>>>>> "John" == John Jason Jordan <[email protected]> writes:
Paul> You might want to check if your workstation has a global IPv6
Paul> address. If so, make sure you've got some sort of ingress
Paul> filtering, either at your border router or on each host.

John> My router has a firewall. Otherwise, I don't know why I should
John> be concerned. I've used computers behind the router for over a
John> decade and there has never been a problem. My previous router
John> didn't even have a firewall, and still never a problem.

John> I am aware of the existence of /64 IPv6 address space, but I
John> know zero about it. Does this increase security concerns?

Even though your DOCSIS 3 modem might support IPv6 now, your router (if it isn't very new) probably doesn't, so you *probably* don't have anything to worry about.

But, IPv6 generally means no Network Address Translation (the poor-man's firewall that has protected most people's LANs for the last decade plus or so from connections from the outside, as a side effect). No NAT means your host's IPv6 address (if it has a global one) is globally routable and anybody on the IPv6 interwebs can reach your host's IPv6 address.

Your router might now have an IPv6 address, but as long as it doesn't advertise it on the LAN, then your internal hosts won't have a globally routable IPv6 address and they are "safe". Newer routers are probably going to start coming with IPv6 out of the box though, so something to be aware of.

Run:

  $ ip a

and see if there are any inet6 addresses that don't start with 'f' (fe80 is a local prefix, 2000:... or 2001:... or suchlike are global).

On the other hand, an attacker trying to scan your /64 is likely going to wait a very very long time (2^64 is a LARGE NUMBER (not quite Avogadro's but in the general ballpark) and it will take MANY DAYS to check all of the possible addresses). If he can find out your address though (e.g. by seeing some of your IPv6 traffic), he can try to connect directly to your computer.

Your computer is free to ignore him, but it might not always when, in the fullness of time, you think it should have. Hence the need for greater firewally vigilance in the IPv6 context, or at least more consciousness about host security.

-- 
Russell Senior, President
[email protected]
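The `ip a` check described in the message above, as an added example that is not part of the original post: it classifies each inet6 address by prefix, which goes slightly beyond the first-letter rule of thumb because the kernel also labels fc00::/7 unique-local addresses "scope global". The function names and the sample output (built on the 2001:db8::/32 documentation prefix) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `ip -o -6 addr show` output on stdin and prints
# "<iface> <address> <class>" for every inet6 address found.
classify_inet6() {
    while read -r _idx iface family addr _rest; do
        [ "$family" = "inet6" ] || continue
        ip6=${addr%%/*}                          # drop the /prefixlen
        first=$(printf '%s' "$ip6" | cut -d: -f1 | tr 'A-F' 'a-f')
        case "$ip6" in
            ::1) class=loopback ;;
            *)
                case "$first" in
                    fe[89ab]?) class=link-local ;;    # fe80::/10, never routed
                    f[cd]??)   class=unique-local ;;  # fc00::/7, site-internal
                    ff??)      class=multicast ;;     # ff00::/8
                    [23]???)   class=global ;;        # 2000::/3, Internet-routable
                    *)         class=other ;;
                esac ;;
        esac
        printf '%s %s %s\n' "$iface" "$ip6" "$class"
    done
}

# Only the addresses an outside host could try to connect to.
global_inet6() {
    classify_inet6 | awk '$3 == "global" { print $1, $2 }'
}

# Constructed sample of `ip -o -6 addr show` output (not from a real host).
sample_ip_output() {
    cat <<'EOF'
1: lo    inet6 ::1/128 scope host
2: eth0    inet6 2001:db8:12:34:a00:27ff:fe4e:66a1/64 scope global dynamic
2: eth0    inet6 fd12:3456:789a:1:a00:27ff:fe4e:66a1/64 scope global
2: eth0    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link
EOF
}

# Demo on the sample; on a live host use: ip -o -6 addr show | global_inet6
sample_ip_output | classify_inet6
```

Any line reported as `global` is an address that needs inbound filtering at the router or on the host itself.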
