[CentOS] IPV4 is nearly depleted, are you ready for IPV6?

Tue Dec 7 17:43:07 UTC 2010
David Sommerseth <dazo at users.sourceforge.net>

On 07/12/10 18:10, Bowie Bailey wrote:
> On 12/7/2010 11:36 AM, Tom H wrote:
>>
>> I have a route to his dsl router, which, assuming that the ipv4 and
>> ipv6 firewalls are as good at allowing/disallowing access, makes his
>> current ipv4 and his future ipv6 addresses equally accessible.
> 
> I've been following the NAT debate here and something occurred to me.
> 
> If you have an IPv4 network with NAT, an attacker doesn't need to know
> your internal IPs.  All he needs is the IP to your router.  NAT will
> nicely forward his packets along to whichever internal computer handles
> the port.  With that one address, he can scan your entire network for
> any services available to the Internet.

To some degree, at least if the attacker breaks into the firewall.

But to use this approach without breaking into the firewall you would
need to forge network packets pretty well to be able to trick a firewall
to pass on packets from the outside to the inside, especially on
stateful packet inspection, where the firewall would know if the
connection is initiated from the inside or outside, and to which inside
client the connection belongs to.

> With an IPv6 network without NAT, an attacker would need to know the
> specific IP of the computer he wants to attack.  There is no NAT to
> forward along his SSH attack to the correct computer.  To scan your
> network for vulnerabilities, he would have to scan every port on every
> IP.  Even if he can come up with a list of the IPs that are in use, this
> is still much more work than scanning a single (NATed) IP.
> 

Bingo!  You have caught the point exactly!

An attacker will not know for sure if there is a firewall in between or
not.  Most probably he will presume so.  But he still doesn't know for
sure the IPv6 address of that firewall, or even if there are more
cascaded firewalls in front of a public IPv6 address.  Traceroute might
give some clues, but if it's a strict firewall just dropping packages,
this can take a looong loooooong time.


kind regards,

David Sommerseth
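
Added example (not part of the original thread): a toy Python model of the stateful packet inspection described in the reply above, on an IPv6 network without NAT, showing that inbound packets pass only as replies to inside-initiated flows or to a deliberately published service. The class name, prefix, addresses and the published mail service are constructed assumptions; real connection tracking also follows TCP state and timeouts.

```python
import ipaddress
from collections import namedtuple

# Constructed sample data: all addresses come from the IPv6 documentation prefix.
Packet = namedtuple("Packet", "src sport dst dport proto")
INSIDE = "2001:db8:1::/64"
CLIENT, MAIL = "2001:db8:1::10", "2001:db8:1::25"
WEB, SCANNER = "2001:db8:ffff::80", "2001:db8:bad::1"

class StatefulFilter:
    """Toy connection tracker; inside hosts keep their global addresses (no NAT)."""

    def __init__(self, inside_prefix, published=()):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.published = set(published)   # (dst, dport, proto) opened on purpose
        self.flows = set()                # flows initiated from the inside

    def _is_inside(self, addr):
        return ipaddress.ip_address(addr) in self.inside

    def handle(self, pkt):
        """Return 'ACCEPT' or 'DROP' for one packet crossing the firewall."""
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            # Outbound: remember the flow so its reply can be matched later.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "ACCEPT"
        if self._is_inside(pkt.dst):
            # Inbound: must be the exact reverse of a tracked flow...
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            if reverse in self.flows:
                return "ACCEPT"
            # ...or aimed at a service the administrator published.
            if (pkt.dst, pkt.dport, pkt.proto) in self.published:
                return "ACCEPT"
        return "DROP"

def demo():
    fw = StatefulFilter(INSIDE, published={(MAIL, 25, "tcp")})
    packets = [
        Packet(CLIENT, 40000, WEB, 443, "tcp"),     # inside host opens a connection
        Packet(WEB, 443, CLIENT, 40000, "tcp"),     # matching reply
        Packet(WEB, 443, CLIENT, 40001, "tcp"),     # looks like a reply, wrong port
        Packet(SCANNER, 55555, CLIENT, 22, "tcp"),  # unsolicited probe of the client
        Packet(SCANNER, 55555, MAIL, 25, "tcp"),    # published mail service
    ]
    return [fw.handle(p) for p in packets]

if __name__ == "__main__":
    print(demo())
```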