On Tue, Dec 7, 2010 at 10:29 AM, Bob McConnell rmcconne@lightlink.com wrote:
Adam Tauno Williams wrote:
On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
No, the downside is that each address used will be exposed to the world.
False. That is *NOT* a downside.
NAT is *NOT* a magic sauce - install a firewall [which you probably already have]. Problem solved.
I consider that a serious security flaw.
It is not.
Having my ISP know how many computers I have is a minor issue covered by the contract I have with them.
So you want to cheap on the legal contract you agreed to?
No, if they want too much money before I can install additional computers, I have several other choices, some of which will likely be less expensive. Currently, their TOS is not an issue.
But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.
The "Russian mobsters" can already do that; if you think NAT is protecting you from that then you are mistaken.
NAT hides the IP addresses of the computers inside my firewall. The only address exposed is the temporary address assigned to the firewall itself. That box can be run on the most secure OS I can find (currently one of the BSD's), and allows me to operate other systems behind it that aren't as well protected. This makes it significantly more difficult for those mobsters to penetrate my network.
Is 172.16.10.72 a private address of yours or of your ISP?