zlacker

[parent] [thread] 14 comments
1. tflol+(OP)[view] [source] 2024-06-01 11:07:07
This looks like the usual ipv6 kool aid batshit. I don't want a bunch of kids and enemy states poking at and port scanning my laptop directly, regardless of whether or not I have a firewall enabled.

And, no, I don't think it's practical for everyone and their grandma to "just set up a bastion"

replies(3): >>rcxdud+o3 >>utensi+JY >>scrps+Sm1
2. rcxdud+o3[view] [source] 2024-06-01 11:36:58
>>tflol+(OP)
I mean, they'd need to figure out your IP address beforehand, something that's a lot harder with ipv6. You've also got a much better chance of punching a packet through a NAT than an ipv6 firewall (and it's now expected behaviour for a lot of applications, as NAT makes it too difficult to just make connections directly).
replies(2): >>Legion+p5 >>rainon+C9
◧◩
3. Legion+p5[view] [source] [discussion] 2024-06-01 11:57:35
>>rcxdud+o3
Wouldn't IPv6 firewalls configured for typical users (i.e., denying unrecognized incoming connections) pose a similar barrier to making direct connections reliably on the application level? Not every user will be willing or able to open a hole in their firewall for every shiny new application that wants one.
◧◩
4. rainon+C9[view] [source] [discussion] 2024-06-01 12:40:01
>>rcxdud+o3
They wouldn't need to figure out anything. The "kids and enemy states" are just hosing address ranges. I don't agree with the above commenter that NAT offers any meaningful security in this regard (now they're just hosing your consumer router instead which is probably less secure than the average updates-installed Defender-enabled Windows box). But you're both making points about security through obscurity in different ways.
replies(2): >>tflol+nb >>throw0+L61
◧◩◪
5. tflol+nb[view] [source] [discussion] 2024-06-01 12:57:42
>>rainon+C9
> now they're just hosing your consumer router

There is a dramatic difference in effort between (owning a device) and (owning a router, configuring network access to the device, then owning the device).

Also psychologically: If I was a rock hard piece of shit and I knew I was at the doorstep of a personal device, I would treat it much more aggressively than a router. I suppose maybe that's just me and not the kids and enemy states.

replies(1): >>rainon+6d
◧◩◪◨
6. rainon+6d[view] [source] [discussion] 2024-06-01 13:11:50
>>tflol+nb
I mean, I don't know why you would when the router potentially gives you a foothold across many devices instead of one and the router is likely running multiple services. Yes, that is just you; the threat model I'm describing is widespread automated attacks, not individual or particularly motivated.
replies(1): >>tflol+yd
◧◩◪◨⬒
7. tflol+yd[view] [source] [discussion] 2024-06-01 13:16:36
>>rainon+6d
You're saying there's less incentive for widespread automated attacks on personal devices?

edit: Changing the subject to insulting me is a bad way to conclude. You're creating an illusion the debate is concluded in your favor instead of responding to points. I don't think any of my points had a sound argument against them.

replies(1): >>rainon+5g
◧◩◪◨⬒⬓
8. rainon+5g[view] [source] [discussion] 2024-06-01 13:39:30
>>tflol+yd
No brother, I'm not, but I'm starting to feel that what I am saying might be beyond the likelihood of comprehension. Look, I'm a big fan of NAT. Huge. It's not a security control. Neither is v6. It sure is cool though.
9. utensi+JY[view] [source] 2024-06-01 19:29:42
>>tflol+(OP)
Yeah, I think it is very explicitly a bad thing for all devices to be directly exposed to the entire internet, firewall or no. NAT is a pain, sure, but it does have the benefit of forcing you to have a network isolated from the internet, and only allow external access when explicitly configured to do so.

I have exactly one machine which needs to be accessible from outside the local network. The rest of them should never be. Do I want to spend extra time ensuring that each and every single device on my network is secure, or do I want to do the inverse and assume all devices are secure and only spend effort to make the one machine exposed?

I can't imagine anyone who would actually want or need their WiFi toaster to be publicly routable, WiFi cameras, every computer. There's absolutely no reason for it. Instead of relying on network isolation, we expect users to just implicitly rely on who knows how many different firewall implementations. Hopefully your router configures it by default.

replies(1): >>semi+RC1
◧◩◪
10. throw0+L61[view] [source] [discussion] 2024-06-01 20:41:46
>>rainon+C9
> The "kids and enemy states" are just hosing address ranges.

If you could scan one million addresses every second it would take about 500,000 years to scan just one /64. Not sure how practical that would be.

When I was still with an ISP that did IPv6, my Asus would block any incoming connection attempt unless it was a reply (SPI firewall), though it may have (IIRC) allowed pings in by default.

replies(2): >>tflol+rD1 >>rainon+jG1
11. scrps+Sm1[view] [source] 2024-06-01 23:12:41
>>tflol+(OP)
This is also spec for IPv4; it was intended to be as publicly routable as IPv6 is. NAT is just a consequence of everyone realizing circa the early 90s (iirc) that IPv4 addresses would run out at the rate the network was growing. Yes, NAT acts as an inbound default-deny firewall, but that isn't its purpose.

You have a router; it has a firewall that is meant to be used to control access to the network. You don't have to assign rules to every device; you can assign default interface rules that apply to any connection.

Just because you get a publicly routable address doesn't mean the internet defines physics and hops over your router and firewall.

Also, as an aside: perimeter security is a very outdated way of looking at security. Yes, the perimeter is still important, but if it is your first and only line of defense you are gonna be in for a bad time. Defense in depth, as it is called, where you look at your systems and networks as layers of an onion, is the more modern standard, and NAT as a security mechanism has never been standard in either, because it isn't one.

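Comments 10 and 11 describe the same defensive building block from two angles: a stateful (SPI) firewall on the router that drops unsolicited inbound traffic by default, with per-interface rules rather than per-device ones, and an explicit exception for the one machine that must be reachable. Below is an added example of such a ruleset in nftables syntax. It is not from the thread, from Asus, or from any project mentioned here; the interface names wan0 and lan0, the decision to allow inbound ping (as the Asus in comment 10 apparently did), and the 2001:db8::10 host address are all assumptions or placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example: stateful default-deny ruleset for a dual-stack home router.
# Interface names wan0/lan0 are assumptions; adjust to the real device.
flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the router itself: dropped unless a rule below allows it.
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Everything from the LAN side may reach the router (DNS, DHCP, admin UI).
        iifname "lan0" accept

        # IPv6 does not work without ICMPv6: neighbour discovery, router
        # advertisements and path-MTU discovery all depend on it.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert } accept

        # Inbound ping is allowed here, matching the default the thread describes;
        # delete these two lines to drop echo requests from the WAN.
        icmpv6 type echo-request accept
        icmp type echo-request accept

        # DHCPv6 client replies from the ISP arrive from link-local addresses.
        iifname "wan0" ip6 saddr fe80::/10 udp dport 546 accept

        # Anything else arriving on the WAN falls through to the chain policy: drop.
    }

    chain forward {
        # Traffic crossing the router between LAN and WAN. This chain is what
        # makes globally routable IPv6 hosts as unreachable as NATed ones.
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN hosts may initiate outbound connections; replies return via ct state.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 errors must reach LAN hosts for path-MTU discovery to work.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem } accept

        # The single explicit exception (comment 9): one host, one port.
        # 2001:db8::10 is a documentation-prefix placeholder; replace it.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8::10 tcp dport 22 accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Check the file with `nft -c -f ruleset.nft` before loading it, then confirm with `nft list ruleset`. The interface-level accept for lan0 and the default-drop forward policy are the "default interface rules" of comment 11: no per-device entries, and a new WiFi camera or toaster is unreachable from the WAN until a line like the SSH exception is added for it.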
◧◩
12. semi+RC1[view] [source] [discussion] 2024-06-02 02:39:16
>>utensi+JY
Are you sure about that 'never'? That no device will ever try to use p2p connections?

Even then I'd still rather ensure every device is appropriately firewalled. 'Not worrying about it' sounds like a hardened shell with a juicy center. What happens when a device does get compromised and tries to spread to your local network?

◧◩◪◨
13. tflol+rD1[view] [source] [discussion] 2024-06-02 02:48:33
>>throw0+L61
SPI firewall looks interesting, appreciate the education.
◧◩◪◨
14. rainon+jG1[view] [source] [discussion] 2024-06-02 03:31:28
>>throw0+L61
Yeah that is an absolutely bonkers amount of time so you're probably right in that the approach of low-effort wide net-casting attackers would have to change. I'm curious to know how Shodan etc. deal with this.
replies(1): >>kalleb+US1
◧◩◪◨⬒
15. kalleb+US1[view] [source] [discussion] 2024-06-02 06:35:13
>>rainon+jG1
Shodan ran an NTP pool time server on IPv6 and harvested the addresses of machines that checked in to get the time. Pretty clever.