On 13.03.2014 20:12, Eric Vyncke (evyncke) wrote:
> I still wonder why people REALLY believe in the security of NAT (in the
> sense of blocking inbound connections) in 2014 while most of the botnet
> members are behind a NAT...

I really don't know what this has to do with Teredo or IPv6, but well... Blocking inbound connections will save your host from remote exploits of its network services, but not from getting infected by malicious websites or email attachments. This is out of the scope of the common RG. And this has nothing to do with AVM, Technicolor or any other RG manufacturer; last time I checked, Cisco RGs did just the same.

> Christopher and others => you are RIGHT! Do not change your mind

Right about _what_? You provided not a single reason for the described behaviour, i.e. the missing fallback to native IPv6.

> -éric (see also
> http://tools.ietf.org/html/draft-ietf-v6ops-balanced-ipv6-security-01 for
> my point of view :-))

I liked especially this section "5. Security Considerations" where it says

"The policy addresses the major concerns related to the loss of stateful filtering imposed by IPV4 NAPT when enabling public globally reachable IPv6 in the home."

and

"This set of rules cannot help with the following attacks: [...] Malware which is fetched by inside hosts on a hostile web site (which is in 2013 the majority of infection sources)."

This approach seems a little too bold to me, and the lack of incidents may just be caused by the lack of attacks via IPv6, but if it works for Swisscom, good for them.

Jakob