archive

If you have the August 13, 2024—KB5041580 update. You’re good.

You are viewing a single thread.
View all comments View context
45 points

IPv6 genuinely made some really good decisions in its design, but I do question the default “no NAT, no private network prefixes” mentality since that’s not going to work so well for average Janes and Joes

permalink
report
parent
reply
55 points
*

No NAT doesn’t mean no firewall. It just means that you both don’t have to deal with NAT fuckery or the various hacks meant to punch a hole through it.

Behind NAT, hosting multiple instances of some service that uses fixed port numbers requires a load-balancer or proxy that supports virtual hosts. Behind CGNAT, good luck hosting anything.

For “just works” peer to peer services like playing an online co-op game with a friend, users can’t be expected to understand what port forwarding is, let alone how it works. So, we have UPnP for that… except, it doesn’t work behind double NAT, and it’s a gaping security hole because you can expose arbitrary ports of other devices if the router isn’t set up to ignore those requests. Or, if that’s not enough of a bad idea, we have clever abuse of IP packets to trick two routers into thinking they each initiated an outbound connection with the other.

permalink
report
parent
reply
3 points

can you tell me if any device in an IPv6 LAN can just assign itself more IP v6 adresses and thereby bypass any fw rule?

permalink
report
parent
reply
10 points
*

IPv6 has two main types of non-broadcast addresses to think about: link-local (fe80::) and public.

A device can self-assign a link-local address, but it only provides direct access to other devices connected to the same physical network. This would be used for peer discovery, such as asking every device if they are capable of acting as a router.

Once it finds the router, there are two ways it can get an IP address that can reach the wider internet: SLAAC and DHCPv6. SLAAC involves the device picking its own unique address from the block of addresses the router advertises itself as owning, which is likely what you’re concerned about. One option for ensuring a device can’t just pick a different address and pretend to be a new device is by giving it a subset of the router’s full public address space to work with, so no matter what address it picks, it always picks something within a range exclusively assigned to it.

Edit: I butchered the explanation by tying to simplify it. Rewrote it to try again.

permalink
report
parent
reply
5 points

How would that bypass the firewall?

permalink
report
parent
reply
3 points

Not if your firewall router is setup right (strict mac address filtering)

permalink
report
parent
reply
15 points

Routers simply need to block incoming unestablished packets (all modern routers allow for this) to replicate NAT security without NAT translation. Then you just punch holes through on IP addresses and ports you want to run services on and be done with it.

Now, some home routers aren’t doing this by default, but they absolutely should be. That’s just router software designers being bad, not IPv6’s fault, and would get ironed out pretty quick if there was mass adoption and IPv4 became the secondary system.

To be clear, this is not a reason not to be adopting IPv6.

permalink
report
parent
reply
2 points

Routers simply need to block incoming unestablished packets

This is called a firewall

permalink
report
parent
reply
1 point

Yes, and no. A firewall is still a firewall if it is configured to have all ports open. The Linux kernel firewall is still active, even though its default configuration is, everything open.

My point is, for some reason there are some that are not configured to block incoming IPv6 by default. When that should be the standard home/consumer router default setting. Then the user can open ports to ips as they need them.

permalink
report
parent
reply
5 points
*

Why would you think it wouldn’t work for the average Jane and Joe?

permalink
report
parent
reply
6 points

Not the person you were replying too, but I was there when we had modems and raw-dogged the internet.

The average person clicks “Yes” on everything without reading it, has no idea what a firewall is, and they never update anything unless it does it without asking.

Having things accessible from outside your network is great if you’re a network nerd and that’s what you want, but most people are going to be in a world of unprotected shit. Especially in a world of pointlessly online devices. I don’t trust any of those fuckers to have their shit in order.

permalink
report
parent
reply
4 points

I would assume/hope the default setting for a consumer router would still be to drop incoming connections. That should suffice for the average person as long as ISPs don’t make it easy to disable that without actually understanding what the consequences are.

permalink
report
parent
reply
4 points

Honestly the more I think about it the more I realize I’m wrong. I was thinking someone could enable a server on their client device without realizing it but the firewall on the router would still need to be modified in that situation, and anything not requiring firewall modifications would be just as much of a security hole on IPv4

permalink
report
parent
reply
5 points
*

Yeah it’s a common trip up. We’re all so used to the way that things are done in IPv4 that our natural response is to try and apply IPv4 logic to IPv6, but you’re absolutely right.

Many people think NAT is a security feature but but that’s only a coincidence and it doesn’t do anything a firewall doesn’t already do. And if we take it one step further we can actually see that a firewall and IPv6 is actually more secure than NAT. The only inherent risk of port warding in NAT is that the IP you’re forwarding to is ultimately arbitrary. Think, have a port open to SMB for a publicly accessible file sharing container, then later ditching it and via DCHP your laptop picks up that old IP and now voila you’ve technically exposed your laptop. It’s not quite that simple but that’s the essence of it.

But with IPv6, IPs are no longer arbitrary. When you allow access in certain ports to a certain machine and that machine goes away, that rule will always only allow access to nowhere.

permalink
report
parent
reply

Technology

!technology@lemmy.world

Create post

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


Community stats

  • 15K

    Monthly active users

  • 6.7K

    Posts

  • 153K

    Comments