On Sun, Jun 7, 2020 at 3:01 AM Denys Fedoryshchenko <nuclearcat@nuclearcat.com> wrote:
There are very interesting and unobvious moments on IPv4 vs IPv6, for example related to battery lifetime in embedded electronics. In IPv4, many devices are forced to send "keepalives" so that the NAT entry does not disappear; with IPv6 it is not required and bidirectional communication is possible at any time.
Hi Denys,

Not exactly. Keepalive requirements are a property of whether or not you employ stateful firewalls. IPv4's address-overloaded NAT inherently requires a stateful firewall, while that's optional when you're not using NAT. However, there are great reasons from a security posture perspective to employ a stateful firewall regardless. Having an external host be unable to send packets to an internal host where the internal host didn't initiate the communication is a relatively solid foundation on which to build a network security process. It's not always the best answer, but if you build your software with the assumption it won't be there, you're making a mistake.

Also bear in mind that address-overloaded NAT has a security benefit over stateful firewalls: it "fails closed" in the sense that mistakes configuring the firewall tend to leave it incorrectly unable to deliver a packet rather than incorrectly able to deliver a packet.

Since network products do implement this form of IPv6 NAT (e.g. the Linux masquerade target exists for ip6tables too), you can expect some organizations to use it. This is especially true early in their adoption of IPv6, when they don't understand it as well as IPv4. Many will want to keep their security posture as closely aligned with IPv4 as possible.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
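The posture described in the reply, as an added nftables ruleset that is not part of the thread: a stateful default-deny forward chain for IPv6 that admits only flows the inside initiated, plus an optional masquerade table for a site that wants the IPv4-like "fails closed" arrangement. The interface names wan0 and lan0 are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. wan0/lan0 are placeholder interface names.
flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful core: only traffic belonging to a tracked connection is forwarded.
        # The conntrack entry this relies on is what an idle client must keep alive,
        # whether or not NAT is in use; NAT is not what creates the requirement.
        ct state established,related accept

        # New connections may be opened only from the LAN toward the WAN.
        iifname "lan0" oifname "wan0" ct state new accept

        # ICMPv6 errors for tracked flows already match "related"; this also admits
        # Packet Too Big when state was lost, so path MTU discovery keeps working.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Anything else arriving unsolicited from the WAN falls to the drop policy.
    }
}

# Optional: IPv6 masquerade (the ip6tables MASQUERADE equivalent mentioned above).
# Remove this table to keep the same stateful filtering with end-to-end global addresses.
table ip6 nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "wan0" masquerade
    }
}
```

Load with `nft -f <file>`; with the nat table removed, inbound connections are still dropped by the forward policy, which is the point of the reply.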