This doesn't change with the vast majority of residential IPv6 deployments. Many people conflate having a public IP address with not having a firewall. This is not the case at all. Yes, internal clients will get public, routable IPv6 addresses. They are still behind a firewall, though, and you have just as much control over ingress and egress traffic as you did before.
The problem is that all NAT related issues are not because of NAT itself, but because of the required stateful firewalling for NAT.
To be able to NAT and un-NAT, you first need to classify traffic (that NEW, ESTABLISHED, RELATED,... stuff in Linux netfilter), changing the destination or source ip addresses is only the second part of that process.
Protocols don't break only because of NAT, but mostly because of stateful firewalling, you'll face the same problems with IPv6 if you enable it.
The difference is in the isolation factor: there is absolutely NO way a packet with an internal IP can get anywhere on the public Internet, and likewise a packet with a public IP will never be accepted by a device that has been configured with an internal one. The failure modes are different - although firewalls can be configured to provide an "outgoing connections only" default like NAT, they are also software and thus not immune to bugs; a buggy firewall letting packets through which shouldn't be is far worse than a buggy NAT.
there is absolutely NO way a packet with an internal IP can get anywhere on the public Internet
That very much depends on your definition of "public internet."
My service provider doesn't properly filter RFC1918 space at their border. From my home on the west coast, I can hit 10.0.0.0/8 devices on the east coast in a separate AS.
Is a reachable printer web interface 3000 miles away in New York on the public internet? The "Internet" is a very tough entity to define succinctly, but I'd argue yes.
Why would you need to filter an internal IP as a destination IP, routing should handle that.
I understand filtering the source address as internal IP because that could be malicious spoofing of internal host (and destination can't legitimately reply.)
I used to feel this way but I've come to the opposite conclusion. Most homes have a rarely updated, always on computer connected to the public internet with increasing numbers of known vulnerabilities.
Agreed; despite what many seem to think I don't believe that every device on a network should have a public IP by default. Even if the whole Internet becomes IPv6-only I'll probably still keep my home network behind a NAT router on a private subnet.
As the recent series of articles on "smart" appliance security shows, many are exploitable through services listening on ports which the user normally isn't aware of. I would certainly not want a bigger number of those exposed to the public Internet than there already are.
This might be a totally off-topic tangent. I apologize if it is.
It seems to me that if consumer routers are configured to refuse to forward inbound IPv6 packets to machines on the LAN, we would be in almost exactly the same situation vis a vis home service hosting as we are with IPv4 addresses, NATs, and automated port forwarding protocols. Frankly, this would be a giant step backwards from IPv6 as she is envisioned.
From what I understand, the "average" home user has little to no idea of what a port is or why one might want to forward it. They are also very likely to be incapable of classifying machines that need not be globally reachable. So, either we have to write smart software that can determine whether or not a network device requires protection from inbound traffic, or we have to make a forwarding policy decision for this user when we send them their router.
If we're serious about IPv6, we shouldn't configure our gateway devices to require the software that we write to assume that a globally-reachable address is likely to actually not be globally-reachable.
It would be slightly less evil without NAT. You'd still need the three-party handshake but it would always work. You'd no longer have the symmetric NAT craziness.
You could also dispense with the need for frequent keepalives, a boon to mobile battery life.
Getting rid of NAT is step one. Step two is deperimeterization: getting rid of in-line firewalls. Step two is going to have to wait on OSes having better service encapsulation and app isolation models and for programmers to remove their heads from their behinds and stop writing code that is vulnerable to stack-smashing and buffer overflow attacks.
The last part will be tough. How much longer will the Sun be a main-sequence star? :)
A sends packet to B, which gets dropped by B's stateful firewall.
B sends packet to A, which gets interpreted as response and accepted.
A sends packet to B, which gets interpreted as response and accepted.
The third party is only necessary for telling B about the outgoing port chosen by A's NAT. With IPv6 where there's a stateful firewall but no NAT, a direct connection on a well-known port is possible.
Although in practice, you still need some third party to exchange each other's IP addresses.
> It seems to me that if consumer routers are configured to refuse to forward inbound IPv6 packets to machines on the LAN, we would be in almost exactly the same situation vis a vis home service hosting as we are with IPv4 addresses, NATs, and automated port forwarding protocols. Frankly, this would be a giant step backwards from IPv6 as she is envisioned.
I don't think it is such a giant step back. Devices still get to have addresses in a way that makes sense. Routing still gets to make sense. If two people in the same house want to play a peer-to-peer multiplayer game with a third person not in the same house, under IPv6+automated-firewall-exceptioning they can, whereas under IPv4+automated-port-forwarding they can't.
It's kind of dumb that we need automated port forwarding at all - opening a port should already be a deliberate indication from an application that it wants to accept external connections. If you want to listen only for connections from the same machine, bind to 127.0.0.1 - an equivalent for which will still exist under IPv6. If you want to listen only for connections from the same LAN, think again about what you really want - when the user goes to college, do they really want to be accepting connections from 400 students with poor security practices? If you can stand that, you have nothing to fear from the open internet.
But in the meantime we have the software we have rather than the software we want to have; for home routers, blocking traffic and requiring uPnP or the like is a reasonable default. Even if we do that, IPv6 is still worth it.
I think you're ignoring (or are maybe just innocently ignorant of) one key topic: state.
Stateful firewalls are exactly that - when an internal client initiates a TCP socket, for instance, the firewall knows to expect a series of replies back from whatever system the client contacted and is able to allow that traffic through.
In netfilter (iptables) land, this is handled by the "RELATED" qualifier, so you instruct the firewall to allow any related packets back through to the client.
IPv6 doesn't mean everything has to be globally reachable (except for certain ICMP messages that should always work). By default, I think blocking general inbound traffic is the right way.
When you want to run a service (i.e. something peer to peer or a web server or something), there are protocols for applications to tell the firewall to open certain ports, such as PCP - http://en.wikipedia.org/wiki/Port_Control_Protocol
It is, but mostly because popular operating systems have historically had poor application isolation and vulnerable services.
My personal opinion is that having to have a firewall everywhere in front of everything is a hack that was put into place because of awful OS security, and will become less important as OS security improves.
And/or you just substitute a NAT that happens to also function like a firewall with a proper firewall. The router could do the same sort of filtering as NAT would entail, but not require a hacky NAT table.
Or rephrased its not possible to implement "working" NAT without a stateful firewall, but the lack of NAT doesn't imply its impossible to deploy a stateful firewall.
(It would be interesting to research where this "can't have a stateful FW without NAT" meme came from. It is VERY popular among everyone but network guys)
