nanog mailing list archives
RE: IPv6 uptake (was: The Reg does 240/4)
From: "Howard, Lee via NANOG" <nanog () nanog org>
Date: Mon, 19 Feb 2024 14:02:45 +0000
Bottom-posted with old school formatting by hand.

-----Original Message-----
From: NANOG <nanog-bounces+leehoward=hilcostreambank.com () nanog org> On Behalf Of William Herrin
Sent: Friday, February 16, 2024 8:05 PM
To: Michael Thomas <mike () mtcc com>
Cc: nanog () nanog org
Subject: Re: IPv6 uptake (was: The Reg does 240/4)
On the firewall, I program it to do NAT translation from 192.168.55.0/24 to 199.33.225.1 when sending packets outbound, which also has the effect of disallowing inbound packets to 192.168.55.0/24 which are not part of an established connection. Someone tries to telnet to 192.168.55.4. What happens? The packet never even reaches my firewall because that IP address doesn't go anywhere on the Internet.
Most NATs I've seen in the last 10-15 years are "full cone" NATs: they are configured so that once there is an outbound flow, an inbound datagram to that address+port will be forwarded to the inside address, regardless of source. Most devices now have a more or less constant flow of heartbeats or updates to somewhere on the Internet. In practice, NAPT just increases the size of the space to scan: just dump your crafted packets to every address + every port at your target. If that increased scanning target is your security, you're better off with the increased target of IPv6.

IT administrators don't usually know what kind of NAT they have deployed.

FWIW, the other enterprise IT security hole I often see: if your VPN is IPv6-unaware, but your users have IPv6 at home (like most in the U.S.), your VPN is now split-tunnel, regardless of policy. You may think all your packets are going through the VPN to be inspected by the corporate firewall, but any web site with IPv6 (about half) will use the local residential route, not the VPN.

Lee
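The full-cone behaviour Lee describes, as an added example that is not part of the original thread: a toy NAPT in Python whose inbound filtering mode can be switched, showing that after one outbound heartbeat from 192.168.55.4 an unrelated host's packet to the public port is translated inward under endpoint-independent ("full cone") filtering but dropped under address-dependent filtering. The external addresses, ports and the Nat/Packet classes are constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Toy NAPT with selectable inbound filtering (RFC 4787 terms).
    'endpoint-independent' is the classic "full cone": any external host may hit a mapping.
    'address-dependent' admits only external hosts the inside host has already sent to."""

    def __init__(self, public_ip, filtering="endpoint-independent"):
        self.public_ip = public_ip
        self.filtering = filtering
        self.next_port = 40000
        self.mappings = {}   # public port -> (inside ip, inside port)
        self.peers = {}      # public port -> set of external ips contacted from it

    def _port_for(self, inside):
        # Endpoint-independent mapping: reuse the public port for a known inside endpoint.
        for pub, ins in self.mappings.items():
            if ins == inside:
                return pub
        pub, self.next_port = self.next_port, self.next_port + 1
        self.mappings[pub] = inside
        return pub

    def outbound(self, pkt):
        pub_port = self._port_for((pkt.src_ip, pkt.src_port))
        self.peers.setdefault(pub_port, set()).add(pkt.dst_ip)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate an inbound packet to the inside host, or return None if it is filtered."""
        if pkt.dst_ip != self.public_ip or pkt.dst_port not in self.mappings:
            return None   # no mapping at all: the packet has nowhere to go
        if self.filtering == "address-dependent" and pkt.src_ip not in self.peers[pkt.dst_port]:
            return None   # unsolicited source is dropped only in the restricted mode
        in_ip, in_port = self.mappings[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)


def probe_after_heartbeat(filtering):
    """Constructed scenario: a heartbeat opens a mapping, then an unrelated host probes that port."""
    nat = Nat("199.33.225.1", filtering)
    nat.outbound(Packet("192.168.55.4", 5353, "203.0.113.10", 443))  # periodic heartbeat
    return nat.inbound(Packet("198.51.100.7", 1234, "199.33.225.1", 40000))
```

Running probe_after_heartbeat with each mode shows why a mapping opened by background traffic, rather than the private addressing itself, decides whether the inside host is reachable.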