[CentOS] IPV4 is nearly depleted, are you ready for IPV6?

Bowie Bailey Bowie_Bailey at BUC.com
Tue Dec 7 17:52:36 UTC 2010


On 12/7/2010 12:43 PM, David Sommerseth wrote:
> On 07/12/10 18:10, Bowie Bailey wrote:
>> On 12/7/2010 11:36 AM, Tom H wrote:
>>> I have a route to his dsl router, which, assuming that the ipv4 and
>>> ipv6 firewalls are as good at allowing/disallowing access, makes his
>>> current ipv4 and his future ipv6 addresses equally accessible.
>> I've been following the NAT debate here and something occurred to me.
>>
>> If you have an IPv4 network with NAT, an attacker doesn't need to know
>> your internal IPs.  All he needs is the IP to your router.  NAT will
>> nicely forward his packets along to whichever internal computer handles
>> the port.  With that one address, he can scan your entire network for
>> any services available to the Internet.
> To some degree, at least if the attacker breaks into the firewall.
>
> But to use this approach without breaking into the firewall you would
> need to forge network packets pretty well to be able to trick a firewall
> to pass on packets from the outside to the inside, especially on
> stateful packet inspection, where the firewall would know if the
> connection is initiated from the inside or outside, and to which inside
> client the connection belongs.

I wasn't referring to breaking into the firewall or forging packets.  I
was just referring to using the normal operation of the NAT to forward
(for example) an SSH attack to the computer on the network that accepts
SSH connections.

Stateful packet inspection works the same way regardless of whether or
not you have NAT or IPv6, so it is mostly irrelevant to this discussion.

-- 
Bowie
