Security Breaches with NAT64?

February 17, 2016


I wrote this article to support all our colleagues around the world who are testing or deploying IPv6 on their networks.

Recently, my team and I have been working on a lab to deploy IPv6 in our office. We finally succeeded in getting an IPv6 network to communicate with an IPv4 network and with the internet (it sounds easy, but it took us three days of reading and testing).

We did this with a UTM firewall using NAT64. Everything went well until we tried to block the traffic going to the internet (IPv6 network -> IPv4 internet). The security policies we configured did not stop the traffic. When we looked into it, we noticed that there were no logs for the traffic at all, except for the NAT64 translation itself.

We also tried to block all traffic, regardless of application, source port, destination port, source IP or destination IP. The traffic still went through. Even when we decrypted the traffic (via a man-in-the-middle decryption on the firewall), we still saw nothing other than TCP 80, TCP 443 and UDP 443.

It seems that on some devices the NAT64 rule bypasses every kind of security policy: traffic is translated and forwarded without ever being matched against the rule base or logged. This is a big red flag for security developers. We have already talked with the manufacturer's engineering team, and they are looking for a solution to the problem.

The biggest problem is this: if we cannot control or even identify the traffic leaving our LAN, how could we defend against attacks coming from the outside over IPv6?

For specific reasons I can't share which firewall we are using in the lab. Instead, I invite you to build a test lab and check whether your firewall really detects, logs and enforces policy on IPv6 traffic, not only IPv6 to IPv6 but also IPv6 to IPv4 through NAT64.
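One way to run that lab check, as an added example that is not part of the original article and is not any vendor's tooling: the script below implements the RFC 6052 address mapping NAT64 uses, so a tester can predict which IPv4 destination each IPv6-side flow turns into, and then cross-checks IPv6-side flow records against the IPv4-side policy log, reporting every translated flow for which the firewall never recorded an allow or deny decision. The NAT64 prefix (the well-known 64:ff9b::/96), the flow records, the addresses and the key=value log format are assumptions constructed for illustration; in a real test you substitute the prefix configured on the firewall, a capture from the IPv6 segment and the firewall's own log export.

```python
"""
RFC 6052 NAT64 address mapping plus a lab check that every IPv6-side flow
crossing the translator has a matching policy decision in the IPv4-side log.

Added example for this article; not code from the article, its author or the
firewall vendor. The flow records and log lines are constructed for
illustration and use a made-up key=value format, not a real vendor's format.
"""
import ipaddress

# Prefix lengths RFC 6052 allows for a NAT64 prefix; 64:ff9b::/96 is the
# well-known prefix most NAT64/DNS64 deployments use.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def embed_ipv4(prefix, v4):
    """Return the IPv4-embedded IPv6 address DNS64/NAT64 synthesizes for v4."""
    prefix = ipaddress.IPv6Network(prefix)
    v4i = int(ipaddress.IPv4Address(v4))
    plen = prefix.prefixlen
    if plen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{plen}")
    base = int(prefix.network_address)
    if plen == 96:
        return ipaddress.IPv6Address(base | v4i)
    # For /32../64 the 32 IPv4 bits are split around the reserved zero byte
    # at bits 64-71: n bits sit before it (bits plen..63), the remaining
    # 32-n bits start at bit 72 (LSB shift 128-72-(32-n) = 24+n).
    n = 64 - plen
    high = v4i >> (32 - n)
    low = v4i & ((1 << (32 - n)) - 1)
    return ipaddress.IPv6Address(base | (high << 64) | (low << (24 + n)))


def extract_ipv4(prefix, v6):
    """Recover the IPv4 address embedded in v6, or None if v6 is outside prefix."""
    prefix = ipaddress.IPv6Network(prefix)
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        return None
    plen = prefix.prefixlen
    if plen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{plen}")
    a = int(v6)
    if plen == 96:
        return ipaddress.IPv4Address(a & 0xFFFFFFFF)
    n = 64 - plen
    high = (a >> 64) & ((1 << n) - 1)
    low = (a >> (24 + n)) & ((1 << (32 - n)) - 1)
    return ipaddress.IPv4Address((high << (32 - n)) | low)


def parse_log_line(line):
    """Parse one constructed 'key=value key=value' policy log line."""
    return dict(field.split("=", 1) for field in line.split())


def unlogged_nat64_flows(prefix, v6_flows, v4_log_lines):
    """Return the IPv6-side flows whose translated (dst4, proto, dport) never
    appears in the IPv4-side policy log, i.e. traffic that crossed NAT64
    without the firewall recording an allow or deny decision for it."""
    logged = set()
    for line in v4_log_lines:
        rec = parse_log_line(line)
        logged.add((rec["dst"], rec["proto"], rec["dport"]))
    missing = []
    for src6, dst6, proto, dport in v6_flows:
        dst4 = extract_ipv4(prefix, dst6)
        if dst4 is None:
            continue  # native IPv6 destination, never touched by NAT64
        if (str(dst4), proto, str(dport)) not in logged:
            missing.append((src6, dst6, str(dst4), proto, dport))
    return missing


# Constructed IPv6-side flows, as a capture on the LAN segment would show them:
# (src6, dst6, proto, dport). The first two go to NAT64-synthesized addresses.
LAB_V6_FLOWS = [
    ("2001:db8:1::10", "64:ff9b::c000:221", "tcp", 443),   # embeds 192.0.2.33
    ("2001:db8:1::10", "64:ff9b::c633:6401", "udp", 443),  # embeds 198.51.100.1
    ("2001:db8:1::11", "2001:db8:2::5", "tcp", 80),        # native IPv6
]

# Constructed IPv4-side policy log: the firewall recorded a decision for the
# first translated flow only (203.0.113.10 stands in for its NAT64 pool address).
LAB_V4_POLICY_LOG = [
    "ts=2016-02-17T10:00:01 action=allow src=203.0.113.10 dst=192.0.2.33 proto=tcp dport=443",
]


if __name__ == "__main__":
    for flow in unlogged_nat64_flows(WELL_KNOWN_PREFIX, LAB_V6_FLOWS, LAB_V4_POLICY_LOG):
        print("translated by NAT64 but no policy decision logged:", flow)
```

If the check reports any flows, the translator forwarded traffic that the policy engine never evaluated or logged, which is exactly the behaviour described above. The mapping functions also handle network-specific prefixes from /32 to /64, where the IPv4 bits are split around the reserved zero byte, so the same check works when a deployment does not use the well-known prefix.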

I hope this helps network engineers, security engineers, developers, vendors and others harden their security, so that when we finally get to an IPv6 world it can be a safe one.

Mario Sanchez Novelo





  1. As feedback, we are still working on the issue. We tried with another vendor and it seems to be a general problem; the development engineers of the two vendors we work with are trying to find out whether it is an operating system problem or the way the firewalls are handling the packets.

  2. Hi Momen Fathi,

    Thanks for the info. The problem is that the transition mechanism is done by the same firewall, which can't log the security data or block the packets. I'll read the RFC you sent me to check whether there is something missing.

    Because in a traditional NAT done by a firewall you can intercept the translated data from one side or the other.

    Thanks for the help! If I have any news I'll post it!

  3. I'd prefer you to read this document.

    I guess you will find something, because I think there is something missing.
    You can't intercept translated data from one side.

    You need to be inside the transition mechanism and log it, or at least that is what my imagination says.

    I hope it helps 🙂

  4. This contribution is part of work done with Elodin17, a co-worker, and I would like to thank her very much!!
