccinated -- https://tinyurl.com/ebty2dx3
Covid vaccines: experimental biology -- https://tinyurl.com/57mncfm5
The fraud of "Climate Change" -- https://RealClimateScience.com
There is no "climate crisis" -- https://climatedepot.com

Marc Haber

Feb 14, 2022, 2:47:40 AM
And then there are the applications that need constant pampering and
additional crutches to work through NAT, and probably still lose
significant parts of their functionality even if all crutches are
properly in place.

Those are such unimportant protocols like ftp and SIP/RTP. Heck, who
wants telephony anyway?!?

Greetings
Marc, currently cursed with an unreliable telephone because of NAT

Marc Haber

Feb 14, 2022, 2:52:23 AM
Roger Blake <rogb...@iname.invalid> wrote:
>On 2022-02-12, Marc Haber <mh+usene...@zugschl.us> wrote:
>> Quoting the signature for a reason. I am not surprised.
>> End of discussion for me.
>
>In other words you cannot support your position(s).

I don't want to. I have more important things to do than to argue with
idiots.

jrg

Feb 15, 2022, 12:13:58 PM
Thanks, that much I figured but am surprised you don't get ip6 in
Dallas. I had never seen icanhazip before, don't know why, haven't been
living under a rock...

jrg

Feb 15, 2022, 12:15:01 PM
On 2/13/22 18:06, Roger Blake wrote:

> old and in the way

great album, that

jrg

Feb 15, 2022, 12:16:42 PM
On 2/13/22 23:52, Marc Haber wrote:
> Roger Blake <rogb...@iname.invalid> wrote:
>> On 2022-02-12, Marc Haber <mh+usene...@zugschl.us> wrote:
>>> Quoting the signature for a reason. I am not surprised.
>>> End of discussion for me.
>>
>> In other words you cannot support your position(s).
>
> I don't want to. I have more important things to do than to argue with
> idiots.
>
+1

Bit Twister

Feb 15, 2022, 12:36:52 PM
On Tue, 15 Feb 2022 09:13:54 -0800, jrg wrote:
> On 2/13/22 16:05, Bit Twister wrote:
>> On Sun, 13 Feb 2022 14:02:44 -0800, jrg wrote:
>>> On 2/13/22 01:59, Bit Twister wrote:
>>>
>>>> Frontier Fios here in Dallas Texas gives ipv4
>>>> $ wget -qO - http://icanhazip.com
>>>> 47.183.233.188
>>>
>>> att gives me
>>> 2600:1700:79b1:20c0:2f4:8dff:fea6:fc3b
>>>
>>> no clue, just in passing.
>>
>> All those colons instead of 4 dots, tells me your isp, ATT-SBCIS,
>> is giving out ipv6 addresses.
>
> Thanks, that much I figured but am surprised you don't get ip6 in
> Dallas.

Spectrum Cable is also giving ipv4 to customers.

> I had never seen icanhazip before, don't know why, haven't been
> living under a rock...

Other options for getting your Internet IP address:

curl http://icanhazip.com
curl http://ident.me
curl whatismyip.akamai.com
curl https://ipecho.net/plain
wget -qO - http://ident.me/
wget -qO - http://smxi.org/opt/ip.php
wget -qO - https://ipecho.net/plain
wget -qO - http://myip.dnsomatic.com/

Grant Taylor

Feb 15, 2022, 1:48:21 PM
On 2/13/22 12:43 PM, Jorgen Grahn wrote:
> NAT tends to be not only more work but also worse functionality.
> I'm mainly thinking of how NAT keeps state in the routers, and
> that home routers tend to drop the state after a while so that
> e.g. long-lived TCP sessions tend to silently stop working.

That's /stateful/ NAT. There is also the older /stateless/ NAT that
does not have this problem.

Grant Taylor

Feb 15, 2022, 1:50:08 PM
On 2/13/22 5:52 AM, Marc Haber wrote:
> Thankfully, in technologically advanced countries dual stack or dual
> stack lite Internet Access is commodity and easily bought on the
> market, even with competitive pricing.

There have been MANY technologies to more easily provide IPv6 access
than going dual-stack from end-to-end. Sadly, many ISPs aren't
utilizing them.

Grant Taylor

Feb 15, 2022, 1:53:30 PM
On 2/13/22 5:58 AM, Marc Haber wrote:
> You're fantasizing.

No I'm not.

I've worked on many servers that have (at least) the following per
interface:

- link-local
- old GUA
- current GUA
- new GUA

With at least three interfaces. 3 x 4 = 12

That all assumes a single IPv6 address per prefix. Many systems that
I've worked on have had multiple IPv6 addresses per prefix as part of
how they offer services:

- management IP
- web service VIP
- mail service VIP

Grant Taylor

Feb 15, 2022, 1:56:28 PM
On 2/13/22 6:05 AM, Marco Moock wrote:
> Site-local has been deprecated for years.

Agreed.

Though I still think there are uses for it. E.g. the local SMTP relay
server at this site. Road warriors don't need to reconfigure anything
as they go office to office.

> If they want to use a site-local-scope address range, they should use
> ULA and should randomize the bits from bit to to bit 48 to ensure
> they have a unique prefix. If they then want to bring together 2
> links with IPv6 ULA it works fine without changing one address.

That is contrary to the intention behind site-local / anycasted addresses.

Marco Moock

Feb 15, 2022, 2:08:52 PM
On Tuesday, 15 February 2022, at 11:48:30, Grant Taylor wrote:

> That's /stateful/ NAT. There is also the older /stateless/ NAT that
> does not have this problem.

I know and stateless NAT64 is a nice feature to make servers reachable
via IPv6 without configuring the entire network, e.g. when implementing
IPv6 is difficult in the current network infrastructure.

I think it will also be used in future for making IPv6-only servers
reachable via IPv4.

Marco Moock

Feb 15, 2022, 2:09:43 PM
On Tuesday, 15 February 2022, at 11:50:18, Grant Taylor wrote:

> There have been MANY technologies to more easily provide IPv6 access
> than going dual-stack from end-to-end. Sadly, many ISPs aren't
> utilizing them.

I know, it is really sad.
Especially customers behind CG-NAT aren't able to use SIT to get IPv6
connectivity.

Marco Moock

Feb 15, 2022, 2:11:20 PM
On Tuesday, 15 February 2022, at 11:56:37, Grant Taylor wrote:

> > If they want to use a site-local-scope address range, they should
> > use ULA and should randomize the bits from bit to to bit 48 to
> > ensure they have a unique prefix. If they then want to bring
> > together 2 links with IPv6 ULA it works fine without changing one
> > address.
>
> That is contrary to the intention behind site-local / anycasted
> addresses.

It is, but it makes sure that address conflicts are very seldom if you
need to interconnect such ULA prefixes from two sites.

Grant Taylor

Feb 15, 2022, 2:14:50 PM
On 2/13/22 5:51 AM, Marco Moock wrote:
> They scale very well if you have enough addresses available.

I believe that David was referring to the security implications related
to trust rather than the addressing of the underlying protocol.

If nothing else, based on population size of connected devices.

> Why do we need a hierarchical system here? If we want addresses for
> local-only services we can use ULA. There are also more than enough
> addresses available for all your needs.

Site-local vs link-local immediately comes to mind.

> That is what big companies and providers tell us. Everybody that
> wants to use VoIP without any problems needs to be reachable from
> the outside.

I've used VoIP without any problem without globally routed addresses.

There is a difference in something being simpler / more pristine vs less
simple / less pristine and still working perfectly fine. The latter
tends to negate the former as arguments for must-have global reachability.

> Then they can operate an SPI firewall. Windows has one enabled by
> default, most home routers have one enabled.

I think that it's important to keep time & context in mind. Windows has
an SPI firewall enabled by default /now/. It did not 20 years ago.

> If you have a good operating system, no server software runs on the
> public addresses. Then there is also no problem at all without NAT
> or an SPI fw.

I will not bet my security on "good operating system" nor "no server
software runs on the public address" /alone/. Does "belt and
suspenders" or "layers of security" mean anything?

> Because of proxy servers and NAT companies like Facebook and Google
> created other methods of tracking. They use User Agents, Cookies,
> Browser storage to identify a user, they don't need a unique IP
> address.

I'm fairly certain that the User-Agent and Cookies headers pre-date wide
adoption of NAT. They definitely pre-date Facebook and Google.

Also, trusting the IP address alone is insufficient. IPs used to be far
more dynamic than they are today. Thus you couldn't rely on them for
identification in the vast majority of situations.

> NAT first creates a flexibility and then you see how bad it is. Think
> about DNS with servers that have private addresses and should have
> a host name. You then need NAT hairpinning and other nasty stuff.

I guess setting up an internal zone to resolve the name to the LAN IP is
"other nasty stuff".

> The main problem of that is that Windows has enabled server software
> like NetBIOS over IP and SMB. This is the problem and NAT/SPI should
> now solve the biggest security problem that MS was able to create?
> Personally, I don't care anymore about windows machines because they
> are insecure by design.
>
> Then do it if you like a really bad network infrastructure. What I
> wanna is that I can switch off IPv4 at all at my side without having
> problems to connect to other's servers.

Currently (2022) you will have better connectivity with IPv4+IPv6 with
NAT than you will with IPv6 only. Sadly, the Internet isn't even close
to parity between IPv4 and IPv6 from a service availability standpoint.

Grant Taylor

Feb 15, 2022, 2:17:39 PM
On 2/15/22 12:11 PM, Marco Moock wrote:
> It is, but it makes sure that address conflicts are very seldom if you
> need to interconnect such ULA prefixes from two sites.

I have a problem with going through extra effort on the minuscule off
hand chance that I will want to interconnect with another business
entity that I've never even heard of. Especially if there are other
technologies that allow me to do what I want and not have to worry about
/potential/ conflict.

I can either do the simple thing now and get immediate benefit from all
of the LANs that I administer or I can go through more work now in the
hopes to save some work for an unlikely event in the future.

I'm all for pay-it-forward, but I feel like this is taking it too far.

Grant Taylor

Feb 15, 2022, 2:19:02 PM
On 2/15/22 12:08 PM, Marco Moock wrote:
> I know and stateless NAT64

I was referring to stateless NAT44. E.g. prefix translation;
192.0.2.x/24 <=> 198.51.100.x/24
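
An added example (my own code, not from the post) of the stateless prefix translation just described, 192.0.2.x/24 <=> 198.51.100.x/24: the host bits are kept and only the network bits are swapped, so the mapping is a pure function of the address and there is no connection table that could time out. The class and method names are constructed for the example; the prefixes are the documentation prefixes from the post.

```python
"""Stateless 1:1 prefix translation (stateless NAT44).

Added example, not from the post.  Maps 192.0.2.0/24 <=> 198.51.100.0/24
by keeping the host bits and swapping the network bits.  Because the
translation depends only on the address, the box keeps no per-flow
state: nothing can expire, and packets in either direction can arrive
in any order, which is the property contrasted with stateful NAT.
"""
from ipaddress import IPv4Address, IPv4Network


class PrefixTranslator:
    def __init__(self, inside, outside):
        self.inside = IPv4Network(inside)
        self.outside = IPv4Network(outside)
        if self.inside.prefixlen != self.outside.prefixlen:
            raise ValueError("1:1 prefix translation needs equal prefix lengths")
        self.host_mask = int(self.inside.hostmask)   # the bits that pass through unchanged

    def _swap(self, addr, src_net, dst_net):
        a = IPv4Address(addr)
        if a not in src_net:
            # Not ours: a stateless translator has no rule for it, so refuse loudly.
            raise ValueError(f"{a} is not inside {src_net}; no translation applies")
        return str(IPv4Address(int(dst_net.network_address) | (int(a) & self.host_mask)))

    def to_outside(self, addr):
        """Inside address -> outside address (applied to the source on egress)."""
        return self._swap(addr, self.inside, self.outside)

    def to_inside(self, addr):
        """Outside address -> inside address (applied to the destination on ingress)."""
        return self._swap(addr, self.outside, self.inside)

    def egress(self, src, dst):
        """Rewrite a LAN-originated packet's source; the destination is left alone."""
        return (self.to_outside(src), dst)

    def ingress(self, src, dst):
        """Rewrite an Internet-originated packet's destination; the source is left alone."""
        return (src, self.to_inside(dst))


if __name__ == "__main__":
    t = PrefixTranslator("192.0.2.0/24", "198.51.100.0/24")
    print(t.egress("192.0.2.17", "203.0.113.9"))    # ('198.51.100.17', '203.0.113.9')
    print(t.ingress("203.0.113.9", "198.51.100.17"))  # ('203.0.113.9', '192.0.2.17')
```

Note what this does not give you: every inside host is reachable from outside at its translated address, so unlike stateful NAT it provides no "only established connections get in" filtering on its own; that still has to come from a separate stateful rule.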

Grant Taylor

Feb 15, 2022, 2:25:46 PM
On 2/13/22 6:54 AM, David Brown wrote:
> But in one simple step, NAT eliminates a whole major class of security
> issues for client systems (including Linux and other OS's). It does
> so in a way that is not only easy to get right, it is also hard to
> get wrong.

I think that the second part of that is extremely germane: "easy to get
right" and more importantly "hard to get wrong".

> And it is always a balance between keeping out the stuff you don't
> want, while letting in the stuff you /do/ want with as little user
> inconvenience as possible. NAT plays an important part in the security
> in a lot of systems because it provides a huge step at keeping out
> unwanted stuff while being of very little inconvenience to most users.

I read that statement a little differently and I think that it's worth
sharing the idea. Do something that implicitly breaks communications
(e.g. incompatible addressing) such that you must do something that
explicitly enables communications (e.g. NAT / proxy).

There is a lot to be said for a security system that requires explicit
precise action to make something externally available while just about
anything else will fail to communicate externally in one of many ways.

I say "just about" because even a blind hog finds a truffle on occasion.
Chaos also dictates that the dryer be folded when you open it for the
first time.