@fracutube Home routers just need to provide a default-deny firewall for incoming connections, the same way they do now with IPv4. The difference being that if you *want* to allow selected incoming access, you can do it without address translation, and you are no longer limited to a single device being publicly accessible on port 80 (if you want).
Hi Johannes, I am also a fan of your cybersecurity podcast. Thank you for your high-quality materials. I really appreciate the work you are doing.
The example with the 3 subnets describes what is perfectly possible to do with IPv4 already: give all personal computers local addresses, do not implement any NAT, give the web proxy two IPs. Or you can allow NAT only for a small group of hosts (boss, admins), and drop all other source addresses before egress to the WAN.
The "interface identifier" being a 64-bit-long unreadable sequence does not make any sense. Suppose you do want all departments to have access to the Internet. How do you write a firewall rule to restrict, say, the Sales Department or the printers as a group, if there are no subnets? This protocol must not be so _disruptive_. It should be possible to use shorter addresses like 2001:db8:1111:2222::2:0/112 for the sales department, subnet 2. I believe it is possible to do so with DHCPv6 or static.
If ISPs are to give out /48 to regular customers, how long will it be before we experience an address shortage again? Some ISPs are already giving out dynamic prefixes, necessitating the use of NAT or DDNS. Again.
@fracutube Most likely, IPv6 routers will come with a stateful firewall preconfigured (which would be effectively as secure as NAT). So "grandma" won't even know the difference.
IPv6 has so many addresses that it is infeasible to try random addresses in hopes of finding a vulnerable computer behind it. Most homes would get the current number of IPv4 internet addresses SQUARED. So in some ways IPv6 can be more secure.
NATv6 is not gone, but is a common application. The main folks in charge of telling you about IPv6 do not want you to know about NAT and IPv6. I have been using NATv6 since Jan 1st successfully. And the NAT devices that the stores sell contain firewalls, but they do not list them on the package. Most people assume that it is just NAT and forget about the firewall.
I'm a bit surprised at the suggestion to use a proxy & ULA instead of public routable IPv6 addresses for everybody. Firewalls should replace NAT, not proxies.
@SoftwareExplorer There is something odd about DHCPv6. It supports DNS updates, where autoconf does not. IMHO, autoconf's intent is to make everyone memorize IPv6 addrs, while DHCPv6 makes us memorize DNS names.
@fracutube Home users are already told to use the Windows Firewall or some other host firewall on their own, and home routers will still have built-in filtering as well. NAT on its own provides next to no real security.
NATv6 is not gone, but a widely used application. I have been using it to change my FC00::/7 to a real IPv6 since January. Something to note: when people talk about NAT on v4, they usually mean a firewall with it, but the stores call it a "NAT" device, not a "NAT+Firewall" device. Most people use the default stock setup on the firewall and only change the NAT side. These firewalls usually block incoming traffic from the external side.
I don't see how forcing users to sit behind a proxy is in any way less bad than NAT.
@alp627 The Windows default firewall will start blocking packets about 30 seconds after they come in. This means that some hacker has already gotten into your system before the firewall detects it. This is when you say, "Oops. Oh well. I guess I wanted to let him in by running Windows and not using a hardware firewall."
Brilliant presentation. Thanks a million times.
All NAT ever was as far as security was a stateful firewall. (As far as configuration, it could be a nightmare, and made routers work extra hard) So all you need to have the same security as you had with IPv4 is to just have a stateful firewall on whatever router was doing NAT with IPv4. SO WILL PEOPLE QUIT WITH ALL THIS "IPV6 IS EXTRA INSECURE" STUFF?
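The point made in the @fracutube reply above (default-deny inbound, selected inbound access without translation, several hosts on port 80) and in the comment that all NAT ever gave you security-wise was a stateful firewall, as an added example that is not from the thread or the video: a toy default-deny stateful filter for a routed IPv6 /64 that accepts replies to flows LAN hosts opened plus explicit inbound rules for two hosts that both serve port 80, with no address translation. The packet model, rule format and all addresses (2001:db8::/32 documentation prefix) are assumptions constructed for the illustration.

```python
import ipaddress
from collections import namedtuple
# Minimal packet model (assumption for the illustration): addresses as strings, ports as ints.
Packet = namedtuple("Packet", "src sport dst dport proto", defaults=("tcp",))

class StatefulFirewall:
    """Default-deny stateful filter for a routed (non-NAT) IPv6 prefix: inbound is
    accepted only as a reply to a flow a LAN host opened, or via an explicit rule."""
    def __init__(self, lan_prefix, allow_inbound=()):
        self.lan = ipaddress.ip_network(lan_prefix)
        self.allow = {(ipaddress.ip_address(h), p) for h, p in allow_inbound}
        self.state = set()  # keys: (lan addr, lan port, remote addr, remote port, proto)

    @staticmethod
    def _key(lan, lport, remote, rport, proto):
        # Parse both addresses so textual variants of the same IPv6 address compare equal.
        return (ipaddress.ip_address(lan), lport, ipaddress.ip_address(remote), rport, proto)

    def outbound(self, p):
        # Egress anti-spoof: only our own prefix may leave through this router.
        if ipaddress.ip_address(p.src) not in self.lan:
            return "DROP spoofed-egress"
        self.state.add(self._key(p.src, p.sport, p.dst, p.dport, p.proto))
        return "ACCEPT"

    def inbound(self, p):
        # Ingress anti-spoof: a packet arriving from the WAN must not claim a LAN source.
        if ipaddress.ip_address(p.src) in self.lan:
            return "DROP spoofed-ingress"
        if self._key(p.dst, p.dport, p.src, p.sport, p.proto) in self.state:
            return "ACCEPT established"  # reply to a flow a LAN host opened
        if (ipaddress.ip_address(p.dst), p.dport) in self.allow:
            return "ACCEPT rule"  # selected inbound access, no translation needed
        return "DROP"  # default deny: the posture NAT gave IPv4 users

def demo():
    # Constructed addresses in the 2001:db8::/32 documentation prefix;
    # LAN hosts ::a and ::b both serve port 80, which a single NAT address could not expose at once.
    lan = "2001:db8:1111:2222::"
    fw = StatefulFirewall(lan + "/64", allow_inbound=[(lan + "a", 80), (lan + "b", 80)])
    wan = "2001:db8:ffff::9"
    return {
        "out": fw.outbound(Packet(lan + "c", 50000, wan, 443)),
        "reply": fw.inbound(Packet(wan, 443, lan + "c", 50000)),
        "unsolicited": fw.inbound(Packet(wan, 40000, lan + "c", 443)),
        "web_a": fw.inbound(Packet(wan, 40001, lan + "a", 80)),
        "web_b": fw.inbound(Packet(wan, 40002, lan + "b", 80)),
        "spoof": fw.inbound(Packet(lan + "a", 1, lan + "c", 50000)),
    }
```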
@alp627 The Windows firewall provides blocking about 30 seconds after the connection has started. That is long enough for someone to hack in and already own your box. A hardware firewall is much better.
Saying that a /64 is the smallest subnet you can have is false. If you use DHCPv6 instead of Autoconf (which requires /64 subnet), you can use any subnet size you want.
@jullrich Super excellent explanation!!! Loved it. Many thanks for this presentation.
Very detailed! Good!
Well... how do you avoid NAT if you have an ASSHOLE ISP at hand who only hands out /64 IPv6 addresses if you are connected directly to their "blackbox router" that I cannot control?? I want to have DNS and control over the IPv6 addresses within my LAN. Can't have that with an ISP who doesn't give a phuck.
Thanks a lot
IPv6 can go root itself :)
Love it how in the end he completely trashes the "don't be afraid, isolation is now true" with "so remember you are no longer limited to one address, you can have MULTIPLE addresses". OK, so we have a Windows box with some archaic software that absolutely DEMANDS full access to the system (aka admin) and the business can't/will not upgrade... and now we have some malware that commands that nick to connect god knows where... yes yes, antivirus etc. are there to counter it, but think about it for a second.
thanks a lot.