Bottom-posted with old school formatting by hand.

-----Original Message-----
From: NANOG <nanog-bounces+leehoward=hilcostreambank.com@nanog.org> On Behalf Of William Herrin
Sent: Friday, February 16, 2024 8:05 PM
To: Michael Thomas <mike@mtcc.com>
Cc: nanog@nanog.org
Subject: Re: IPv6 uptake (was: The Reg does 240/4)
On the firewall, I program it to do NAT translation from 192.168.55.0/24 to 199.33.225.1 when sending packets outbound, which also has the effect of disallowing inbound packets to 192.168.55.0/24 which are not part of an established connection.
Someone tries to telnet to 192.168.55.4. What happens? The packet never even reaches my firewall because that IP address doesn't go anywhere on the Internet.
Most NATs I've seen in the last 10-15 years are "full cone" NATs: they are configured so that once there is an outbound flow, an inbound datagram to that address+port will be forwarded to the inside address, regardless of source. Most devices now have a more or less constant flow of heartbeats or updates to somewhere on the Internet. In practice, NAPT just increases the size of the space to scan: just dump your crafted packets to every address + every port at your target. If that increased scanning target is your security, you're better off with the increased target of IPv6.

IT administrators don't usually know what kind of NAT they have deployed.

FWIW, the other enterprise IT security hole I often see: if your VPN is IPv6-unaware, but your users have IPv6 at home (like most in the U.S.), your VPN is now split-tunnel, regardless of policy. You may think all your packets are going through the VPN to be inspected by the corporate firewall, but any web site with IPv6 (about half) will use the local residential route, not the VPN.

Lee
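The full-cone behaviour Lee describes, modelled as an added example (this is not code from the thread or from any product mentioned in it). It uses the RFC 3489 names for the four classic NAT behaviours and a constructed scenario: an inside host behind 199.33.225.1 keeps a heartbeat to an outside server, and a third party with no prior contact sprays the NAT's external address and a range of ports. The inside addresses, ports, peer and attacker addresses are all assumed for illustration.

```python
"""Model of the four classic NAT behaviours (RFC 3489 terminology) to show why a
full-cone NAT forwards unsolicited inbound datagrams once any outbound flow exists.
Added example; every address and port below is constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from itertools import count


class NatType(Enum):
    FULL_CONE = "full cone"
    ADDRESS_RESTRICTED = "address-restricted cone"
    PORT_RESTRICTED = "port-restricted cone"
    SYMMETRIC = "symmetric"


@dataclass
class Mapping:
    inside: tuple                      # (inside_ip, inside_port)
    external_port: int
    peers: set = field(default_factory=set)  # (dst_ip, dst_port) the inside host sent to


class Nat:
    def __init__(self, nat_type, external_ip="199.33.225.1", first_port=40000):
        self.nat_type = nat_type
        self.external_ip = external_ip
        self._ports = count(first_port)   # external ports handed out in order
        self._by_key = {}                 # mapping key -> Mapping
        self._by_ext = {}                 # external_port -> Mapping

    def _key(self, inside, dst):
        # A symmetric NAT allocates a separate external port per destination;
        # the cone variants reuse one external port per inside address:port.
        return (inside, dst) if self.nat_type is NatType.SYMMETRIC else inside

    def outbound(self, inside, dst):
        """Inside host `inside` sends to `dst`; returns the external (ip, port) used."""
        key = self._key(inside, dst)
        m = self._by_key.get(key)
        if m is None:
            m = Mapping(inside, next(self._ports))
            self._by_key[key] = m
            self._by_ext[m.external_port] = m
        m.peers.add(dst)
        return (self.external_ip, m.external_port)

    def inbound(self, src, external_port):
        """Datagram from `src` arrives at external_ip:external_port.
        Returns the inside (ip, port) it is forwarded to, or None if dropped."""
        m = self._by_ext.get(external_port)
        if m is None:
            return None                        # no mapping at all: every type drops it
        if self.nat_type is NatType.FULL_CONE:
            return m.inside                    # any source is forwarded
        if self.nat_type is NatType.ADDRESS_RESTRICTED:
            return m.inside if any(p[0] == src[0] for p in m.peers) else None
        # port-restricted and symmetric: exact (ip, port) the inside host sent to
        return m.inside if src in m.peers else None


def scan_result(nat_type):
    """Constructed scenario: 192.168.55.4 keeps a heartbeat to 203.0.113.10:443;
    then 198.51.100.7, which the inside host never talked to, sprays the NAT's
    external address across a port range. Returns the inside (ip, port) reached,
    or None if every probe is dropped."""
    nat = Nat(nat_type)
    inside = ("192.168.55.4", 51515)
    nat.outbound(inside, ("203.0.113.10", 443))
    attacker = ("198.51.100.7", 12345)
    for port in range(40000, 40010):           # attacker does not know the port
        target = nat.inbound(attacker, port)
        if target is not None:
            return target
    return None


def legitimate_reply(nat_type):
    """The peer the inside host actually talked to can answer under every type."""
    nat = Nat(nat_type)
    inside, peer = ("192.168.55.4", 51515), ("203.0.113.10", 443)
    _ext_ip, ext_port = nat.outbound(inside, peer)
    return nat.inbound(peer, ext_port)


if __name__ == "__main__":
    for t in NatType:
        print(f"{t.value:24s} scan reaches: {scan_result(t)}  reply ok: {legitimate_reply(t)}")
```

Only the full-cone case lets the unsolicited probe through; the address-restricted, port-restricted and symmetric variants drop it while still passing the real peer's reply. That is the distinction between "my NAT is stateful" and "my NAT blocks unsolicited inbound", and, as the post notes, most administrators cannot say which one they have without testing it.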