
I can't imagine how much "fun" it's going to be trying to lock down a government's systems when every single device on their network is potentially reachable directly from China...


Having a public IP != publicly reachable. IOW, have the router block incoming connections just like the goreish nature of "NAT" did for you.


having a private ip = definitely not publicly reachable.

having a public ip = possibly reachable, depending on what other devices can be compromised on the network.

given the number of government machines that already participate in the various ddns botnets, moving to that second one is going to be a lot of fun

at the very least all the cnc servers can move local.


> having a private ip = definitely not publicly reachable.

> having a public ip = possibly reachable, depending on what other devices can be compromised on the network.

Lateral movement is hacking 101. Private IPs don't provide any security.

Got a webserver open to the internet and a database server on a private IP only accessible to the web server? Guess how you get to the database server?


got a vulnerable database server and a secure webserver.

guess what happens when the database server gets a public ip.


Nothing because it's behind a firewall?

You seem to be continually conflating something having a public IP address and it being open to the internet raw dogging it. This is not how things work.


good job all the network cables are glued in and no one ever plugged a cable into the wrong port, or doing so might result in all the devices behind that firewall getting exposed directly to the internet and no one noticing because everything still works.

but I'm done burning karma on this one, good luck have fun.


> good job all the network cables are glued in and no one ever plugged a cable into the wrong port, or doing so might result in all the devices behind that firewall getting exposed directly to the internet and no one noticing because everything still works.

So just put your database server on an IPv6 ULA (which is not globally routable)? There are other benefits to that, too, you know? Like that you can have a completely static address for the server, which is agnostic to whatever IPv6 prefix gets assigned by your upstream provider.


did the unpaid intern do that before or after the insecure database server accidentally got given a public ip address?

did they also check and update that old office-use-only IIS server no one uses before the department all got public ips, or wasn't there a lunch budget for that?


Good job not even attempting to secure your office switch ports with whitelisted MACs or whatever, then.

And if you then argue that MACs can be spoofed easily, well, you'd have to get the MAC of the authorised system first. And by that time you've physically broken into the building - you have worse problems than a rogue device or two...


edit: wrong thread


> having a private ip = definitely not publicly reachable.

What component of your router prevents a packet with destination IP 192.168.1.2 arriving on the WAN interface from crossing over to the LAN interface and reaching a LAN machine with that IP? Hint: It's the same one that prevents IPv6 packets from making that same crossing.


nothing stops 192.168.1 crossing a wan interface; in fact I and most of the internet rely on being able to do exactly that. the router just needs an appropriate route in its routing table.


Reread the comment carefully.


the wan address of my router is 192.168.1.8 with a gateway of 192.168.1.1

my lan ip address is 10.10.11.10 with a gateway of 10.10.11.1

what do you think I missed?


If a device on the network is compromised, how is a private IP going to save you? Private IPs can be reached from within the network.


it doesn't "save you".

but on a private network a compromised device can only make outgoing connections.

public facing devices can be administered by incoming connections, that's a whole other level of complexity, potentially for every device.


set router to an allowlist configuration... and you're done. it's your "NAT" security but without terribleness. some (consumer/smb) routers even come this way out of the box to prevent exactly what you mention


add a software router to the network that hands out public ips to all the devices on the network.

or better, just accidentally switch a cable over from the router to the router's switch, see if anyone notices their private ips all became public ones.


if we're branching into 'what other devices can be compromised' then that's a concern for any network, 'private' IP or not. for example, even on a NATted v4 network, if you get the right device (say if it's 'port forwarded', or you get malware on it another way (social engineering)) you can pivot that way to another point in the network.

you can supply all the ACLs and firewalling to your heart's content on either private or public, it's just that public addresses have a heck of a lot less shitfuckery when you actually want to do useful things across the internet


if by "heck of a lot less shitfuckery" you mean "makes it a lot easier to exfiltrate all the data on a network" I completely agree, that was pretty much my point.


You seem to fail to grasp that it is the statefulness of NAT that provides security, not the private/public IP distinction. The same statefulness can be obtained by using... surprise, surprise, a stateful firewall. :-D

It is helpful to imagine NAT as a stateful firewall with packet modifying capabilities. Because that's what it is.

If your ISP is doing CGNAT, try pinging random 100.64.0.0/10 addresses. Marvel at the number of pongs you can receive. Hell, we even have online threads talking about this, so it can't be just my ISP being incompetent [0].

[0]: https://www.reddit.com/r/networking/comments/1910m9w/discove...
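An added example (mine, not from any commenter in the thread) modelling the point above: the protection comes from connection tracking, not from whether the inside address is private or public. A toy router forwards between a WAN and a LAN interface, remembers flows that LAN hosts open, and accepts inbound only for tracked replies or an explicit allowlist; all prefixes, addresses and flows are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet seen by the router; iface is the interface it arrived on."""
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # "wan" or "lan"


class Router:
    """Toy router (constructed for this example). With stateful=True it is the
    tracking half of NAT without the address rewriting: inbound WAN packets pass
    only if they answer a flow a LAN host opened, or hit an explicit allowlist.
    With stateful=False it is a plain router that forwards anything it has a
    route for, whether the destination is 192.168.x.x or a global IPv6 address."""

    def __init__(self, lan_prefixes, allow_in=(), stateful=True):
        self.lan = [ipaddress.ip_network(p) for p in lan_prefixes]
        self.allow_in = set(allow_in)  # (lan_addr, port) published on purpose
        self.stateful = stateful
        self.flows = set()  # (lan_addr, lan_port, remote_addr, remote_port)

    def routes_to_lan(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a in net for net in self.lan)

    def forward(self, pkt):
        """Return 'forward' or 'drop' for the packet."""
        if pkt.iface == "lan":
            # Outbound: remember the flow so its reply is recognised later.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward"
        if not self.routes_to_lan(pkt.dst):
            return "drop"  # no route to that destination
        if not self.stateful:
            return "forward"  # a route is all a plain router needs, private or not
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "forward"  # reply to a flow the inside opened
        if (pkt.dst, pkt.dport) in self.allow_in:
            return "forward"  # explicitly published service
        return "drop"  # unsolicited inbound, whatever the address family
```

Swapping the LAN prefix between an RFC1918 block and a public IPv6 /64 changes nothing about which inbound packets are dropped; only the `stateful` flag does.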


My very publicly available home server (static IPv6 address, AAAA record) is behind two firewalls. The first is the ISP-supplied router. That handles any attempted connection to any address on its /64 subnet.

The second is UFW on the server itself + fail2ban.

The open ports are 22 and 443.

It's basically as secure as it gets apart from not having it public at all. Public IP != open for all connections on all ports...


Firewalls exist.


Better call up cloudflare and tell them no one wants their business now that all the network engineers are as competent and equipped to deal with threats as they are.


Cloudflare's main business is being a CDN that can soak hundreds of gbps in bandwidth of DDoS traffic. Nothing to do with competence, though in your other comments you suggested that plugging things into different switch ports would give them new IPs and make things publicly routable so perhaps you're right to keep using Cloudflare.


Cloudflare's main day job is blocking malicious incoming packets used for RCE exploits on unpatched servers.


None of which get through a firewall with a `deny` rule.


and how do you enforce using that firewall rule on tens of thousands of devices, each now with several public and private ips and several thousand routes in and out of the network?


A stateful firewall is a prerequisite for NAT implementations commonly deployed in most office and consumer settings due to the session tracking requirement. So you just stop doing the NAT part and the firewall continues to deny untracked ingress connections just like it did when NAT was running.


NAT is only needed if you want to transition from a private network to a public one.

ipv6 still needs nat configuring. nothing changes there.

The only thing that changes from a network administrator perspective is it becomes much harder to ensure devices that should only have a private ip address do not have a public one.

https://www.juniper.net/documentation/us/en/software/junos/n...


This feels like FUD. You can still assign a block of ipv6 as internal to your network and put it behind a bastion. Forcing ipv6 isn’t the same as going zero trust or something where now everything is publicly routable.


and what's stopping an intruder reassigning that block to something that can be publicly accessed, and how will that be monitored?


Uhhh... Whut?

You obviously need to use a ULA prefix, they are not routed (just like RFC1918 space in IPv4).

Or you can just use your allocated IPv6 space, and firewall at the border. And you hopefully have BGP hijack monitoring set up anyway.


you do know single network devices can have more than one ip address?

afaics, the biggest issue with ipv6 is if it's active all devices on a network can easily be coaxed to never route traffic anywhere near the router/firewall the network administrator intended, simply by handing out extra routing info for alternate networks.


> afaics, the biggest issue with ipv6 is if it's active all devices on a network can easily be coaxed to never route traffic anywhere near the router/firewall the network administrator intended, simply by handing out extra routing info for alternate networks.

This is not unique to IPv6.

ARP spoofing is the v4 version of this attack. RA spoofing is the v6 version of the attack. In both cases, the solution is the same: lock down your L2 by enabling MAC / ARP / RA filtering on your switch.


true, but getting even a single public ipv4 address is hard.

anyone and everyone handing out public ipv6 addresses is by design.


I have 32 IPv4 addresses, how do I utilize them to hack Amazon?

It doesn't matter that you can get IPv6 addresses, you still need to be able to get onto the L2 network of your victim company to be able to mount RA attacks. You also will somehow need to force them to announce your IPv6 space to their peers.


with IPv4 you can't really, because getting traffic routed to those ips is a major undertaking.

with IPv6, every IPv6 capable device is potentially capable of handing out something like the entire IPv4 space of public ip addresses regardless of how a single firewall or router is configured.

"trying to configure connectivity and access resources using only IPv6 addresses is borderline insane"


You clearly don't understand how routing (and the Internet) works. My IPs are useless because I can't force the victim to route to them.

I similarly won't be able to force the victim to route their traffic to IPv6 addresses that I control.


what difference do you think it makes who controls the public ipv6 address?

with ipv6, they got one, all devices on the network are now by default accessible from the public internet instead of invisible to it. That's the whole point of ipv6.


Reassigning a block sounds a lot harder than the IPv4 version of making something accessible, sending out a single packet to hole punch the NAT.



