IoT as a motivator for NAT in IPv6

    TL;DR: the author is saddened that in the coming happy IPv6 future, the only workable alternative to huge IoT botnets is good old NAT, now on IPv6. Unfortunately, of course.

    Let me lay my cards on the table right away: my opinion and examples are based on my experience at a regional telecom operator with several tens of thousands of subscribers, both individuals and legal entities. One region of presence: the Central Federal District.

    Problem


    It is that the majority of users do not care about security. A user wants to use a computer or smartphone and not be bothered. Any word from the telecom operator that his computer is taking part in attacks or doing something bad is simply not taken seriously by the user.

    Why? Because there are no consequences.

    I'm serious. Even if cybercriminals do something terrible through this user's Internet access, on his behalf, pinning it on the user will be quite difficult.

    As a result, any message from the operator that something is wrong on the user's side is perceived as an attempt to squeeze more money out of him.

    Does the operator need to solve this problem?


    Yes and no. When you see on the graph that about 20% of your outgoing DNS queries are part of a DNS water torture attack (a flood of queries for random subdomains, meant to exhaust the victim's authoritative servers), of course you want to fix it. You get a list of infected machines, there will not be that many, but that is as far as it goes. Examples:

    1. A municipal institution. A system administrator is absent as a class; somehow they keep working on computers that are infected through and through. They pay for the Internet, so disconnecting them looks somewhat strange from the operator's point of view.

    2. A point of sale. A huge number of salespeople have access; obviously one of them managed to get infected. Disinfect it? Yes, but nobody will do it for free. Extra costs. No, thanks.

    You can go on, there are many such stories. Disconnect such subscribers from the network? Well, that means stepping on the throat of your own revenue.
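How the "list of infected machines" mentioned above is actually produced from a resolver query log, as an added example (not the operator's own monitoring from this post). The log format is an assumption: one query per line, "epoch client_ip qname qtype", which is what a BIND or Unbound query log reduces to. The sample lines are constructed, not captured. The detector goes beyond raw volume: it flags a client whose queries to one zone have almost all-unique, high-entropy leftmost labels, which is the water torture signature, while a client that merely queries the same zone a lot stays unflagged.

```python
"""Flag DNS water torture sources in a resolver query log.

Added example, not the operator's monitoring from the post. Log format is an
assumption: one query per line, "epoch client_ip qname qtype". The sample
lines below are constructed, not captured.
"""
import math
import statistics
from collections import Counter, defaultdict

# Constructed sample: two ordinary clients and one host (10.20.30.77) spraying
# random leftmost labels under a single victim zone, the water torture pattern.
SAMPLE_LOG = """\
1712000001 10.20.30.41 www.example.net A
1712000001 10.20.30.41 mail.example.net MX
1712000002 10.20.30.52 cdn.example.org AAAA
1712000002 10.20.30.77 xk7d2q9z.target-zone.example A
1712000002 10.20.30.77 p03mzt1vq.target-zone.example A
1712000003 10.20.30.77 a81lkdc0.target-zone.example A
1712000003 10.20.30.77 zz9w4mlp2.target-zone.example A
1712000003 10.20.30.41 www.example.net A
1712000004 10.20.30.77 qv61o8ytk.target-zone.example A
1712000004 10.20.30.77 m2nhx7ae.target-zone.example A
1712000004 10.20.30.41 imap.example.net A
1712000004 10.20.30.52 cdn.example.org AAAA
1712000005 10.20.30.77 rt4c9kbn0.target-zone.example A
1712000005 10.20.30.77 l7dpw3sg.target-zone.example A
1712000005 10.20.30.41 smtp.example.net A
1712000005 10.20.30.41 www.example.net A
"""

# Thresholds are assumptions; tune them against your own baseline.
MIN_QUERIES = 5      # ignore (client, zone) pairs below this volume
UNIQUE_RATIO = 0.9   # share of queries whose leftmost label is unique
MIN_ENTROPY = 2.5    # mean Shannon entropy (bits/char) of those labels


def label_entropy(label):
    """Shannon entropy per character: random labels score ~3 bits, 'www' scores 0."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def parse(log_text):
    """Yield (epoch, client, qname, qtype); malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        epoch, client, qname, qtype = parts
        yield int(epoch), client, qname.lower().rstrip("."), qtype


def queries_per_client(log_text):
    """Who is responsible for the volume: the first question when the graph jumps."""
    return Counter(client for _, client, _, _ in parse(log_text))


def find_water_torture(log_text):
    """Return {client: details} for clients whose queries to one zone look random."""
    labels_by_client_zone = defaultdict(lambda: defaultdict(list))
    for _, client, qname, _ in parse(log_text):
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # nothing below the zone apex to randomise
        zone = ".".join(labels[-2:])  # crude registrable-zone guess (assumption)
        labels_by_client_zone[client][zone].append(labels[0])

    suspects = {}
    for client, zones in labels_by_client_zone.items():
        for zone, labels in zones.items():
            if len(labels) < MIN_QUERIES:
                continue
            ratio = len(set(labels)) / len(labels)
            entropy = statistics.fmean([label_entropy(l) for l in labels])
            if ratio >= UNIQUE_RATIO and entropy >= MIN_ENTROPY:
                suspects[client] = {"zone": zone, "queries": len(labels),
                                    "unique_ratio": round(ratio, 2),
                                    "entropy": round(entropy, 2)}
    return suspects


if __name__ == "__main__":
    print("top talkers:", queries_per_client(SAMPLE_LOG).most_common(3))
    for client, info in find_water_torture(SAMPLE_LOG).items():
        print(f"water torture suspect {client}: {info}")
```

The two-label zone guess is deliberately crude; against real traffic you would use the public suffix list, otherwise a client hammering many hosts under co.uk or a CDN domain looks like an attacker. The volume counter alone would also have caught the four IP cameras at the end of the post, but it says nothing about which zone is being attacked, which is what an abuse desk on the receiving end will ask.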

    What about IPv6?


    IPv6 fanboys who have never even smelled dual stack in real life usually like to scream, foaming at the mouth, that "NAT is NOT NEEDED in IPv6!!!!111".

    Alas, even in the IPv4 world, only NAT saves us from floods of crap. Want examples? I have them.

    So, we take Router Scan and scan our own internal network. What do we get? Well, in my case, 739 vulnerable routers. Some are misconfigured. Some have vulnerabilities in their firmware. Never mind. What matters is that these are 739 tasty targets, and the only thing standing between them and the whole Internet today is the operator's NAT: the scan had to be run from inside the network to reach them.

    When IPv6 arrives without NAT, which genuinely has no place there, every one of these devices gets a globally routable address, and it will become clear that a huge number of IoT devices (the S stands for Security) were made in China by Uncle Liao. The developers of the software for these devices had a very distant idea of security: telnet left open with a weak password, and so on.

    And you know what happens next, when IoT reaches the masses in the regions? When any Zinaida Semenovna can buy 5-10 devices for her excellent two-room khrushchevka? IPv6 with a public address will help these devices work faithfully for the glory of their master, the botnet herder. And by then, through the efforts of marketers, Zinaida Semenovna may have signed up for 300-400 megabits per second for herself and the children. Charming!

    Well, you just need to use a firewall!


    Yes, a brilliant idea! I agree, where do I sign? True, there is one difficult point. Who is going to configure it?

    The user? Who only knows how to press a button and "get to work"? The user will not do it; DDoS from his devices, as we have already found out, is not his problem.

    The operator? The operator already has a full plate of headaches. Hence the most convenient stateful firewall = NAT, however strange that may sound or look. And yes, of course, the operator is forced to do this even now: many operators' ACLs block traffic to the 13x ports (the NetBIOS/SMB range) towards the subscriber.

    In addition, a firewall implies some way of telling friend from foe, at least by source IP. That is impossible in our conditions: Internet cafes, 3G/LTE, and that is that.

    Therefore, all these excellent recommendations, "use a firewall, not NAT", are broken against the wall of reality.
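For the record, here is what the "use a firewall, not NAT" recommendation actually asks someone to configure on the subscriber's router. This is an added example in nftables syntax, not configuration from the original post; the interface names wan0 and lan0 and the address in the commented-out rule are assumptions. It writes out explicitly the inbound-blocking behaviour that NAT gives for free, roughly the default RFC 6092 recommends for IPv6 CPE.

```nft
#!/usr/sbin/nft -f
# Added example: minimal IPv6 "NAT-equivalent" stateful filter for a home router.
# Interface names are assumptions: wan0 = uplink to the operator, lan0 = the flat.
flush ruleset

table inet cpe {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        iifname "lan0" accept
        ct state established,related accept
        # Do not drop ICMPv6 wholesale: neighbour discovery and path MTU
        # discovery live there (RFC 4890 lists what must get through)
        meta l4proto ipv6-icmp accept
        # DHCPv6 replies from the operator, if prefix delegation is in use
        iifname "wan0" udp sport 547 udp dport 546 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections the flat opened: the only thing NAT lets in
        ct state established,related accept
        ct state invalid drop
        # Anything the flat starts outbound is allowed (botnet C2 included, just as with NAT)
        iifname "lan0" oifname "wan0" accept
        meta l4proto ipv6-icmp accept
        # Unsolicited inbound from the Internet toward the camera's telnet port
        # falls through to the chain policy and is dropped. A subscriber who
        # wants to view the camera from outside has to add a rule such as
        # (address is an assumption):
        # iifname "wan0" ip6 daddr 2001:db8:1234::cafe tcp dport 554 accept
    }
}
```

Two things worth noticing. First, it is not one line: dropping all ICMPv6 breaks IPv6 itself, so even "block everything inbound" needs the ICMPv6 and DHCPv6 exceptions above. Second, every inbound service the subscriber actually wants needs its own accept rule, or a PCP/UPnP-style hole-punching mechanism on the router, and that is exactly the configuration burden the post argues neither the user nor the operator will carry. The operator-side SYN filtering discussed further down is this forward chain's default drop, restricted to TCP and applied on the BNG instead of the CPE; it does nothing for UDP services on the same devices.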

    Maybe something else?


    Yes, there is another option: the operator drops Layer 3 and becomes a Layer 2 provider. There are such operators in Russia, but not many. It then uses a virtual router, that is, it handles all of the subscriber's traffic itself and gives him some ways to manage it, for example through an app on the phone or a web interface.

    But this is not the easiest option, which is why the topic of vCPE in Russia is not developing quickly.

    In the relevant Telegram chat, people correctly guessed that sooner or later operators will start filtering SYN packets towards the subscriber. Yes, but this is certainly a dead end.

    The author will be glad to hear any suggestions on the subject, constructive criticism, and new solutions. And yes, someone, be sure to write in the comments that NAT is not needed in IPv6.

    Any more hair-raising stories?


    I'll leave one, to finish. At some point monitoring fires and we see about 7 thousand DNS queries going out from our network instead of the usual 1.5 thousand. The cause? One of the customers switched on 4 Chinese IP cameras. Curtain.
