
IPv6 Security Myth #3: No IPv6 NAT Means Less Security

Chris Grundemann

We're back again with part 3 in this 10 part series that seeks to bust 10 of the most common IPv6 security myths. Today's myth is a doozy. This is the only myth on our list that I have seen folks raise their voices over. For whatever reason, Network Address Translation (NAT) seems to be a polarizing force in the networking world. It also plays a role in differentiating IPv4 from IPv6.

In IPv4, NAT (technically NAT overload or NAPT) is required for multiplexing due to the shortage of addresses. In IPv6 we have 340 trillion, trillion, trillion addresses available, and therefore no need for address sharing. This means that the NAT we have in IPv4 is not part of our IPv6 world. Some people keep saying this is a security issue, which brings us to today's myth.

Myth: No IPv6 NAT Means Less Security
Reality: Stateful Firewalls Provide Security (Not NAT)

We can argue the merits of NAT, the end-to-end principle, and security until we're blue in the face — and many have — but the reality is that NAT does not provide any real network security. Worse yet, it actually prevents many security measures and provides an additional attack surface for your network.

Much of this confusion stems from the fact that NAT requires state. By "state" I mean that the NAT device must remember which internal addresses to swap for which external addresses, and vice versa. This in turn means that any device performing NAT overload must act as a stateful firewall.

A stateful firewall uses state to determine which packets to allow into the network. That is, it remembers when you send packets out and to whom so that it can allow packets back in only from those hosts with which you initiated communication. In other words, a stateful firewall stops all incoming traffic unless it is a reply to valid traffic that you sent.

While the NAT may provide a bit of obfuscation, by hiding your internal addresses, it is really this stateful firewall function that protects your network from unwanted intrusion.

What's worse than giving NAT credit for the work of our trusty stateful firewall? NAT making you less secure. That obfuscation trait of NAT we mentioned earlier actually prevents IPsec, DNSSEC, Geolocation, and other applications — many of which are designed to provide security — from working.

NAT also introduces its own set of security flaws. NAT devices stand in front of your network as a single point of failure. All NAT'ed packets must terminate on the NAT device and get a new IP header with their new, translated address. This means that every flow into and out of a NAT'ed network is wholly dependent on the NAT device, and consumes resources on the NAT device. This opens these devices up to many DoS attacks. An attacker can consume available connection state, available addresses or ports, or simply overload the CPU with ALG (Application Layer Gateway) or other requests.
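As an added illustration (not code from the post), here is a toy connection tracker in Python that does what the stateful-firewall paragraphs above describe for an IPv6 edge with no address translation: outbound packets create state, inbound packets are accepted only when they reverse an existing flow, idle entries time out, and the state table is finite, which is the resource the DoS paragraph says NAT devices expose. The prefix 2001:db8:1::/64 and the packets are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample: the protected LAN's documentation prefix (assumption).
INSIDE = ipaddress.ip_network("2001:db8:1::/64")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

FlowKey = Tuple[str, str, int, int, str]

class StatefulFilter:
    def __init__(self, idle_timeout: float = 60.0, max_entries: int = 1000) -> None:
        self.table: Dict[FlowKey, float] = {}   # outbound flow -> last-seen time
        self.idle_timeout = idle_timeout
        self.max_entries = max_entries          # state is finite, as on any NAT box

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.src, p.dst, p.sport, p.dport, p.proto)

    @staticmethod
    def _reverse(p: Packet) -> FlowKey:
        # A reply swaps addresses and ports relative to the tracked outbound flow.
        return (p.dst, p.src, p.dport, p.sport, p.proto)

    def _expire(self, now: float) -> None:
        for k in [k for k, t in self.table.items() if now - t > self.idle_timeout]:
            del self.table[k]

    def handle(self, p: Packet, now: float) -> str:
        """Return 'accept' or 'drop' for packet p seen at time now; addresses are never rewritten."""
        self._expire(now)
        if ipaddress.ip_address(p.src) in INSIDE:
            key = self._key(p)
            if key not in self.table and len(self.table) >= self.max_entries:
                return "drop"   # table full: new outbound flows fail (resource exhaustion)
            self.table[key] = now   # remember the flow so its reply can come back in
            return "accept"
        rk = self._reverse(p)
        if rk in self.table:        # inbound matches a flow we started: allow it
            self.table[rk] = now
            return "accept"
        return "drop"               # unsolicited inbound: blocked, no NAT needed
```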

The bottom line is that NAT is not a security feature and removing NAT from your network will NOT make it less secure. In fact, it may actually increase your overall security.

Can't wait for the next IPv6 Security Myths post? Not to worry, you can check out tons of great IPv6 resources right now!

By Chris Grundemann, Internet Technologist, Author, and Speaker; Principal Architect at Myriad Supply. More blog posts from Chris Grundemann can also be read here.


Comments

It would be interesting to actually test (Andrew McConachie – Jan 31, 2015 1:15 PM PDT)

It would be interesting to actually test the theory that IPv4/NAT is less secure than IPv6/no-NAT. In my mind the question is still open as to whether one is more or less secure than the other. There is something to be said for IPv4/NAT using RFC1918 addresses for internal hosts. It's more than just obfuscation; attacking them requires using some form of address translation. Which means either compromising the NAT box, or creating fake state in the NAT box through abuse of UPnP or a similar mechanism. Either way it requires extra work on the part of the attacker.

I would also never suggest deploying residential IPv6 without some kind of stateful security device between the residence's hosts and the Internet. So IPv6 doesn't do away with a stateful middle device (e.g. firewall), it only obviates the address and port translation problem.

As more ISPs roll out IPv6 maybe we can start to see if your theory holds true. There must be ISPs live now with both IPv4/NAT and IPv6/no-NAT. Can we get a comparison study to see which groups of hosts are facing the most security problems? This data should exist at this point in history. And it might finally put this debate to rest.

Security is about so much more than technical possibilities. We like to focus on the technology because it's where we're most comfortable, and can exact the most control. However, I'd bet most security breaches relevant to this discussion are more likely to be caused by misconfiguration, or lack of user understanding. In which case the tech is less relevant, and the social/psychological issues surrounding adoption become more interesting.

