Linux – IPv6 and NAT, routing to multiple ISPs

ipv6linuxlinux-networkingnat;routing

Currently I have a nice setup using private IPv4 address space and uplinks from two ISPs to the Internet. Thanks to NAT I can just take down one of the interfaces and the Internet access is still there.

I've been thinking how to duplicate this configuration in IPv6. From what I read is that "NAT is dead", I really glad for that, I don't like it (and sometimes outright hate it), but it has its uses.

To put some perspective in: this is a small company, 3 dozen computers in network, we don't have budget for fancy links with SLA and BGP support. So I think that our own IPv6 subnet from RIPE-NCC won't work.

On the other hand, having two independent links is more than useful. Is there a way to do a 1-to-1 NAT in IPv6 (I'm using Linux machine as a router)? How do I do it? Will it allow me to continue using two ISPs (provided that they both support IPv6).

When I get a subnet from my ISP I need to have an IP address facing the Internet (to be able to route packets to my ISP) and a second one facing my LAN. In IPv6 both should be routable. Doesn't this mean I have to get at least 2 subnets from my ISP? Or ISPs are required to provide a /48 subnet not only two /64 subnets? (And dedicate first /64 subnet to intra router communication.) What to do if I get only a single /64 subnet from ISP?

To summarize:

Questions

Can I do 1-to-1 NAT in IPv6 in Linux? How do I do it?
Do I need to receive at least two /64 subnets to comfortably set up routing in LAN behind firewall?
Is there a way to have public addresses in my LAN if I get a single /64 subnet from my ISP?

Best Answer

Without BGP and 'business class' ISPs multihoming isn't going to work for you. It is possible to do 1-to-1 NAT with IPv6. I don't know how to configure it on Linux though. There is another way though:

You will get a prefix from both ISPs. Probably a /56 or a /48. It doesn't really matter in this case if the link to the ISP gets it's own addresses or not. IPv6 can work perfectly with unnumbered uplinks. What you then do is to connect a router from each ISP to your LAN, and both should advertise a /64 from their own ISP on your LAN. So all your systems get (at least) two public IPv6 addresses: one from each ISP. You can give the advertisements of your primary ISP a higher priority. When the link to the ISP goes down the corresponding router should withdraw its advertisement and your systems will start using the other link.

The only downside is when one ISP doesn't accept packets with a source address from the other ISP. If that is the case then the routers should check the source address and forward traffic with the wrong source address to the other router.

If you only get a single /64 from your ISP then you can use that on your LAN. They should give you more than that though. A /48 used to be the standard for many years, a /56 is becoming more normal these days, but you should definitely get more than a /64.

Route tables

First edit the /etc/iproute2/rt_tables to add a map between route table numbers and ISP names

...
10 ISP1
20 ISP2
...

So table 10 and 20 is for ISP1 and ISP2, respectively. I need to populate these tables with routes from main table with this code snippet (which I have taken from hxxp://linux-ip.net/html/adv-multi-internet.html)

ip route show table main | grep -Ev '^default' \
   | while read ROUTE ; do
     ip route add table ISP1 $ROUTE
done

And add default gateway to ISP1 through that ISP1's gateway:

ip route add default via 192.168.1.2 table ISP1

Do the same for ISP2

So now I have 2 route tables, 1 for each ISP.

Iptables

OK now I use iptables to evenly distribute packets to each route tables. More info on how this work can be found here (http://www.diegolima.org/wordpress/?p=36) and here (http://home.regit.org/?page_id=7)

# iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
# iptables -t mangle -A PREROUTING -j MARK --set-mark 10
# iptables -t mangle -A PREROUTING -m statistic --mode random --probability 0.5 -j MARK --set-mark 20
# iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

NAT

Well NAT is easy:

# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

Switching to IPv6 – Implications of Dropping NAT

First and foremost, there is nothing to fear from being on a public IP allocation, so long as your security devices are configured right.

What should I be replacing NAT with, if we don't have physically separate networks?

The same thing we've been physically separating them with since the 1980's, routers and firewalls. The one big security gain you get with NAT is that it forces you into a default-deny configuration. In order to get any service through it, you have to explicitly punch holes. The fancier devices even allow you to apply IP-based ACLs to those holes, just like a firewall. Probably because they have 'Firewall' on the box, actually.

A correctly configured firewall provides exactly the same service as a NAT gateway. NAT gateways are frequently used because they're easier to get into a secure config than most firewalls.

I hear that IPv6 and IPSEC are supposed to make all this secure somehow, but without physically separated networks that make these devices invisible to the Internet, I really can't see how.

This is a misconception. I work for a University that has a /16 IPv4 allocation, and the vast, vast majority of our IP address consumption is on that public allocation. Certainly all of our end-user workstations and printers. Our RFC1918 consumption is limited to network devices and certain specific servers where such addresses are required. I would not be surprised if you just shivered just now, because I certainly did when I showed up on my first day and saw the post-it on my monitor with my IP address.

And yet, we survive. Why? Because we have an exterior firewall configured for default-deny with limited ICMP throughput. Just because 140.160.123.45 is theoretically routeable, does not mean you can get there from wherever you are on the public internet. This is what firewalls were designed to do.

Given the right router configs, and different subnets in our allocation can be completely unreachable from each other. You do can do this in router tables or firewalls. This is a separate network and has satisfied our security auditors in the past.

There's no way in hell I'll put our billing database (With lots of credit card information!) on the internet for everyone to see.

Our billing database is on a public IPv4 address, and has been for its entire existence, but we have proof you can't get there from here. Just because an address is on the public v4 routeable list does not mean it is guaranteed to be delivered. The two firewalls between the evils of the Internet and the actual database ports filter out the evil. Even from my desk, behind the first firewall, I can't get to that database.

Credit-card information is one special case. That's subject to the PCI-DSS standards, and the standards state directly that servers that contain such data have to be behind a NAT gateway¹. Ours are, and these three servers represent our total server usage of RFC1918 addresses. It doesn't add any security, just a layer of complexity, but we need to get that checkbox checked for audits.

The original "IPv6 makes NAT a thing of the past" idea was put forward before the Internet boom really hit full mainstream. In 1995 NAT was a workaround for getting around a small IP allocation. In 2005 it was enshrined in many Security Best Practices document, and at least one major standard (PCI-DSS to be specific). The only concrete benefit NAT gives is that an external entity performing recon on the network doesn't know what the IP landscape looks like behind the NAT device (though thanks to RFC1918 they have a good guess), and on NAT-free IPv4 (such as my work) that isn't the case. It's a small step in defense-in-depth, not a big one.

The replacement for RFC1918 addresses are what are called Unique Local Addresses. Like RFC1918, they don't route unless peers specifically agree to let them route. Unlike RFC1918, they are (probably) globally unique. IPv6 address translators that translate a ULA to a Global IP do exist in the higher range perimeter gear, definitely not in the SOHO gear yet.

You can survive just fine with a public IP address. Just keep in mind that 'public' does not guarantee 'reachable', and you'll be fine.

2017 update

In the past few months, Amazon aws has been adding IPv6 support. It has just been added to their amazon-vpc offering, and their implementation gives some clues as to how large scale deployments are expected to be done.

You are given a /56 allocation (256 subnets).
The allocation is a fully routeable subnet.
You are expected to set your firewall-rules (security-groups) appropriately restrictive.
There is no NAT, it's not even offered, so all outbound traffic will come from the actual IP address of the instance.

To add one of the security benefits of NAT back in, they are now offering an Egress-only Internet Gateway. This offers one NAT-like benefit:

Subnets behind it can't be directly accessed from the internet.

Which provides a layer of defense-in-depth, in case a misconfigred firewall rule accidentally allows inbound traffic.

This offering does not translate the internal address into a single address the way NAT does. Outbound traffic will still have the source IP of the instance that opened the connection. Firewall operators looking to whitelist resources in the VPC will be better off whitelisting netblocks, rather than specific IP addresses.

Routeable does not always mean reachable.

¹: The PCI-DSS standards changed in October 2010, the statement mandating RFC1918 addresses was removed, and 'network isolation' replaced it.

Best Answer

Related Solutions

Linux – Load Balancing and NAT-ing Multiple ISP Connections

Route tables

Iptables

NAT

Switching to IPv6 – Implications of Dropping NAT

Related Topic