On 03/20/2016 11:36 AM, Xen wrote:
> By the way, if UPnP was ever a problem in terms of NAT security,
> obviously the problem is much worse in IPv6, since there is not even
> any NAT and all devices are always exposed.

"Addressable" is NOT the same thing as "exposed". Any sane IPv6 router
for the home (every one I have seen so far) blocks all incoming
connections by default - just like NAT effectively does. There is no
operational difference for the clueless home owner. With a consumer
firewall, selected ports can be "forwarded" through IP4 NAT to a
selected internal IP. Similarly, selected ports can be unblocked for
selected internal objects with an IP6 firewall.

The only semi-valid criticism is that with IP4 NAT, the effective 48-bit
(IP + random 16-bit port) public address is periodically recycled to
point to different internal objects. With IP6 sans NAT, the 128-bit
(Subnet + random 64-bit host IP) public address, while random and
periodically changing like IP4 NAT, is not recycled. A given IP only
ever points to a single internal object. This could potentially reveal
more information to someone logging IP+port on the outside. But it is
not yet clear what exactly it would gain them.
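
The default-deny behaviour described in the reply above, written out as an nftables ruleset for a Linux-based home router. This is an added example, not part of the original message and not any vendor's shipped configuration; the interface names `wan0` and `lan0` and the address `2001:db8:1::10` (documentation prefix) are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: stateful IPv6 forwarding filter, no NAT involved.
# Assumed names: wan0 = uplink, lan0 = home LAN,
# 2001:db8:1::10 = one internal host (constructed, documentation prefix).

table ip6 home_fw {
    chain forward {
        # Default deny: a LAN host is addressable from outside, but a
        # packet that matches no rule below never reaches it.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that LAN hosts opened themselves.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open new connections outward.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 error messages (RFC 4890 recommends passing these;
        # packet-too-big is required for path MTU discovery).
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # IPv6 counterpart of an IPv4 NAT "port forward": unblock one
        # port for one internal address instead of rewriting it.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::10 \
            tcp dport 443 ct state new accept

        # Any other new connection from wan0 falls through to policy drop.
    }
}
```

Running `nft -c -f` on the file checks the syntax without loading it, and `nft list ruleset` on a router shows whether its forward chain actually ends in a drop policy.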