Re: Security over IPv6 networks
On Wednesday, March 12, 2003, at 11:12 AM, BEGIN, Thomas wrote:
> But on the other hand, isn't it dangerous to address machines with
> global unicast addresses and thus make them reachable directly from
> anywhere and by anybody...
The 'thus' is not warranted. Assigning unique addresses does not mean
they are globally reachable. As a simple counter example, consider what
happens if you unplug your router's upstream connection(s). As a more
realistic one, stateful packet filters (like Linux iptables) can allow
only outgoing connections. Non-stateful ones can even block SYN packets
in one direction, or block certain ports, IPs, etc. You can do this
with IPv4 today, or with IPv6.
"Globally unique IP address" does not imply "globally reachable" or
"not firewalled."
Further, IPv6 gives you some security that IPv4 didn't (besides
mandatory IPsec): a sparse address space. With IPv4, many worms have
taken to attacking random addresses. It's very effective, because it
only takes several probes to find a machine. It's how the SQL worm
works, it's how Nimda and Code Red (in part) work, etc. On IPv6, that
isn't possible: it's quite reasonable to expect a hit rate of less than
1/(2^64) with IPv6 --- so scanning random IPs is no longer feasible.