Re: ipv6 question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 1/3/11 6:44 PM, Robert Nichols wrote:
> On 01/03/2011 06:31 PM, Michael H. Warfield wrote:
>> There is a wide spread myth that NAT and the fact that you are on
>> different addresses some how bestows upon you some measure of security.
>> As a leading security researcher, let me impress upon you that nothing
>> could be further from the truth.  You can security from the inherent
>> statefulness of your common consumer grade NAT but there are other forms
>> of NAT which do not convey this.  Merely the fact that your addresses
>> are mapped do not provide you with any protection.  It's the state
>> engine and the dynamic mapping that do this.  But, SURPRISE, that
>> exactly what's in a stateful firewall.  There is NO intrinsic advantage
>> of NAT over a decent stateful firewall.  None.
>>
>> IPv6 also has a number of security advantages over IPv4, not the least
>> of which are "no broadcast address" and "virtually impossible to
>> comprehensively brute force scan".  That doesn't mean it can't be
>> scanned (the scans have to be more targeted and intelligent),
> ...
>
> The problem that I see is that any system to which I have ever made a
> connection now has a nice, routable IPv6 address back to the machine
> that made the connection and can start probing that machine to see if
> any vulnerable services might have been inadvertently left listening
> on that interface.  No problem if it's a well secured file server,
> but it could also be an internet-aware HDTV or video recorder where
> I have no control over the internal OS.  Sounds like all traffic will
> now have to have to be routed through an external IPv6 SPI firewall
> appliance.  You no doubt have one of those, but I certainly don't,
> and I suspect one would cost a bit more than my $35 NAT router, plus
> being a bit beyond the administrative abilities of the average home
> user.
>
You really have to look at the IP v6 spec.  First, YOU HAVE to use 
ipsec.  So, this eliminates some of the major problems with IP v4.
Second, blocks of addresses are going to be assigned like IP v4 today.  
You can block all of China if you want (or any other country/ISP/whatever).
Third, it is way more secure than IP v4.  It was designed that way.

NAT, by its nature, does not offer any of the above.  It offers 
obscurity, but that has been overcome.

James McKenzie

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux