zlacker

10 comments
1. rcxdud+(OP) 2024-06-01 11:36:58
I mean, they'd need to figure out your IP address beforehand, something that's a lot harder with IPv6. You've also got a much better chance of punching a packet through a NAT than an IPv6 firewall (and it's now expected behaviour for a lot of applications, as NAT makes it too difficult to just make connections directly).
replies(2): >>Legion+12 >>rainon+e6
2. Legion+12 2024-06-01 11:57:35
>>rcxdud+(OP)
Wouldn't IPv6 firewalls configured for typical users (i.e., denying unrecognized incoming connections) pose a similar barrier to making direct connections reliably on the application level? Not every user will be willing or able to open a hole in their firewall for every shiny new application that wants one.
3. rainon+e6 2024-06-01 12:40:01
>>rcxdud+(OP)
They wouldn't need to figure out anything. The "kids and enemy states" are just hosing address ranges. I don't agree with the above commenter that NAT offers any meaningful security in this regard (now they're just hosing your consumer router instead which is probably less secure than the average updates-installed Defender-enabled Windows box). But you're both making points about security through obscurity in different ways.
replies(2): >>tflol+Z7 >>throw0+n31
4. tflol+Z7 2024-06-01 12:57:42
>>rainon+e6
> now they're just hosing your consumer router

There is a dramatic difference in effort between ( owning a device ) and ( owning a router, configuring network access to the device, then owning the device ).

Also psychologically: If I was a rock hard piece of shit and I knew I was at the doorstep of a personal device, I would treat it much more aggressively than a router. I suppose maybe that's just me and not the kids and enemy states.

replies(1): >>rainon+I9
5. rainon+I9 2024-06-01 13:11:50
>>tflol+Z7
I mean, I don't know why you would when the router potentially gives you a foothold across many devices instead of one and the router is likely running multiple services. Yes, that is just you; the threat model I'm describing is widespread automated attacks, not individual or particularly motivated.
replies(1): >>tflol+aa
6. tflol+aa 2024-06-01 13:16:36
>>rainon+I9
You're saying there's less incentive for widespread automated attacks on personal devices?

edit: Changing the subject to insulting me is a bad way to conclude. You're creating an illusion the debate is concluded in your favor instead of responding to points. I don't think any of my points had a sound argument against them.

replies(1): >>rainon+Hc
7. rainon+Hc 2024-06-01 13:39:30
>>tflol+aa
No brother, I'm not, but I'm starting to feel that what I am saying might be beyond the likelihood of comprehension. Look, I'm a big fan of NAT. Huge. It's not a security control. Neither is v6. It sure is cool though.
8. throw0+n31 2024-06-01 20:41:46
>>rainon+e6
> The "kids and enemy states" are just hosing address ranges.

If you could scan one million addresses every second it would take about 500,000 years to scan just one /64. Not sure how practical that would be.

When I was still with an ISP that did IPv6, my Asus would block any incoming connection attempt unless it was a reply (SPI firewall), though it may have (IIRC) allowed pings in by default.

replies(2): >>tflol+3A1 >>rainon+VC1
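The sweep arithmetic behind the "500,000 years" figure, and the caveat a scanner actually relies on: the /64 is only unsearchable when the interface ID is random. This is an added example, not code from the thread; the scenario bit-widths (random IIDs, EUI-64 with a known vendor OUI, hand-picked low suffixes) are assumptions about common address-assignment practice, not data from the discussion.

```python
# Added example, not from the thread: how long a linear sweep of an address
# space takes, and how far that shrinks when interface IDs are predictable.
# The scenario bit-widths are assumptions about common address assignment
# practice (random IIDs vs. EUI-64 vs. hand-picked low suffixes), not data
# from the discussion.
SECONDS_PER_YEAR = 365.25 * 86_400


def host_bits(prefix_len: int, total_bits: int = 128) -> int:
    """Number of host bits left after a prefix (e.g. a /64 of IPv6 -> 64)."""
    if not 0 <= prefix_len <= total_bits:
        raise ValueError("prefix length out of range")
    return total_bits - prefix_len


def sweep_seconds(bits: int, probes_per_second: float) -> float:
    """Seconds to send one probe to every one of 2**bits addresses."""
    if bits < 0 or probes_per_second <= 0:
        raise ValueError("bits must be >= 0 and rate > 0")
    return (2 ** bits) / probes_per_second


def sweep_years(bits: int, probes_per_second: float) -> float:
    """Same sweep expressed in years."""
    return sweep_seconds(bits, probes_per_second) / SECONDS_PER_YEAR


# Effective search space, in bits, for a scanner that already knows the /64
# prefix (assumed scenarios; EUI-64 = 24-bit OUI + 24-bit serial + fixed ff:fe).
SCENARIOS = {
    "random 64-bit interface ID (privacy or stable-random IIDs)": 64,
    "EUI-64 IID with the NIC vendor OUI known (24-bit serial)": 24,
    "hand-assigned low suffix, ::1 through ::ffff": 16,
    "the whole IPv4 internet, for comparison": 32,
}


def sweep_table(probes_per_second: float) -> dict:
    """Years needed for each scenario at the given probe rate."""
    return {name: sweep_years(bits, probes_per_second)
            for name, bits in SCENARIOS.items()}


if __name__ == "__main__":
    for name, years in sweep_table(1e6).items():
        print(f"{name:62s} {years:>12.3g} years")
```

At one million probes per second the random /64 case comes out a little under 585,000 years, the IPv4 internet at just over an hour, and the EUI-64-with-known-OUI case at under twenty seconds; the point is that the defence is the entropy of the interface ID, not the prefix length.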
9. tflol+3A1 2024-06-02 02:48:33
>>throw0+n31
SPI firewall looks interesting, appreciate the education.
10. rainon+VC1 2024-06-02 03:31:28
>>throw0+n31
Yeah that is an absolutely bonkers amount of time so you're probably right in that the approach of low-effort wide net-casting attackers would have to change. I'm curious to know how Shodan etc. deal with this.
replies(1): >>kalleb+wP1
11. kalleb+wP1 2024-06-02 06:35:13
>>rainon+VC1
Shodan ran an NTP pool time server on IPv6 and harvested the addresses of machines that checked in to get the time. Pretty clever.
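The harvesting trick described above, as an added example that is not Shodan's or the NTP Pool's code: a minimal NTPv4 responder that answers mode-3 client queries well enough to be accepted, with the source address of every querier recorded as a side effect. The class name, the sample client addresses and the timestamps are constructed for the demo.

```python
# Added example, not Shodan's or the NTP Pool's code: a minimal NTPv4
# responder that answers client queries (mode 3) and records every source
# address it hears from. Addresses and timestamps are constructed for the demo.
import ipaddress
import struct
from collections import Counter
from typing import List, Optional

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 to 1970-01-01
NTP_FMT = "!BBBbIIIQQQQ"            # li/vn/mode, stratum, poll, precision,
                                    # root delay, root dispersion, ref id,
                                    # ref/origin/receive/transmit timestamps
NTP_LEN = struct.calcsize(NTP_FMT)  # 48 bytes
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp_timestamp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return (((whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF) << 32) | (frac & 0xFFFFFFFF)


def build_client_request(unix_seconds: float, version: int = 4) -> bytes:
    """The query an SNTP client sends: LI=0, version, mode 3, transmit timestamp set."""
    first = (version << 3) | MODE_CLIENT
    return struct.pack(NTP_FMT, first, 0, 0, 0, 0, 0, 0,
                       0, 0, 0, to_ntp_timestamp(unix_seconds))


def parse_packet(packet: bytes) -> dict:
    """Decode the header fields a client checks when validating a reply."""
    f = struct.unpack(NTP_FMT, packet[:NTP_LEN])
    return {"version": (f[0] >> 3) & 7, "mode": f[0] & 7, "stratum": f[1],
            "origin": f[8], "receive": f[9], "transmit": f[10]}


class HarvestingNtpServer:
    """Serves time like any pool member; the side effect is the address log."""

    def __init__(self, stratum: int = 2, refid: bytes = b"GPS\x00"):
        self.stratum = stratum
        self.refid = struct.unpack("!I", refid)[0]
        self.seen = Counter()   # source address -> number of queries

    def handle(self, src_ip: str, packet: bytes, now: float) -> Optional[bytes]:
        """Return a mode-4 reply for a valid mode-3 query, else None."""
        if len(packet) < NTP_LEN:
            return None
        version, mode = (packet[0] >> 3) & 7, packet[0] & 7
        if mode != MODE_CLIENT or version not in (3, 4):
            return None
        self.seen[src_ip] += 1                           # the harvest
        origin = struct.unpack("!Q", packet[40:48])[0]   # echo client's transmit ts
        recv = xmit = to_ntp_timestamp(now)
        first = (version << 3) | MODE_SERVER
        return struct.pack(NTP_FMT, first, self.stratum, 6, -20,
                           0, 0, self.refid, recv, origin, recv, xmit)

    def harvested(self, ip_version: int = 6) -> List[str]:
        """Distinct client addresses of one IP version, sorted."""
        return sorted(a for a in self.seen
                      if ipaddress.ip_address(a).version == ip_version)


if __name__ == "__main__":
    srv = HarvestingNtpServer()
    t0 = 1_717_200_000.25   # constructed "now"
    for ip in ("2001:db8:1::2", "2001:db8:1::2", "2001:db8:ffff::10", "192.0.2.7"):
        reply = srv.handle(ip, build_client_request(t0), t0 + 0.01)
        assert reply is not None and parse_packet(reply)["mode"] == MODE_SERVER
    print("IPv6 clients seen:", srv.harvested(6))
```

Wiring `handle()` to a UDP socket bound to port 123 is the only missing piece; the reply echoes the client's transmit timestamp as the origin field, which is what makes a standard client accept it, and the address log is filled without sending a single probe into a /64.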