First and foremost, there is nothing to fear from being on a public IP allocation, so long as your security devices are configured right.
What should I be replacing NAT with, if we don't have physically separate networks?
The same thing we've been physically separating them with since the 1980's, routers and firewalls. The one big security gain you get with NAT is that it forces you into a default-deny configuration. In order to get any service through it, you have to explicitly punch holes. The fancier devices even allow you to apply IP-based ACLs to those holes, just like a firewall. Probably because they have 'Firewall' on the box, actually.
A correctly configured firewall provides exactly the same service as a NAT gateway. NAT gateways are frequently used because they're easier to get into a secure config than most firewalls.
I hear that IPv6 and IPSEC are supposed to make all this secure somehow, but without physically separated networks that make these devices invisible to the Internet, I really can't see how.
This is a misconception. I work for a University that has a /16 IPv4 allocation, and the vast, vast majority of our IP address consumption is on that public allocation. Certainly all of our end-user workstations and printers. Our RFC1918 consumption is limited to network devices and certain specific servers where such addresses are required. I would not be surprised if you just shivered just now, because I certainly did when I showed up on my first day and saw the post-it on my monitor with my IP address.
And yet, we survive. Why? Because we have an exterior firewall configured for default-deny with limited ICMP throughput. Just because 140.160.123.45 is theoretically routeable, does not mean you can get there from wherever you are on the public internet. This is what firewalls were designed to do.
Given the right router configs, and different subnets in our allocation can be completely unreachable from each other. You do can do this in router tables or firewalls. This is a separate network and has satisfied our security auditors in the past.
There's no way in hell I'll put our billing database (With lots of credit card information!) on the internet for everyone to see.
Our billing database is on a public IPv4 address, and has been for its entire existence, but we have proof you can't get there from here. Just because an address is on the public v4 routeable list does not mean it is guaranteed to be delivered. The two firewalls between the evils of the Internet and the actual database ports filter out the evil. Even from my desk, behind the first firewall, I can't get to that database.
Credit-card information is one special case. That's subject to the PCI-DSS standards, and the standards state directly that servers that contain such data have to be behind a NAT gateway1. Ours are, and these three servers represent our total server usage of RFC1918 addresses. It doesn't add any security, just a layer of complexity, but we need to get that checkbox checked for audits.
The original "IPv6 makes NAT a thing of the past" idea was put forward before the Internet boom really hit full mainstream. In 1995 NAT was a workaround for getting around a small IP allocation. In 2005 it was enshrined in many Security Best Practices document, and at least one major standard (PCI-DSS to be specific). The only concrete benefit NAT gives is that an external entity performing recon on the network doesn't know what the IP landscape looks like behind the NAT device (though thanks to RFC1918 they have a good guess), and on NAT-free IPv4 (such as my work) that isn't the case. It's a small step in defense-in-depth, not a big one.
The replacement for RFC1918 addresses are what are called Unique Local Addresses. Like RFC1918, they don't route unless peers specifically agree to let them route. Unlike RFC1918, they are (probably) globally unique. IPv6 address translators that translate a ULA to a Global IP do exist in the higher range perimeter gear, definitely not in the SOHO gear yet.
You can survive just fine with a public IP address. Just keep in mind that 'public' does not guarantee 'reachable', and you'll be fine.
2017 update
In the past few months, Amazon aws has been adding IPv6 support. It has just been added to their amazon-vpc offering, and their implementation gives some clues as to how large scale deployments are expected to be done.
- You are given a /56 allocation (256 subnets).
- The allocation is a fully routeable subnet.
- You are expected to set your firewall-rules (security-groups) appropriately restrictive.
- There is no NAT, it's not even offered, so all outbound traffic will come from the actual IP address of the instance.
To add one of the security benefits of NAT back in, they are now offering an Egress-only Internet Gateway. This offers one NAT-like benefit:
- Subnets behind it can't be directly accessed from the internet.
Which provides a layer of defense-in-depth, in case a misconfigred firewall rule accidentally allows inbound traffic.
This offering does not translate the internal address into a single address the way NAT does. Outbound traffic will still have the source IP of the instance that opened the connection. Firewall operators looking to whitelist resources in the VPC will be better off whitelisting netblocks, rather than specific IP addresses.
Routeable does not always mean reachable.
1: The PCI-DSS standards changed in October 2010, the statement mandating RFC1918 addresses was removed, and 'network isolation' replaced it.
Use both IPv4 and IPv6
You should use both IPv4 and IPv6 addresses.
Nearly everyone on the Internet currently has an IPv4 address, or is behind a NAT of some kind, and can access IPv4 resources.
However, at the time of writing only about 0.7% 2.3% 3.8% 6.5% 9% 12% 19% 22% 26% 32% of the Internet is IPv6 capable, but that number is steadily growing as IPv6 begins to roll out worldwide.
In a very few places, ISPs are providing primarily IPv6 or only IPv6 to residential customers and using large scale NAT, NAT64 or other such solutions for IPv4 connectivity. This number is expected to grow as IPv4 address space is finally exhausted. These users will typically have better performance over IPv6.
Where ISPs have deployed large scale NAT to solve IPv4 exhaustion, users stuck with this will suffer reduced reliability of all their Internet connections due to the connection limits inherent in the large scale NAT gateways. For instance, a web page might only load some but not all of its resources, leaving broken icons where images should be, missing styles and scripts, etc. This is similar to connection limit exhaustion on a home router, but affecting all users of the ISP intermittently and seemingly randomly. If you want your site to be reliable for these users, you must serve it via IPv6 (and the ISP must have deployed IPv6).
Since IPv6 is where the Internet is going, having your web site IPv6 enabled now puts you ahead of the game and lets you resolve any problems long before they become serious.
Configure nginx
By default with Linux and nginx, you can bind to both IPv4 and IPv6 at the same time by changing your listen
directives to:
listen [::]:80;
listen 80;
Or, for SSL sites:
listen [::]:443 ssl;
listen 443 ssl;
Best Answer
You are asking whether IPv4 “fails over” to IPv6 when IPv4 is unavailable. Yes, it sort of does if you look at it from the wrong angle, but it is actually the other way around.
When IPv6 is enabled, it is preferred over IPv4. So in actual fact, IPv4 doesn’t “fail over” to IPv6. Rather, if IPv6 is unavailable, it “fails over” to IPv4.
Your question asks specifically about IPv6 mail servers, but this behaviour is universal. HTTP, FTP, IMAP, you name it. If a website is both IPv6– and IPv4–enabled, your browser will prefer the IPv6 version (assuming you have IPv6 connectvity). If you are sending mail to an IPv6–enabled mail server, it will go over IPv6.
(As to whether it will try again over IPv4 if your IPv6 fails I cannot answer at this stage — not tested it myself, unfortunately. If this is an issue, you could use two MX records — one that points to an IPv6–only hostname, and one to an IPv4–only hostname.)
If you IPv6–enable your mail server, but still keep IPv4 enabled (e.g. on Postfix you would set
inet_interfaces = all
, notinet_interfaces = ipv6
), then you will be able to send mail to IPv4 and IPv6 mail servers, as well as receive mail from IPv4 and IPv6 sources.This wasn’t part of your question, but does pertain to IPv6 mail servers: currently none of the major DNSBLs (e.g. Spamhaus) support IPv6. While I haven’t seen a single piece of spam originating from an IPv6 address, be aware that the only spam preventative measures you can take are keyword–based.