nanog mailing list archives
Re: IPv6 uptake (was: The Reg does 240/4)
From: William Herrin <bill () herrin us>
Date: Mon, 19 Feb 2024 07:46:35 -0800
On Mon, Feb 19, 2024 at 6:02 AM Howard, Lee <LeeHoward () hilcostreambank com> wrote:
Most NATs I've seen in the last 10-15 years are "full cone" NATs: they are configured so that once there is an outbound flow, an inbound datagram to that address+port will be forwarded to the inside address, regardless of source.
Hi Lee,

Yes, they do that to help with NAT traversal. This allows two hosts behind separate NATs to establish direct communication with the help of an external server in the establishment phase. The flip side is that your internal hosts are limited to 65k established connections between them or the firewall exhausts its available ports. Without full cone, the number of translations that NAT can do is bounded only by its available RAM.
NAPT just increases the size of the space to scan: just dump your crafted packets to every address + every port at your target.
Not quite. Full cone slightly reduces NAT's positive security impact. But only slightly. An external source can poke at an internal host on the specific port where the internal host has established an outbound connection, but it can't poke the internal host on any other ports where services might actually be running and waiting for connections.
FWIW, the other enterprise IT security hole I often see: if your VPN is IPv6-unaware, but your users have IPv6 at home (like most in the U.S.), your VPN is now split-tunnel, regardless of policy. You may think all your packets are going through the VPN to be inspected by the corporate firewall, but any web site with IPv6 (about half) will use the local residential route, not the VPN.
Yep. Folks who built their security for remote users around the idea of preventing split-tunnels have done the job so very wrong. Another fun thing you can do in Linux is run the VPN software inside a network namespace. The VPN happily takes over the namespace and any software you run inside the namespace, but the rest of the host remains on the public Internet. You can also run the VPN in a VM that shares mounts and clipboard with the host.

Regards,
Bill Herrin
-- William Herrin bill () herrin us https://bill.herrin.us/
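The two NAT behaviours Bill contrasts above (full cone forwarding any inbound source to a mapped port but nothing to unmapped ports, and the port-exhaustion bound that endpoint-dependent mapping avoids), modelled as an added example that is not code from the thread; the Napt class, its tiny port pool and every address are constructed for the demo.

```python
# Added illustration, not code from the thread: a toy NAPT translation table in "full
# cone" versus endpoint-dependent ("symmetric") mode. Addresses and pools are constructed.
from dataclasses import dataclass, field

@dataclass
class Napt:
    mode: str                                 # "full_cone" or "symmetric"
    pool: range = range(1024, 65536)          # external ports available
    fwd: dict = field(default_factory=dict)   # mapping key -> external port
    rev: dict = field(default_factory=dict)   # (ext port, remote|None) -> internal

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outbound datagram; returns the external port or None if exhausted."""
        internal, remote = (src_ip, src_port), (dst_ip, dst_port)
        # Full cone keys the mapping on the internal endpoint alone; symmetric on the
        # (internal, remote) pair, so each remote gets its own mapping.
        key = internal if self.mode == "full_cone" else (internal, remote)
        if key in self.fwd:
            return self.fwd[key]
        for port in self.pool:  # linear scan; a real NAT keeps a free list
            # Full cone: any source may hit the port, so it must be unique NAT-wide.
            # Symmetric: only (port, remote) must be unique, so ports are reusable.
            rev_key = (port, None) if self.mode == "full_cone" else (port, remote)
            if rev_key not in self.rev:
                self.fwd[key], self.rev[rev_key] = port, internal
                return port
        return None  # all usable external ports taken: the 65k bound Bill describes

    def inbound(self, src_ip, src_port, dst_port):
        """Datagram arriving at the public address; returns the inside endpoint or None."""
        if self.mode == "full_cone":
            return self.rev.get((dst_port, None))
        return self.rev.get((dst_port, (src_ip, src_port)))

def reachability():
    """Who can reach an inside host after it opens a single outbound flow."""
    out = {}
    for mode in ("full_cone", "symmetric"):
        nat = Napt(mode)
        p = nat.outbound("10.0.0.5", 40000, "203.0.113.9", 443)
        out[mode] = {"peer": nat.inbound("203.0.113.9", 443, p),            # host it talked to
                     "unrelated": nat.inbound("192.0.2.77", 1234, p),       # any other source
                     "other_port": nat.inbound("192.0.2.77", 1234, p + 1)}  # unmapped port
    return out

def mappings_before_exhaustion(mode, pool_size=8, flows=12):
    """Inside endpoints (each to a different remote) that fit; a tiny pool stands in for 64k."""
    nat = Napt(mode, pool=range(1024, 1024 + pool_size))
    return sum(nat.outbound("10.0.0.5", 40000 + i, f"203.0.113.{i + 1}", 443) is not None
               for i in range(flows))
```

With the default pool sizes the symmetric table keeps growing with distinct remotes while the full-cone table stops at the pool size, which is the RAM-versus-65k contrast in the post.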