[CentOS] IPV4 is nearly depleted, are you ready for IPV6?

Tue Dec 7 17:10:20 UTC 2010
Bowie Bailey <Bowie_Bailey at BUC.com>

On 12/7/2010 11:36 AM, Tom H wrote:
> I have a route to his dsl router, which, assuming that the ipv4 and
> ipv6 firewalls are as good at allowing/disallowing access, makes his
> current ipv4 and his future ipv6 addresses equally accessible.

I've been following the NAT debate here and something occurred to me.

If you have an IPv4 network with NAT, an attacker doesn't need to know
your internal IPs.  All he needs is the IP to your router.  NAT will
nicely forward his packets along to whichever internal computer handles
the port.  With that one address, he can scan your entire network for
any services available to the Internet.

With an IPv6 network without NAT, an attacker would need to know the
specific IP of the computer he wants to attack.  There is no NAT to
forward along his SSH attack to the correct computer.  To scan your
network for vulnerabilities, he would have to scan every port on every
IP.  Even if he can come up with a list of the IPs that are in use, this
is still much more work than scanning a single (NATed) IP.