nanog mailing list archives

Re: understanding IPv6


From: William Herrin <bill () herrin us>
Date: Sun, 7 Jun 2020 20:49:24 -0700

On Sun, Jun 7, 2020 at 3:01 AM Denys Fedoryshchenko
<nuclearcat () nuclearcat com> wrote:
> There are very interesting and unobvious moments on IPv4 vs IPv6, for
> example related to battery lifetime in embedded electronics. In IPv4,
> many devices are forced to send "keepalives" so that the NAT entry does
> not disappear, with IPv6 it is not required and bidirectional
> communication is possible at any time.

Hi Denys,

Not exactly. Keepalive requirements are a property of whether or not
you employ stateful firewalls. IPv4's address-overloaded NAT
inherently requires a stateful firewall while that's optional when
you're not using NAT. However, there are great reasons from a security
posture perspective to employ a stateful firewall regardless.

Having an external host be unable to send packets to an internal host
where the internal host didn't initiate the communication is a
relatively solid foundation on which to build a network security
process. It's not always the best answer but if you build your
software with the assumption it won't be there, you're making a
mistake.

Also bear in mind that address-overloaded NAT has a security benefit
over stateful firewalls: it "fails closed" in the sense that mistakes
configuring the firewall tend to leave it incorrectly unable to
deliver a packet rather than incorrectly able to deliver a packet.
Since network products do implement this form of IPv6 NAT (e.g. the
Linux masquerade target exists for ip6tables too) you can expect some
organizations to use it. This is especially true early in their
adoption of IPv6 when they don't understand it as well as IPv4. Many
will want to keep their security posture as closely aligned with IPv4
as possible.

Regards,
Bill Herrin



--
William Herrin
bill () herrin us
https://bill.herrin.us/
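An added example, not part of the thread or of any product's code: a small model of the connection-tracking table behind a stateful firewall or NAT, showing why an inside host must send keepalives more often than the idle timeout to stay reachable, and why an outside host cannot initiate at all. The 30 s timeout and the addresses are assumed values for illustration.

```python
"""Constructed model of a stateful filter's flow table (not real conntrack).
An outbound packet creates an entry, traffic in either direction refreshes
it, and it is dropped after IDLE_TIMEOUT seconds of silence. Inbound packets
are accepted only while a matching entry is live."""

IDLE_TIMEOUT = 30.0  # seconds; assumed value, real UDP timeouts vary by product
INSIDE, OUTSIDE = "fd00::10", "2001:db8::1"  # assumed sample addresses


class StatefulFilter:
    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.table = {}  # (inside, outside) -> timestamp of last packet seen

    def _expire(self, now):
        stale = [k for k, last in self.table.items()
                 if now - last > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def outbound(self, inside, outside, now):
        """Inside host sends a packet: create or refresh the flow entry."""
        self._expire(now)
        self.table[(inside, outside)] = now
        return True  # outbound traffic is always permitted in this model

    def inbound(self, outside, inside, now):
        """Outside host sends a packet: accepted only if a live entry matches."""
        self._expire(now)
        key = (inside, outside)
        if key not in self.table:
            return False  # no state: the outside host cannot initiate
        self.table[key] = now  # reply traffic refreshes the entry as well
        return True


def simulate(events, idle_timeout=IDLE_TIMEOUT):
    """Replay (time, direction) events in the given order and return one
    accept/drop verdict per event. direction is 'out' (inside -> outside)
    or 'in' (outside -> inside)."""
    fw = StatefulFilter(idle_timeout)
    verdicts = []
    for t, direction in events:
        if direction == "out":
            verdicts.append(fw.outbound(INSIDE, OUTSIDE, t))
        else:
            verdicts.append(fw.inbound(OUTSIDE, INSIDE, t))
    return verdicts
```

With a 30 s timeout, keepalives every 25 s keep the inside host reachable, while a 45 s interval leaves a window in which inbound packets are dropped.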