[afripv6-discuss] What are the benefits of IPv6 over IPv4

Heinrich Strauss heinrich at hstrauss.co.za
Sun Jun 3 21:05:10 SAST 2012

Hi, Kondwani.

On 2012/06/03 19:44, Kondwani C. Hara wrote:
> While direct communication seems a good idea, direct communication 
> exposes devices to direct attack. Where NAT existed, it was easier to 
> limit the attacks by opening up to the public only services that are 
> accessible to the public.
> Linux or most Unix machines operating as servers, are hardened against 
> remote attacks. Workstations are hardened against local access. 
> Putting these on ipv6 will leave many workstations very vulnerable.
> The attacks on smartphones especially Android, seem to have been worse 
> and difficult to manage due the little attention on security they 
> might have received owing to the fact that its still work in progress.
> Exposing these to the chainability of ipv6 is really a Security disaster.
> That's a big bug ipv6 has.
Remember that NATv4 is only perceived security; there have been 
advancements since its initial inception that tear holes through this 
perceived security veil quite invisibly to users (e.g. UPnP), which is 
an even bigger security risk, IMO. A big eye-opener was a Defcon18 talk 
"How I Met Your Girlfriend" [1] by Samy Kamkar.

For your servers, nothing prevents a sweeping policy like:
     For the servers' /64, drop anything that's not HTTP, HTTPS, SMTP to 
mailservers, etc

on the border of your network (with a firewall or access-list) and then 
routing that to servers or more firewalls.

If clients (who are supposed to get IPv6 allocations) are not known to 
be responsible (read: easily bot-infected), notify them of your policy 
(law-permitting) and filter outbound SMTP from their networks until they 
request it be re-enabled and accept responsibility for the potential 
network abuse.

NAT was not intended to be a firewall-replacement; that's just a 
side-effect! ;)


[1] http://www.youtube.com/watch?v=fEmO7wQKCMw

More information about the afripv6-discuss mailing list