You are assuming (as many, many people do) that public addresses equal no firewall, and that IPv6 CPEs will have no stateful firewalling.
The thing is, just as they have a stateful firewall now for IPv4 they will have one for IPv6 as well. The fact that your addressing is public (or let's say, routeable) does not make a difference. Again, it is not the NAT layer of your IPv4 CPE that protects you, it's the stateful firewall.

regards

Carlos

On Thu, Aug 11, 2011 at 2:52 PM, Greg Ihnen <os10ru...@gmail.com> wrote:
>
> On Aug 11, 2011, at 1:04 PM, Owen DeLong wrote:
>
>>
>> On Aug 11, 2011, at 5:41 AM, Jamie Bowden wrote:
>>
>>> Owen wrote:
>>>
>>>> -----Original Message-----
>>>> From: Owen DeLong [mailto:o...@delong.com]
>>>> Sent: Wednesday, August 10, 2011 9:58 PM
>>>> To: William Herrin
>>>> Cc: nanog@nanog.org
>>>> Subject: Re: IPv6 end user addressing
>>>>
>>>>
>>>> On Aug 10, 2011, at 6:46 PM, William Herrin wrote:
>>>>
>>>>> On Wed, Aug 10, 2011 at 9:32 PM, Owen DeLong <o...@delong.com> wrote:
>>>>>>> Someday, I expect the pantry to have a barcode reader on it connected back
>>>>>>> a computer setup for the kitchen someday. Most of us already use barcode
>>>>>>> readers when we shop so it's not a big step to home use.
>>>>>>
>>>>>> Nah... That's short-term thinking. The future holds advanced pantries with
>>>>>> RFID sensors that know what is in the pantry and when they were manufactured,
>>>>>> what their expiration date is, etc.
>>>>>
>>>>> And since your can of creamed corn is globally addressable, the rest
>>>>> of the world knows what's in your pantry too. ;)
>>>>>
>>>>
>>>> This definitely helps explain your misconceptions about NAT as a
>>>> security tool.
>>>>
>>>>
>>>> Globally addressable != globally reachable.
>>>>
>>>> Things can have global addresses without having global reachability. There are
>>>> these tools called access control lists and routing policies. Perhaps you've heard
>>>> of them. They can be quite useful.
>>>
>>> And your average home user, whose WiFi network is an open network named
>>> "linksys" is going to do that how?
>>>
>>
>> Because the routers that come on pantries and refrigerators will probably be
>> made by people smarter than the folks at Linksys?
>>
>> Owen
>>
>>
>
> I respectfully disagree. If appliance manufacturers jump on the bandwagon to
> make their device *Internet Ready!* we'll see appliance makers who have way
> less networking experience than Linksys/Cisco getting into the fray. I highly
> doubt the pontifications of these Good Morning America technology gurus who
> predict all these changes are coming to the home. Do we really think
> appliance manufacturers are going to agree on standards for keeping track of
> how much milk is in the fridge, especially as not just manufacturing but also
> engineering is moving to countries like China? How about the predictions that
> have been around for years about appliances which will alert the manufacturer
> about impending failure so they can call you and you can schedule the repair
> before there's a breakdown? Remember that one? We don't even have an
> "appliance about to break, call repairman" idiot light on appliances yet.
>
> But I predict the coming of IPv6 to the home in a big way will have
> unintended consequences.
>
> I think the big shock for home users regarding IPv6 will be suddenly having
> their IPv4 NAT firewall being gone and all their devices being exposed naked
> to everyone on the internet. Suddenly all their security shortcomings (no
> passwords, "password" for the password etc) are going to have catastrophic
> consequences. I foresee an exponential leap in the number of hacks of
> consumer devices which will have repercussions well beyond their local
> network. In my opinion that's going to be the biggest problem with IPv6, not
> all the concerns about the inner workings of the protocols. I'm guessing the
> manufacturers of consumer grade networkable devices are still thinking about
> security as it applies to LANs with RFC 1918 address space behind a firewall
> and haven't rethought security as it applies to IPv6.
>
> Greg
>

--
--
=========================
Carlos M. Martinez-Cagnazzo
http://www.labs.lacnic.net
=========================
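
The distinction drawn in this message between address translation and stateful filtering, as an added example that is not part of the original thread: a simplified model of a CPE forwarding decision that tracks connections and performs no NAT. The class, the LAN prefix, the timeout and the host addresses are constructed for illustration (all addresses are from the 2001:db8::/32 documentation range).

```python
from ipaddress import ip_address, ip_network

LAN_PREFIX = ip_network("2001:db8:1::/64")  # constructed, globally routable style prefix


class StatefulForwarder:
    """Default-deny IPv6 forwarding with connection tracking and no NAT."""

    def __init__(self, lan_prefix, idle_timeout=120):
        self.lan = lan_prefix
        self.idle_timeout = idle_timeout  # seconds; value is an assumption
        self.flows = {}  # (proto, lan_ip, lan_port, remote_ip, remote_port) -> last seen

    def _expire(self, now):
        self.flows = {k: t for k, t in self.flows.items() if now - t <= self.idle_timeout}

    def forward(self, proto, src, sport, dst, dport, now):
        """Return True if the packet is forwarded, False if it is dropped."""
        src, dst = ip_address(src), ip_address(dst)
        self._expire(now)
        if src in self.lan and dst not in self.lan:
            # Outbound: allowed, and it creates or refreshes state.
            self.flows[(proto, src, sport, dst, dport)] = now
            return True
        if dst in self.lan and src not in self.lan:
            # Inbound: forwarded only as the exact reverse of a tracked flow.
            key = (proto, dst, dport, src, sport)
            if key in self.flows:
                self.flows[key] = now
                return True
            return False
        return False  # packet does not cross the LAN/WAN boundary


def demo():
    fw = StatefulForwarder(LAN_PREFIX)
    fridge, server, scanner = "2001:db8:1::50", "2001:db8:ffff::10", "2001:db8:aaaa::66"
    return {
        "unsolicited_inbound": fw.forward("tcp", scanner, 40000, fridge, 80, now=0),
        "outbound": fw.forward("tcp", fridge, 51000, server, 443, now=1),
        "reply": fw.forward("tcp", server, 443, fridge, 51000, now=2),
        "other_host_same_port": fw.forward("tcp", scanner, 443, fridge, 51000, now=3),
        "reply_after_timeout": fw.forward("tcp", server, 443, fridge, 51000, now=500),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'forward' if verdict else 'drop'}")
```

No address is rewritten anywhere in the model; the drop decisions come only from the state table, which is the same mechanism an IPv4 CPE applies underneath its NAT.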