Hacker News

> SIP was initially released in 1999, and was designed with the assumption that each device has its own globally routable public IP address. After all, the IPv6 standard was released back in 1995, and NAT would soon be a thing of the past…right? Unfortunately, this did not end up being the case.

AFAIK, most residential and commercial ISPs these days do assign customers both a dynamically-DHCP-leased IPv4 address, and a static, globally-routable IPv6 prefix — usually a /64, though some are nicer than that. If you put your ISP's gateway router into bridge mode, and then plugged your computer directly into it — then your device would acquire both an IPv4 and an IPv6 address.

But routers — including ISP gateway routers — insist on doing NAT not only for IPv4, but also for IPv6 (using the fe80:: prefix.) So on any regular home or office network, devices are going to acquire private-use IPv4 and IPv6 addresses.

Is there some reason that modern routers don't do NAT for IPv4, while just further splitting+assigning the received prefix for IPv6, such that every device on the network receives a private IPv4 addr, but a public IPv6 prefix, e.g. a /72?

I know that Internet-backbone network switches ignore the last 64 bits of IPv6 in their routing tables; but those bits are still being carried in the IPv6 packets, and once they reach your home router, it can make use of them to route to the final destination (i.e. one of the devices behind it.) Wasn't this supposed to be the idea?




> But routers — including ISP gateway routers — insist on doing NAT not only for IPv4, but also for IPv6 (using the fe80:: prefix.) So on any regular home or office network, devices are going to acquire private-use IPv4 and IPv6 addresses.

Maybe I'm misunderstanding your comment, but fe80:: is a link-local address and used by devices to talk to each other on the network. It's there by default when IPv6 is enabled.

Most ISPs that support IPv6 will provide a /56 to the router, and then the router will assign a /64 to wifi. Then the clients get an IPv6 address using DHCPv6 or a route announcement.

Unfortunately most VoIP providers do not support IPv6. voip.ms, which I use, for example, does not.

In my Asterisk pjsip configuration, I use:

    external_media_address = dyn.example.org
    external_signaling_address = dyn.example.org

where dyn.example.org is a dyndns that I use that points to my home Asterisk server, on a dynamic IPv4 address. My ISP does change my IPv4 address rather often, and sometimes I have to restart asterisk for the change to be effective.


A lot of people expect a stateful firewall blocking incoming connections on their local network. Applying the same NAT system that is used for IPv4 to IPv6 is probably the best way to get this layer of security.

Now in theory most devices should be safe to connect to the internet. But how many Internet of Shit devices are there in the average household that probably shouldn't be trusted? Crappy security cameras with 10 year old firmware written by the lowest bidder as well as "smart" thermostats that probably aren't much better.

So maybe keeping the stateful firewall by default is the best option.


> Applying the same NAT system that is used for IPv4 to IPv6 is probably the best way to get this layer of security.

...why? Routers have (stateful) firewalls, entirely separate from their NAT-ing abilities. You can still have the firewall without the NAT. (And the protocols that IoT devices rely on, like UPnP, are technically protocols for manipulating firewall rules, not NAT port-forwarding rules; so they still work fine without NAT in place.)

> But how many Internet of Shit devices are there in the average household that probably shouldn't be trusted?

I'm not sure about IPv4, but in IPv6 a given single logical interface can acquire multiple IPv6 addresses — meaning that your laptop or phone will have both a public global IPv6 address, and a link-local fe80:: IPv6 address. And things like multicast, DHCP discovery, etc. will only be attempted or accepted through that link-local address.

Now imagine a router that combines that firewall rule, with a bit of logic to automatically assign devices that join the AP, to separate VLANs, depending on their MAC address vendor part. So laptops and phones go on the "home" VLAN, while IoT devices go on the "sandboxed" VLAN. Where these VLANs are peered, but with stateful firewall rules between them: "sandboxed" devices don't get to speak to "home" devices, unless the "home" device speaks to them first; and multicast packets from "home" devices won't reach "sandboxed" devices.

In other words, a home-network gateway-router should have all the same defaults that an IaaS-tenant VPC does: nodes on the network have public-routable IPs; but all inbound ports to them are closed unless a device asks; and traffic flowing between those devices can only be seen by other devices intentionally put into that same VLAN, not by other "tenants" who happen to be sharing the same pipes.
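The gateway design described in the comment above, written out as an nftables ruleset. This is an added example, not configuration from the thread or from any router vendor. It assumes the switch or access point has already placed each device on a VLAN that reaches the router as `home0` or `iot0`, that `wan0` is the upstream, and that the address in the commented exception is a placeholder; all of those names are assumptions. Using the `inet` family makes every rule apply to IPv4 and IPv6 alike, so there is no NAT anywhere and the same stateful check protects both.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): a home gateway with public IPv6 on
# every device, no NAT, and a stateful firewall between "home", "sandboxed"
# (iot0) and the Internet. Interface names wan0/home0/iot0 are assumptions;
# MAC-vendor-to-VLAN assignment is assumed to happen on the switch/AP.
flush ruleset

table inet gateway {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # IPv6 does not work at all without neighbour discovery, and the
        # router itself receives router advertisements on the WAN side.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, nd-redirect } accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        iifname "wan0" udp dport 546 accept     # DHCPv6 (prefix delegation) replies to the router
        iifname "wan0" udp dport 68 accept      # DHCPv4 replies to the router

        # Services the router offers inward: DHCP/DNS to both VLANs, SSH only from "home".
        iifname { "home0", "iot0" } udp dport { 53, 67, 547 } accept
        iifname { "home0", "iot0" } tcp dport 53 accept
        iifname "home0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Path MTU discovery has to cross the box or large IPv6 flows stall.
        icmpv6 type packet-too-big accept

        # Anything inside may open flows to the Internet (v4 and v6 alike).
        iifname { "home0", "iot0" } oifname "wan0" accept

        # "home" may speak to "sandboxed" first; the reverse direction only
        # ever matches as established/related above, never as a new flow.
        iifname "home0" oifname "iot0" accept

        # Inbound from the Internet: closed unless a device asked. A UPnP/PCP
        # daemon, or an admin, adds per-device accept rules to this chain.
        iifname "wan0" oifname { "home0", "iot0" } jump inbound_exceptions
    }

    chain inbound_exceptions {
        # Example of a manually opened port for one device (assumed address):
        # ip6 daddr 2001:db8:1234:1::10 tcp dport 22 accept
    }
}
```

Load it with `nft -f gateway.nft`. Note that the per-VLAN /64s and the router advertisements that hand them out come from the router's RA/DHCPv6-PD daemon, not from this ruleset; the ruleset only decides what may pass. Multicast and broadcast from "home" never reach "sandboxed" because the forward chain's policy is `drop` and link-local multicast is not routed in the first place.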


> A lot of people expect a stateful firewall blocking incoming connections on their local network.

Totally! That's why that's the default setting for almost every router out there.

> Applying the same NAT system that is used for IPv4 to IPv6 is probably the best way to get this layer of security.

No? The default firewall rules will work just fine.

> So maybe keeping the stateful firewall by default is the best option.

Agreed. That's why routers ship with fully-closed firewalls for both IPv4 and IPv6. Incoming connections need firewall exceptions, either manually or through UPnP depending on how you've configured your network.

In fact, because of NAT issues like NAT slipstreaming, an IPv6 firewall is even more closed off than any IPv4 firewall that needs to let through FTP(S), SIP, and many other protocols depending on both sides of the connection using IPv4 as designed.


My quite basic free router from my ISP does exactly that. It plugs into the UTP port on the fiber termination box (no idea what to call that) and handles DHCP for IPv4, while allowing IPv6 auto configuration using a /64 for all devices behind it. Seems to work out of the box for both Windows and Apple devices. Only thing is that it automatically firewalls all incoming connections on both v4 and v6, but I think that's a very good default for an ISP device for home use. Especially since everyone is so used to v4 being NATed.




