[CentOS] IPV4 is nearly depleted, are you ready for IPV6?

Tue Dec 7 17:26:30 UTC 2010
David Sommerseth <dazo at users.sourceforge.net>

On 07/12/10 16:45, Adam Tauno Williams wrote:
> On Tue, 2010-12-07 at 10:32 -0500, Tom H wrote: 
>> On Tue, Dec 7, 2010 at 10:29 AM, Bob McConnell <rmcconne at lightlink.com> wrote:
>>> Adam Tauno Williams wrote:
>>>> On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote:
>>>>>> IPv6 is not broken by design. NAT was implemented to extend the time
>>>>>> until IPv4 exhaustion. A side effect was hiding the internal IPv4
>>>>>> address, which complicates a number of protocols like FTP and SIP. The
>>>>>> only downside I see is ISPs could try and charge based on the number
>>>>>> of IPv6 addresses being used.
>>>>> No, the downside is that each address used will be exposed to the world.
>>>> False.  That is *NOT* a downside.
>>>> NAT is *NOT* a magic sauce - install a firewall [which you probably
>>>> already have].  Problem solved.
>>>>> I consider that a serious security flaw.
>>>> It is not.
>>>>> Having my ISP know how many
>>>>> computers I have is a minor issue covered by the contract I have with
>>>>> them.
>>>> So you want to cheap on the legal contract you agreed to?
>>> No, if they want too much money before I can install additional
>>> computers, I have several other choices, some of which will likely be
>>> less expensive. Currently, their TOS is not an issue
>>>>> But having all of those addresses exposed to Russian mobsters,
>>>>> terrorists, crackers and everyone else that knows how to capture packets
>>>>> is another matter altogether. If IPv6 exposes that information to the
>>>>> world, it is definitely unsafe to use.
>>>> The "Russian mobsters" can already do that; if you think NAT is
>>>> protecting you from that then you are mistaken.
>>> NAT hides the IP addresses of the computers inside my firewall. The only
>>> address exposed is the temporary address assigned to the firewall
>>> itself. That box can be run on the most secure OS I can find (currently
>>> one of the BSD's), and allows me to operate other systems behind it that
>>> aren't as well protected. This makes it significantly more difficult for
>>> those mobsters to penetrate my network.
>> Is 172.16.10.72 a private address of yours or of your ISP?
> 
> +1
> 
> NAT isn't doing what Bob McConnell thinks it is.  Any "russian mobster"
> can afford to hire a halfway decent hacker who will only laugh at the
> obfuscation added by NAT.  Determining how many computers, and quite a
> bit of detail about them, are behind a NAT is not hard.  You just watch
> the traffic and these things reveal themselves.  Your traffic can be
> compromised just as easily with or without NAT.  Very few actually
> useful attacks on a host require direct access to the interface;
> stateful firewalls made such vectors pretty useless a long time ago.

You mean something along the way ... "Oh, this Bob uses 172.16.10.72 ...
let's run some traceroutes towards his gateway.  That could be
64.57.176.18, right?   Then we can just setup a direct route from us to
his 172.16.10.0/24 network.  Wait! Lets add 172.16.0.0/12, just to be
sure we hit the right path"


kind regards,

David Sommerseth