On Tue, 2010-12-07 at 10:49 -0500, Bob McConnell wrote:
> > There _is_ more information leakage with ipv6, in the sense that you are
> > using a real ip from an internal machine on the connection. But the
> > point is that the security benefit of that is largely illusory, security
> > by obscurity.
> No, it is not FUD,

It is FUD.

> it is a real concern by people with much to lose.
> Those of you evangelizing this new, and still unproven technology can't
> seem to recognize this simple fact.

Calling IPv6 "unproved" is absurd. It is widely deployed and used extensively. Security is/was taken very seriously in the design.

> I consider that information leakage to be very significant.

You have a huge address pool - periodically change your address if you feel that is significant. That certainly adds more obfuscation than IPv4 NAT ever did.

> It advertises the presence of another computer with explicit information on
> where to reach it.

You already do that with every e-mail message and HTTP request. Do you obscure the User-Agent string in all your traffic? (You're not using Thunderbird 2.0.0.24 in X-Windows?) Because that information is just as [if not more] valuable to a potential attacker than your firewalled address.

> It increases my risk of being penetrated by someone I probably
> don't want rummaging around in my files. But I don't see any additional
> protection being offered to replace what is being taken away.

You are on a network - you can always disconnect the drive. If you really feel *NAT* is really that critical to hiding your data this seems a very reasonable option. Because NAT is providing only an extremely trivial additive to security you feel you need.