On 03/20/2016 11:36 AM, Xen wrote:
By the way, if UPnP was ever a problem in terms of NAT security, obviously the problem is much worse in IPv6, since there is not even any NAT and all devices are always exposed."Addressable" is NOT the same thing as "exposed". Any sane IPv6 router for the home (every one I have have seen so far) blocks all incoming connections by default - just like NAT effectively does. There is no operational difference for the clueless home owner. With a consumer firewall, selected ports can be "forwarded" through IP4 NAT to a selected internal IP. Similarly, selected ports can be unblocked for selected internal objects with an IP6 firewall. The only semi-valid criticism is that with IP4 NAT, the effective 48 bit (IP+ random 16 bit port) public address is periodically recycled to point to different internal objects. With IP6 sans NAT, the 128-bit (Subnet + random 64 bit host ip) public address, while random and periodically changing like IP4 NAT, is not recycled. A given IP only ever points to a single internal object. This could potentially reveal more information to someone logging IP+port on the outside. But it is not yet clear what exactly it would gain them. |