On 12/7/2010 11:36 AM, Tom H wrote:
> I have a route to his DSL router, which, assuming that the IPv4 and IPv6 firewalls are as good at allowing/disallowing access, makes his current IPv4 and his future IPv6 addresses equally accessible.
I've been following the NAT debate here and something occurred to me.
If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port. With that one address, he can scan your entire network for any services available to the Internet.
With an IPv6 network without NAT, an attacker would need to know the specific IP of the computer he wants to attack. There is no NAT to forward along his SSH attack to the correct computer. To scan your network for vulnerabilities, he would have to scan every port on every IP. Even if he can come up with a list of the IPs that are in use, this is still much more work than scanning a single (NATed) IP.