Quote:
Only one final ration of 1,024 addresses remains per company.
I learnt the basics of IPv6 4 years ago to make our product IPv6 ready (and build a simple network for testing). We've only ever sold one copy with IPv6 enabled. IPv6 is really cool but it's going to take something like this to make everyone finally make the effort to switch.
I disagree, NAT still has an important place as a security feature, and I'd still be using it even if I was assigned a block of IPv6 addresses. Besides that, IPv4 is much easier to memorise/type for private addresses. It would be useful for any servers you might be running though.
Quote:
With IPv6, however, the notion of NAT will eventually disappear
IPv6 might eliminate the woes associated with NAT but it introduces a whole lot more new woes. By its nature NAT focuses traffic on a point in your network where you can "do security" and disrupts traffic flow in/out of a network; nobody outside can reach a machine inside unless the router/firewall is configured to make it so, meanwhile all machines inside are usually allowed to create any connection out...
If all machines have a globally routable address we're going to have to get rid of any default allow firewall rules and move to default drop/reject and then only allow traffic intended to transcend the LAN/WAN barrier. Network admins are going to have to learn PROPER firewall config and know each protocol and whether it should be allowed...
I don't know how true it is that IPv6 will really reduce computational intensity; we'll still need to inspect packet headers and apply firewall rules, devices will still be needed to perform load balancing for big websites etc even if each backend server had its own global IPv6 address etc etc.
NAT is not and should never, ever be considered a "security feature" by any means. What you want is a firewall, which will give you the same kind of protection (i.e. blocks unwanted incoming connections) but doesn't limit your network in any way and works both ways (blocks unwanted outgoing connections as well). Plus it'll log intrusions better and a good firewall will prevent things like DoS attacks much better than NAT ever will.
As for memorising addresses, IPv6 can be quite easy to memorise depending on which kind it is. For example, the equivalent to 127.0.0.1 (or "localhost") in IPv6 is 0:0:0:0:0:0:0:1, however it can be reduced to just ::1.
Unique Local addresses (the equivalent to 192.168.x.x) are not too difficult to memorise, either:
http://en.wikipedia.org/wiki/Unique_local_address
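The shorthand described above, worked through as an added example that is not part of any post: a hand-written RFC 5952 compressor (longest run of zero groups collapsed to "::") plus a scope check for the address kinds the thread compares (loopback, unique-local, link-local, global). The sample addresses in the comments use documentation prefixes and are constructed.

```python
def expand(addr: str) -> list[int]:
    """Expand any textual IPv6 address to its 8 16-bit groups."""
    if "::" in addr:
        head, tail = addr.split("::", 1)
        left = [int(g, 16) for g in head.split(":") if g]
        right = [int(g, 16) for g in tail.split(":") if g]
        missing = 8 - len(left) - len(right)
        if missing < 0:
            raise ValueError("too many groups: " + addr)
        groups = left + [0] * missing + right
    else:
        groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError("not a valid IPv6 address: " + addr)
    return groups

def compress(addr: str) -> str:
    """Shortest text form (RFC 5952): lowercase hex, no leading zeros, longest zero run -> '::'."""
    groups = expand(addr)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:          # first run wins a tie, as the RFC requires
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:                      # a single zero group is never shortened
        return ":".join(f"{g:x}" for g in groups)
    left = ":".join(f"{g:x}" for g in groups[:best_start])
    right = ":".join(f"{g:x}" for g in groups[best_start + best_len:])
    return left + "::" + right

def scope(addr: str) -> str:
    """Name the address kinds the thread contrasts (added example, not from the thread)."""
    g = expand(addr)
    if g == [0] * 7 + [1]:
        return "loopback"        # ::1, the counterpart of 127.0.0.1
    if g[0] & 0xFE00 == 0xFC00:
        return "unique-local"    # fc00::/7 (RFC 4193), the counterpart of 192.168.x.x
    if g[0] & 0xFFC0 == 0xFE80:
        return "link-local"      # fe80::/10, never forwarded off the link
    return "global"              # routable from anywhere: where a firewall has to do NAT's old job
```

For example, compress("fd12:3456:789a:0001:0000:0000:0000:0001") gives "fd12:3456:789a:1::1", a unique-local address.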
It simply is; no-one from outside the LAN can attempt to access services running on the local network. It may have been accidental, but it still works. Having everything on your LAN use a routable address means you're relying on software firewalls on the systems to do a good job, and any services to be free of exploits, neither of which you can rely on; it might become commonplace to just connect everything to a switch, negating the need for a router entirely. Sure, a fairly simple firewall can replace the security, but I can see them being a niche product, and rarely configured correctly...
No firewall will prevent a DoS attack, it's the nature of the beast. All these cheap firewalls advertising 'DoS prevention' are talking mostly rubbish, they may be able to prevent the CPU from getting overloaded but nothing stops a determined attacker simply flooding the connection.
No, there are ways around NAT for those that want to penetrate your system - as I and others have said, it is NOT a security mechanism. A firewall is much more robust and will not let in anywhere near the level of unwanted traffic that NAT will. You also don't have to rely on software firewalls - why do you think you can't use a hardware firewall built into your router? Unless you count that as "Software" as well, in which case what the hell is NAT if not software?
As I pointed out, NAT at best only prevents one kind of unwanted traffic, a firewall prevents a lot more. And yes, they do protect better against things like DoS attacks - like it or not, even behind a NAT some of your machines are going to end up with public facing ports, if someone floods them then your machine might drop out (depending on the traffic and such), however a reasonable firewall can block that before it ever gets that far while still letting legitimate traffic through.
Yes, there are many poor firewalls out there - I don't think anyone's going to debate that, but at best NAT is just another "poor firewall", but it's poor because it's being used in a way that it was never intended.
Also small note - DoS attacks and DDoS attacks are not necessarily the same thing. It's possible to cause a Denial of Service attack with just a few bytes of data, assuming some vulnerability is used. Whereas a DDoS attack is the "flood with tonnes of data" thing that you're probably thinking of.
I didn't say you can't use a hardware firewall on a router, just it's largely redundant with correctly configured NAT and I fear routers/firewalls may be done away with altogether in the future.
Correctly configured NAT will randomise outgoing ports and remove the assignment when the connection closes. A simple allow-established firewall (all you can expect for plug-n-play home devices) offers nothing more.
Firewall/NAT don't protect against DoS; what are you going to try to attack, the GigE-connected Core i7 machine on the LAN or the 10Mbps-connected MIPS core router (not that you could actually attack the LAN PC faster than the WAN connection allows, of course)? If you want to take the machine offline, the easiest + foolproof way of doing it to a home user is to just flood the broadband connection. Nothing on the user end can protect against that, period. I'm, of course, assuming there's no vulnerability facing the WAN to allow a more complex DoS attack, but they could potentially affect anything, firewall or NAT.
I admit I did word my initial response badly, NAT offers nothing over a half decent firewall, but it has an important place as it's commonly used and no real configuration is necessary to get a base level of protection, and I'd probably still be using it as I find the v4 addresses easier to memorise, but that could obviously change with more experience.
Edit: Oh and I was using 'hardware firewall' to distinguish from software installed on PCs, which is fairly useless if malware gains admin access; firewalling should be done on its own device, ideally separate from things like content filtering, but for home use at least it's not that much of an issue.
I've actually been DDoS'd myself (along with a friend) for continually owning some loud-mouthed guy on XBL. Turned out there are paid services online where you can get them to use their botnet to knock players off XBL long enough for you to get some reputation back. Unfortunately for him, I was hosting so the game ended, and one of my XBL friends is a moderator so he found himself banned. Anyway, off on a tangent there, IIRC it was just a ping flood. One advantage of being on VM at least, just change your router's WAN MAC address, reboot the modem and the DHCP server will give you a new IP.
The only real difference as far as I can tell is firewall. With NAT and no firewall your end machines still have an extra level of protection.
You will still have all your traffic going through your router (a single IP address) and you can apply security at that point still.
For gamers, IP6 could be the end of dodgy connection issues in lobbies and other p2p gaming services.
The point is, NAT isn't a security mechanism and if you treat it as such, you'll end up getting burned. A decent firewall will give you better protection than what NAT offers and I think you'd be surprised at what routers are capable of these days. You're right, the prevalence of NAT has meant that a lot of people haven't bothered to worry about firewalls in a long time (probably going back to the dial-up days for many) as they were "good enough", but the reality is that "good enough" doesn't cut it beyond basic protection. No matter how well a NAT is configured, it won't offer the same protection as a semi-decently configured firewall and, as has been pointed out, it's only one-way protection and all outgoing connections aren't blocked in any way.
I see what you mean about software firewalls now, but going by the same logic if that machine is compromised, then your NAT isn't going to prevent any kind of outgoing connection and worse still, the NAT won't offer any kind of internal protection either so theoretically that compromised machine could infect others on the network - NAT doesn't even come into it at that point, whereas a firewall would still govern what can and cannot communicate with each other and if configured correctly, will probably block that machine from spamming and generally getting up to no good.
Don't worry about routers going the way of the dinosaur, Wifi will ensure that routers still have a place within the home (And from my own experience, most people own routers FOR wifi rather than anything else - including NAT) for many years to come. Plus, the idea behind IPv6 is that ISPs are meant to give each customer a small block of addresses rather than just 1. It remains to be seen if this is ever the case, but if it does happen then a router of some kind will still make sense.
You're right about the Virgin MAC address thing there, but be careful as Virgin has a limit to the number of MAC addresses that will be assigned to a MODEM (If I recall correctly, it used to be 4, it might be more or less now). In other words, if you do that too often in a given period of time, you won't be able to get a new IP address until the list is flushed or you go back to an older MAC (which will give you the address assigned to it).
There IS a way to flush this from your end, basically disconnect the Coax and let the modem go into "offline" mode (where it'll hand out a 192.x.x.x address instead of a public facing one), then plug the coax back in WITHOUT switching the modem off. Handy trick to know. Of course, most of that is a bit redundant on the newer hubs I think.
Disclosure: I used to work for them.
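The NAT-versus-firewall distinction argued in the post above (and the default-drop point made earlier in the thread), as a toy model added here and not taken from any post: a NAT box and a stateful firewall are given the same constructed packets, both pass replies to connections the LAN started and drop unsolicited inbound traffic, and only the firewall's egress policy stops the compromised-host case. The addresses (documentation ranges), ports and the egress_ports policy are assumptions; address translation itself is left out because only the accept/drop decision matters here.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool      # True when the packet arrives from the WAN side

def flow_key(p: Packet):
    """Normalise both directions of a flow to (lan_addr, lan_port, wan_addr, wan_port)."""
    return (p.dst, p.dport, p.src, p.sport) if p.inbound else (p.src, p.sport, p.dst, p.dport)

@dataclass
class Nat:
    """Source NAT: every outbound flow gets a mapping; inbound either hits a mapping or has nowhere to go."""
    table: set = field(default_factory=set)

    def decide(self, p: Packet) -> str:
        if not p.inbound:
            self.table.add(flow_key(p))   # NAT never asks whether the host should be talking at all
            return "ACCEPT"
        return "ACCEPT" if flow_key(p) in self.table else "DROP"

@dataclass
class StatefulFirewall:
    """Default drop both ways: outbound must match the egress policy, inbound must match state."""
    egress_ports: frozenset
    conntrack: set = field(default_factory=set)

    def decide(self, p: Packet) -> str:
        if not p.inbound:
            if p.dport not in self.egress_ports:
                return "DROP"             # e.g. a compromised host trying to send mail directly
            self.conntrack.add(flow_key(p))
            return "ACCEPT"
        return "ACCEPT" if flow_key(p) in self.conntrack else "DROP"

def run(device, packets):
    """Return the device's verdict for each packet, in order."""
    return [device.decide(p) for p in packets]

# Constructed traffic (added example, not from the thread) using documentation address ranges.
TRAFFIC = [
    Packet("192.168.1.10", 50000, "198.51.100.80", 443, inbound=False),  # LAN host browses a site
    Packet("198.51.100.80", 443, "192.168.1.10", 50000, inbound=True),   # the site's reply
    Packet("203.0.113.7", 40000, "192.168.1.10", 445, inbound=True),     # unsolicited inbound attempt
    Packet("192.168.1.10", 50001, "198.51.100.25", 25, inbound=False),   # LAN host sends SMTP directly
]
```

run(Nat(), TRAFFIC) accepts the final SMTP packet while run(StatefulFirewall(frozenset({80, 443})), TRAFFIC) drops it; the other three verdicts are identical.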