On Tue, 2010-12-07 at 10:49 -0500, Bob McConnell wrote:
There _is_ more information leakage with ipv6, in the sense that you are using a real ip from an internal machine on the connection. But the point is that the security benefit of that is largely illusory, security by obscurity.
No, it is not FUD,
It is FUD.
it is a real concern by people with much to lose. Those of you evangelizing this new and still unproven technology can't seem to recognize this simple fact.
Calling IPv6 "unproved" is absurd. It is widely deployed and used extensively. Security is/was taken very seriously in the design.
I consider that information leakage to be very significant.
You have a huge address pool - periodically change your address if you feel that is significant. That certainly adds more obfuscation than IPv4 NAT ever did.
It advertises the presence of another computer with explicit information on where to reach it.
You already do that with every e-mail message and HTTP request. Do you obscure the User-Agent string in all your traffic? (You're not using Thunderbird 2.0.0.24 in X-Windows?) Because that information is just as [if not more] valuable to a potential attacker than your firewalled address.
It increases my risk of being penetrated by someone I probably don't want rummaging around in my files. But I don't see any additional protection being offered to replace what is being taken away.
You are on a network - you can always disconnect the drive. If you really feel *NAT* is really that critical to hiding your data this seems a very reasonable option. Because NAT is providing only an extremely trivial additive to security you feel you need.