[CentOS] IPV4 is nearly depleted, are you ready for IPV6?

Tue Dec 7 18:15:53 UTC 2010
David Sommerseth <dazo at users.sourceforge.net>

On 07/12/10 18:52, Bowie Bailey wrote:
> On 12/7/2010 12:43 PM, David Sommerseth wrote:
>> On 07/12/10 18:10, Bowie Bailey wrote:
>>> On 12/7/2010 11:36 AM, Tom H wrote:
>>>> I have a route to his dsl router, which, assuming that the ipv4 and
>>>> ipv6 firewalls are as good at allowing/disallowing access, makes his
>>>> current ipv4 and his future ipv6 addresses equally accessible.
>>> I've been following the NAT debate here and something occurred to me.
>>>
>>> If you have an IPv4 network with NAT, an attacker doesn't need to know
>>> your internal IPs.  All he needs is the IP to your router.  NAT will
>>> nicely forward his packets along to whichever internal computer handles
>>> the port.  With that one address, he can scan your entire network for
>>> any services available to the Internet.
>> To some degree, at least if the attacker breaks into the firewall.
>>
>> But to use this approach without breaking into the firewall you would
>> need to forge network packets pretty well to be able to trick a firewall
>> to pass on packets from the outside to the inside, especially on
>> stateful packet inspection, where the firewall would know if the
>> connection is initiated from the inside or outside, and to which inside
>> client the connection belongs to.
> 
> I wasn't referring to breaking into the firewall or forging packets.  I
> was just referring to using the normal operation of the NAT to forward
> (for example) an SSH attack to the computer on the network that accepts
> SSH connections.

Ahh, well, yeah. With NAT, you will expose your single public IP address
no matter what, providing a good surface for starting an attack
immediately, no matter who is doing what on the inside.  Your public IP
address will be available in all kind of logs and mail headers - and
with more users on the inside using the Internet, the more likely it is
that someone will find your address interesting.

But that won't be much more different with IPv6, except that you spread
the attack surface over multiple IP addresses in a huge address scope.
But then by using the IPv6 Privacy Extensions, it will be more like
shooting on a moving target.  The public IP address being used today
might not be the same which was used yesterday, or even some hours ago.

However, if someone uses a public IPv6 address for SSH from the outside
world, that IPv6 address will need to be static and "known".  And a
static IPv6 address is still just as vulnerable for an attack as any
public IPv4 address.   But finding this IP address will be much more
difficult due to the different huge address scope, unless there's a DNS
pointer to it from www.my-own-cool-site.com.

> Stateful packet inspection works the same way regardless of whether or
> not you have NAT or IPv6, so it is mostly irrelevant to this discussion.

Absolutely true.


kind regards,

David Sommerseth