TL;DR: The author is sad that in the bright IPv6 future that is coming, the only workable alternative to huge IoT botnets turns out to be good old NAT, on IPv6. Unfortunately.

Let me put my cards on the table right away: my opinion and examples are based on experience at a regional telecom operator with several tens of thousands of subscribers, both individuals and businesses, present in a single region, the Central Federal District.
Problem
The problem is that the majority of users do not care about security. A user wants to use a computer or smartphone without having to think about it. Any word from the operator that his computer is taking part in attacks or doing something bad is not taken seriously.
Why? Because there are no consequences.
I'm serious. Even if attackers, using this user's Internet access, do something terrible, it will be quite difficult to pin it on the user himself.
As a result, any message from the operator that something is wrong on the user's side is perceived as an attempt to squeeze an extra ruble out of the user.
Does the operator need to solve this problem?
Yes and no. When you see on a graph that about 20% of your outgoing DNS queries are part of a DNS water torture attack (a flood of queries for random, non-existent subdomains of a victim zone, which the victim's authoritative servers have to answer one by one), of course you want to solve it. You get a list of infected machines, and there won't be that many of them, but that is all you get. Examples:
1. A municipal institution. A system administrator is absent as a class; things somehow work, on infected computers. They pay for their Internet, so disconnecting them looks strange from the operator's point of view.
2. A point of sale. A huge number of salespeople have access, and obviously someone managed to bring in an infection. Clean it up? Yes, but nobody will do it for free. Extra expense. No, thanks.
The list goes on; there are plenty of such stories. Disconnect such subscribers from the network? That means stepping on your own revenue.
And where does IPv6 come in?
IPv6 fanboys, who in real life have never even smelled dual stack, usually like to scream their heads off that "IPv6 DOESN'T NEED NAT!!!!111".
Alas, even in the IPv4 world only NAT is saving us from the flood. Want examples? I have them.
So we take Router Scan and scan our internal network. What do we get? In my case, 739 vulnerable routers. Some are misconfigured. Some have vulnerabilities in the firmware. Never mind which; what matters is that these are 739 tasty targets, and today only NAT keeps them off the public Internet.
When IPv6 arrives without NAT, which is supposedly completely unnecessary there, it will become clear that a huge number of IoT devices (the S in IoT stands for security) are made in China by Uncle Liao. The people who wrote the software for these devices had a very distant understanding of security: telnet left open with a weak default password, and so on.
And you know what happens next, when IoT reaches the masses in the regions? When any Zinaida Semyonovna can buy 5 to 10 devices for her lovely two-room flat in a panel block? A globally routable ("white") IPv6 address will help those devices serve faithfully for the glory of their botmaster. And by then, thanks to the efforts of marketers, Zinaida Semyonovna will have 300 to 400 megabits per second for herself and the kids. Lovely!
Well, you just need to use a firewall!
Yes, brilliant idea! I agree, where do I sign? There is just one awkward point. Who is going to set it up?
The user? The one who can just about press a button and "make it work"? The user won't do it; as we have already established, DDoS from his devices is not his problem.
The operator? The operator has enough headaches already. So the most convenient stateful firewall is NAT, however strange that sounds and looks. What NAT actually buys you is a stateful rule that nobody has to configure: outbound connections are tracked, and unsolicited inbound packets to the subscriber are simply dropped. And yes, of course, operators already have to do this today: a lot of operators have ACLs that block traffic to the 13x ports (135-139) towards the subscriber.
Besides, a firewall implies some way of telling friend from foe, at the very least by source IP. That is impossible in our conditions: Internet cafes, 3G/LTE, and that's the end of it.
So all these excellent recommendations to "use a firewall, not NAT" shatter against the wall of reality.
Maybe something else?
Yes, there is another option: the operator terminates Layer 3 on its own side and gives the subscriber Layer 2 only. There are such operators in Russia, but few. The operator runs a virtual router per subscriber, so it controls all of that subscriber's traffic and gives the subscriber some means of managing it, for example through a phone app or a web interface.
But this is not the easiest option, which is why vCPE is not taking off in Russia all that fast.
In the relevant Telegram chat someone rightly guessed that sooner or later operators will start filtering SYN packets towards the subscriber. Yes, but that is definitely a dead end.
The author will be glad to hear any suggestions on the subject, constructive criticism and new solutions. And yes, somebody will be sure to write in the comments that IPv6 doesn't need NAT.
Any amazing stories?
One to finish with. At some point monitoring fires and we see about 7,000 DNS queries leaving our network instead of the usual 1,500. The cause? One customer had plugged in four Chinese IP cameras. Curtain.
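As an added example that is not part of the original post and not the operator's own tooling, here is how the two DNS stories above (the 20% share of outgoing queries caught in a water torture attack, and the 7,000-query spike from four cameras) can be turned into detection logic that produces exactly the thing the operator ends up with: a list of infected subscriber machines. The signature is that one client sends many queries for distinct, random-looking labels under the same victim zone and nearly all of them come back NXDOMAIN; a client that merely talks to many hosts of a CDN also produces many distinct labels, but those resolve. The one-query-per-line log format, the client addresses, the zone names and the thresholds are all constructed for the example; a real resolver query log (BIND, Unbound, dnsdist) has its own format, so `parse_line` is the part to adapt.

```python
"""Added example (not from the original post): find DNS water torture sources
in a resolver query log and report each source's share of the window's queries.

Assumed log format (constructed for this example), one query per line:
    <timestamp> <client-ip> <qname> <rcode>
"""
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class ZoneStats:
    """Per (client, parent zone) counters."""
    total: int = 0
    nxdomain: int = 0
    labels: Counter = field(default_factory=Counter)  # leftmost label -> count

    @property
    def unique_ratio(self) -> float:
        return len(self.labels) / self.total if self.total else 0.0

    @property
    def nxdomain_ratio(self) -> float:
        return self.nxdomain / self.total if self.total else 0.0

    @property
    def mean_label_entropy(self) -> float:
        if not self.labels:
            return 0.0
        return sum(label_entropy(l) for l in self.labels) / len(self.labels)


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    counts = Counter(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    ts, client, qname, rcode = line.split()
    return ts, client, qname.rstrip(".").lower(), rcode


def split_qname(qname: str):
    """Return (leftmost label, parent zone). The parent zone is taken as the
    last two labels, a simplification; a real deployment should use the
    Public Suffix List so that e.g. co.uk is not treated as a zone."""
    parts = qname.split(".")
    if len(parts) < 3:
        return None, qname
    return parts[0], ".".join(parts[-2:])


def find_water_torture_sources(lines, min_queries=50, min_unique=0.9,
                               min_nxdomain=0.8, min_entropy=2.5):
    """Return [(client, zone, query_count, share_of_all_queries), ...] for
    clients whose queries under one zone look like a random-subdomain flood.
    Thresholds are assumptions; tune them against your own baseline."""
    stats = defaultdict(ZoneStats)
    total_queries = 0
    for line in lines:
        _, client, qname, rcode = parse_line(line)
        total_queries += 1
        label, zone = split_qname(qname)
        if label is None:          # bare second-level name, nothing to judge
            continue
        s = stats[(client, zone)]
        s.total += 1
        s.labels[label] += 1
        if rcode == "NXDOMAIN":
            s.nxdomain += 1
    flagged = []
    for (client, zone), s in stats.items():
        if (s.total >= min_queries and s.unique_ratio >= min_unique
                and s.nxdomain_ratio >= min_nxdomain
                and s.mean_label_entropy >= min_entropy):
            flagged.append((client, zone, s.total, s.total / total_queries))
    return sorted(flagged)


def build_sample_log(seed=7):
    """Constructed sample log: one ordinary office host, one host hitting many
    distinct but valid CDN names, and two infected hosts flooding a victim zone."""
    rng = random.Random(seed)
    ts = "2019-03-01T12:00:00"   # a single timestamp is enough here
    lines = []
    for _ in range(20):
        for name in ("www.habr.com", "mail.yandex.ru", "update.microsoft.com"):
            lines.append(f"{ts} 10.10.1.5 {name} NOERROR")
    for i in range(40):          # many unique labels, but they all resolve
        lines.append(f"{ts} 10.10.2.8 edge-{i:03d}.cdn.example NOERROR")
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    for client, count in (("10.10.7.42", 200), ("10.10.9.9", 150)):
        for _ in range(count):
            label = "".join(rng.choice(alphabet) for _ in range(12))
            lines.append(f"{ts} {client} {label}.victim.example NXDOMAIN")
    rng.shuffle(lines)
    return lines


if __name__ == "__main__":
    for client, zone, count, share in find_water_torture_sources(build_sample_log()):
        print(f"{client} -> {zone}: {count} queries, {share:.1%} of the window")
```

The CDN host is the edge case worth keeping in the sample: by uniqueness alone it looks exactly like an attacker, and only the NXDOMAIN fraction separates it. In production you would run this over a sliding window and compare each window's total against the baseline from the graph, so that the 1,500-to-7,000 jump trips an alert before anyone reads the per-client list.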