You can essentially achieve this with some routers with a “DMZ” network segment/ device, so all incoming requests to your external IP get forwarded to it automatically. You don’t even need to disable NAT if you set it up well.
A standard DMZ still does NAT. You get a private IP and the router "nat"s you, just that it forwards all incoming traffic to that device by default. I think technically, that gets you disqualified for no nat november. Though, you’d end up exposing the ports of the machine to incoming traffic, that’s correct.
I admittedly did not read the original Mastodon post from nixCraft about the purpose of No NAT November, but surely it’s not just about moving to IPv6? You can (and usually would) still do NATing with IPv6. You don’t want every device to be internet-exposed, but still want them to be able to access the internet (and who wants to configure internet-defensive firewall rules on all their internal home hosts)?
I don’t agree that you usually would still use NAT with IPv6. I’ve never seen NAT in combination with IPv6 and I’ve seen plenty of deployments at our customers. NAT is not the same as a firewall, so just using public IPv6 addresses does not mean that you are exposing every port by default. I think you should read up on IPv6 and firewalling before making statements like this :)
Edit: you don’t even have to set up firewalling on each internal device… the router/firewall blocks inbound traffic by default.
That’s right. People want a firewall. Maybe on the devices and/or on the router. But NAT isn’t that. It’s address translation. Predominantly because there aren’t enough addresses available. It’s a workaround. And it kills things like VOIP, videoconferences, direct communication etc. And then you need a workaround for the workaround to work around that… If you just want to drop incoming traffic and not expose clients, that’s what the firewall is for.
So first off, I think it’s safe to assume that the article is not about going and removing IPv4 on your company’s corporate networks for a month, so I’ve been speaking in regards to home internet service.
NAT is not a firewall, but in normal use by the average home internet user it is a means to prevent computers outside of their network from reaching computers inside the network without ports being forwarded on the router, or the internal machine initiating the connection. If you do not have a firewall on the devices, and they are not behind a NAT gateway/router, then they are by default exposing ports. There’s no inherent guarantee that a router has a firewall configured properly, or has it enabled.
I’ve never seen NAT in combination with IPv6 and I’ve seen plenty of deployments at our customers.
I’m interested in how this works. In a normal IPv4 scenario for home internet users, you are assigned a single IP for your router by your ISP, and internal addressing is usually handled by router-resident DHCP automatically. In the deployments you’re seeing, are ISPs handing out /120 blocks to each router? Does that require the ISP to have access to alter your home router, or do customers configure the DHCP themselves (which seems unlikely to scale)?
There’s no inherent guarantee that a router has a firewall configured properly, or has it enabled.
If it’s not an enterprise router (where you sometimes start with a blank configuration), it most definitely does have a firewall blocking incoming traffic by default.
In the deployments you’re seeing, are ISPs handing out /120 blocks to each router?
/120 is not enough for IPv6 to reasonably work. It kinda requires the smallest block to be /64, otherwise half the cool stuff about IPv6 breaks. So you should get something between /48 and /64 (the recommendation for ISPs is /56 for residential users so they can subdivide their network to 256 other networks, and /48 as default commercial allocation).
Does that require the ISP to have access to alter your home router, or do customers configure the DHCP themselves (which seems unlikely to scale)?
There is DHCPv6, but it’s not really an important part of a network like DHCP for v4 networks. IIRC Android doesn’t even support it. IPv6 uses Router Advertisement (RA) to tell devices what prefix they’re in (and a few things that were originally DHCP options, like the preferred DNS servers), and the devices then pick their own address using the SLAAC mechanism (originally it was derived from the MAC address, but nowadays should be a random number). RA supports “multilayer” networks where each following router further subdivides the prefix it got.
If you want a static address (for example for a server), you can either configure it manually on the device (using tokenized addresses, i.e. “static local part with dynamic prefix”), or use a DHCPv6 server to assign the address (in which case the RA responses from your router need to indicate that there is a DHCPv6 server on the network).
Also, you talked about the fc00::/7 (or its locally managed half, fd00::/8) prefix as a proof that NAT is used with IPv6, but… There’s absolutely nothing stopping you from having both a globally routable address and a local only address at the same time. IPv6 already requires you to have at least two addresses when you connect to any network - a link local address and whatever other address you get assigned (btw IPv4 never prevented you from doing the same thing, it just wasn’t directly encouraged and wasn’t widely used, and DHCP didn’t support handing out multiple addresses unlike RA).
You can even get a security “improvement” over the claimed scenario with NAT with this - if you don’t assign a global address to a node, then not only will it be unreachable from the internet, it will also be unable to connect to the internet itself while being reachable from your network without any issues. “Air gapping” (I know, I know… but people use this term for “no internet” now) for folks afraid of firewalls!
/120? /48 and /64 are common assignments, where /48 is imho preferred as it allows you to easily use SLAAC inside your network. I’ve seen plenty of home setups too and I don’t know how to say this nicely but you should really read up on IPv6 before posting comments like this pretending you have an idea what you’re talking about. Seriously.
You can essentially achieve this with some routers with a “DMZ” network segment/ device, so all incoming requests to your external IP get forwarded to it automatically. You don’t even need to disable NAT if you set it up well.
A standard DMZ still does NAT. You get a private IP and the router "nat"s you, just that it forwards all incoming traffic to that device by default. I think technically, that gets you disqualified for no nat november. Though, you’d end up exposing the ports of the machine to incoming traffic, that’s correct.
I admittedly did not read the original Mastodon post from nixCraft about the purpose of No NAT November, but surely it’s not just about moving to IPv6? You can (and usually would) still do NATing with IPv6. You don’t want every device to be internet-exposed, but still want them to be able to access the internet (and who wants to configure internet-defensive firewall rules on all their internal home hosts)?
There’s a reason that FD00::/7 exists.
I don’t agree that you usually would still use NAT with IPv6. I’ve never seen NAT in combination with IPv6 and I’ve seen plenty of deployments at our customers. NAT is not the same as a firewall, so just using public IPv6 addresses does not mean that you are exposing every port by default. I think you should read up on IPv6 and firewalling before making statements like this :)
Edit: you don’t even have to set up firewalling on each internal device… the router/firewall blocks inbound traffic by default.
That’s right. People want a firewall. Maybe on the devices and/or on the router. But NAT isn’t that. It’s address translation. Predominantly because there aren’t enough addresses available. It’s a workaround. And it kills things like VOIP, videoconferences, direct communication etc. And then you need a workaround for the workaround to work around that… If you just want to drop incoming traffic and not expose clients, that’s what the firewall is for.
So first off, I think it’s safe to assume that the article is not about going and removing IPv4 on your company’s corporate networks for a month, so I’ve been speaking in regards to home internet service.
NAT is not a firewall, but in normal use by the average home internet user it is a means to prevent computers outside of their network from reaching computers inside the network without ports being forwarded on the router, or the internal machine initiating the connection. If you do not have a firewall on the devices, and they are not behind a NAT gateway/router, then they are by default exposing ports. There’s no inherent guarantee that a router has a firewall configured properly, or has it enabled.
I’m interested in how this works. In a normal IPv4 scenario for home internet users, you are assigned a single IP for your router by your ISP, and internal addressing is usually handled by router-resident DHCP automatically. In the deployments you’re seeing, are ISPs handing out /120 blocks to each router? Does that require the ISP to have access to alter your home router, or do customers configure the DHCP themselves (which seems unlikely to scale)?
If it’s not an enterprise router (where you sometimes start with a blank configuration), it most definitely does have a firewall blocking incoming traffic by default.
/120 is not enough for IPv6 to reasonably work. It kinda requires the smallest block to be /64, otherwise half the cool stuff about IPv6 breaks. So you should get something between /48 and /64 (the recommendation for ISPs is /56 for residential users so they can subdivide their network to 256 other networks, and /48 as default commercial allocation).
There is DHCPv6, but it’s not really an important part of a network like DHCP for v4 networks. IIRC Android doesn’t even support it. IPv6 uses Router Advertisement (RA) to tell devices what prefix they’re in (and a few things that were originally DHCP options, like the preferred DNS servers), and the devices then pick their own address using the SLAAC mechanism (originally it was derived from the MAC address, but nowadays should be a random number). RA supports “multilayer” networks where each following router further subdivides the prefix it got.
If you want a static address (for example for a server), you can either configure it manually on the device (using tokenized addresses, i.e. “static local part with dynamic prefix”), or use a DHCPv6 server to assign the address (in which case the RA responses from your router need to indicate that there is a DHCPv6 server on the network).
Also, you talked about the fc00::/7 (or its locally managed half, fd00::/8) prefix as a proof that NAT is used with IPv6, but… There’s absolutely nothing stopping you from having both a globally routable address and a local only address at the same time. IPv6 already requires you to have at least two addresses when you connect to any network - a link local address and whatever other address you get assigned (btw IPv4 never prevented you from doing the same thing, it just wasn’t directly encouraged and wasn’t widely used, and DHCP didn’t support handing out multiple addresses unlike RA).
You can even get a security “improvement” over the claimed scenario with NAT with this - if you don’t assign a global address to a node, then not only will it be unreachable from the internet, it will also be unable to connect to the internet itself while being reachable from your network without any issues. “Air gapping” (I know, I know… but people use this term for “no internet” now) for folks afraid of firewalls!
Thank you, this is super informative!
/120? /48 and /64 are common assignments, where /48 is imho preferred as it allows you to easily use SLAAC inside your network. I’ve seen plenty of home setups too and I don’t know how to say this nicely but you should really read up on IPv6 before posting comments like this pretending you have an idea what you’re talking about. Seriously.