On 07/12/10 18:10, Bowie Bailey wrote:
> On 12/7/2010 11:36 AM, Tom H wrote:
>>
>> I have a route to his dsl router, which, assuming that the ipv4 and
>> ipv6 firewalls are as good at allowing/disallowing access, makes his
>> current ipv4 and his future ipv6 addresses equally accessible.
>
> I've been following the NAT debate here and something occurred to me.
>
> If you have an IPv4 network with NAT, an attacker doesn't need to know
> your internal IPs. All he needs is the IP to your router. NAT will
> nicely forward his packets along to whichever internal computer handles
> the port. With that one address, he can scan your entire network for
> any services available to the Internet.

To some degree, at least if the attacker breaks into the firewall. But to use this approach without breaking into the firewall you would need to forge network packets pretty well to be able to trick a firewall into passing packets from the outside to the inside, especially with stateful packet inspection, where the firewall would know if the connection is initiated from the inside or outside, and which inside client the connection belongs to.

> With an IPv6 network without NAT, an attacker would need to know the
> specific IP of the computer he wants to attack. There is no NAT to
> forward along his SSH attack to the correct computer. To scan your
> network for vulnerabilities, he would have to scan every port on every
> IP. Even if he can come up with a list of the IPs that are in use, this
> is still much more work than scanning a single (NATed) IP.

Bingo! You have caught the point exactly!

An attacker will not know for sure if there is a firewall in between or not. Most probably he will presume so. But he still doesn't know for sure the IPv6 address of that firewall, or even if there are more cascaded firewalls in front of a public IPv6 address. Traceroute might give some clues, but if it's a strict firewall just dropping packages, this can take a looong loooooong time.

kind regards,
David Sommerseth
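The stateful-inspection behaviour discussed in this thread, as an added Python model that is not part of the thread and not anyone's real firewall: unsolicited inbound packets are dropped unless they match connection-tracking state or an explicit forward/allow rule, so the NAT router exposes only its forwarded port on its one public address, while the IPv6 host is reachable only at its own specific address. All addresses, ports and hosts are constructed examples.

```python
# Constructed model of a stateful firewall (added example, not from the thread):
# inbound traffic is admitted only on matching conntrack state or an explicit rule.

class StatefulFirewall:
    def __init__(self, forwards=None):
        # Explicit inbound rules: (address, port) as seen from outside -> inside host.
        # For a NAT router this is a port forward; for IPv6 a plain allow rule.
        self.forwards = dict(forwards or {})
        # Connection table keyed by (remote_ip, remote_port, local_ip, local_port),
        # where local_* is what the remote sees (public IP:port under NAT,
        # the host's own global address without NAT), mapping to the inside host.
        self.state = {}

    def record_outbound(self, inside_host, local_ip, local_port, remote_ip, remote_port):
        """An inside host opened a connection; remember it so replies are admitted."""
        self.state[(remote_ip, remote_port, local_ip, local_port)] = inside_host

    def inbound(self, remote_ip, remote_port, dst_ip, dst_port):
        """Return the inside host that receives the packet, or None if it is dropped."""
        key = (remote_ip, remote_port, dst_ip, dst_port)
        if key in self.state:  # matches a connection opened from inside
            return self.state[key]
        return self.forwards.get((dst_ip, dst_port))  # explicit rule, else dropped


def reachable_from_outside(fw, addresses, ports, probe=("198.51.100.7", 40000)):
    """Map each (address, port) an unsolicited remote can reach to the host it lands on."""
    hits = {}
    for addr in addresses:
        for port in ports:
            host = fw.inbound(probe[0], probe[1], addr, port)
            if host is not None:
                hits[(addr, port)] = host
    return hits


# IPv4 behind NAT: one public address; ssh forwarded to an inside host (constructed).
nat = StatefulFirewall(forwards={("203.0.113.1", 22): "192.168.1.10"})
nat.record_outbound("192.168.1.20", "203.0.113.1", 50001, "198.51.100.9", 443)

# IPv6 without NAT: every host has a global address; only one allow rule (constructed).
v6 = StatefulFirewall(forwards={("2001:db8::10", 22): "2001:db8::10"})
v6.record_outbound("2001:db8::20", "2001:db8::20", 50001, "2001:db8:ffff::9", 443)

if __name__ == "__main__":
    print("NAT:", reachable_from_outside(nat, ["203.0.113.1"], [22, 80, 443]))
    print("IPv6:", reachable_from_outside(v6, ["2001:db8::10", "2001:db8::20"], [22, 80],
                                          probe=("2001:db8:ffff::7", 40000)))
```

A packet claiming to be a reply but arriving from a source that holds no state is dropped by `inbound`, which is the forging difficulty the reply above refers to.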