Re: End-user laptop firewall available?

To: "Hey, Lukas (KRZ)" <L.Hey@krz.de>
Cc: Jordon Bedwell <jordon@envygeeks.com>, Debian <debian-security@lists.debian.org>
Subject: Re: End-user laptop firewall available?
From: Jérémie Marguerie <jeremie@marguerie.org>
Date: Mon, 9 Dec 2013 10:16:44 -0800
Message-id: <[🔎] CAKS89GpstTE=ucM-5_3VoaAOfVu9_yjoDuDDuFDajWzuTeV62Q@mail.gmail.com>
In-reply-to: <[🔎] 5D5665AC686FE842984DE21CF13760010BF8D8CF@skrzmxmbx02>
References: <[🔎] 52A35302.8080305@cloud85.net> <[🔎] 20131208103442.GA6765@mail.waldi.eu.org> <[🔎] 52A467D4.4000109@wardsback.org> <[🔎] 20131208124411.GC415@dingens.org> <[🔎] 52A4A5EB.8050003@vallit.fi> <CAM5XQnwYcvpPvx0idGkxogVin+P-d=GL-bLPv7POVMdPbD+g3g@mail.gmail.com> <[🔎] 52A4B2DB.9010104@vallit.fi> <[🔎] CAKS89Gq_b4ydveGC2GEqHh2fZz_ynNXmx0CUXqL=_FMnW8nd3A@mail.gmail.com> <[🔎] 5D5665AC686FE842984DE21CF13760010BF8D85B@skrzmxmbx02> <CAM5XQnxkE-QAPH=p7aB4a5pn6tvFW6Q6ugCaXCTu7nbnBOQ2bQ@mail.gmail.com> <[🔎] 5D5665AC686FE842984DE21CF13760010BF8D8CF@skrzmxmbx02>

On Mon, Dec 9, 2013 at 1:10 AM, Hey, Lukas (KRZ) <L.Hey@krz.de> wrote:
> I have a /64 network at home. Do you want to scan 2^64 IPs (18,446,744,073,709,551,616) to get the IP currently used by the laptop which is changed via the IPv6 privacy extension? The only machine having a fixed public IPv6 address, is the IPv6 Gateway. And this one has ip6tables :-)

This is security by obscurity.

And no, you don't have 2^48 different IPv6 even with the Privacy
extension enabled.
You have at most 2^48 (the MAC address, from which is derived the
IPv6, is 48 bits long).

>From this MAC address you can remove all the non attributed prefixes
(widely available). And you can certainly only target the prefixes
that have been allocated to domestic network cards.

You could well be under 2^32 with that. And we all know here that
scanning 2^32 is fairly easy nowadays.

-- 
Jérémie MARGUERIE

Reply to:

Follow-Ups:
- AW: End-user laptop firewall available?
  - From: "Hey, Lukas (KRZ)" <L.Hey@krz.de>

References:
- End-user laptop firewall available?
  - From: Richard Owlett <rowlett@cloud85.net>
- Re: End-user laptop firewall available?
  - From: Bastian Blank <waldi@debian.org>
- Re: End-user laptop firewall available?
  - From: Frédéric CORNU <fcornu@wardsback.org>
- Re: End-user laptop firewall available?
  - From: Volker Birk <vb@dingens.org>
- Re: End-user laptop firewall available?
  - From: Riku Valli <riku.valli@vallit.fi>
- Re: End-user laptop firewall available?
  - From: Riku Valli <riku.valli@vallit.fi>
- Re: End-user laptop firewall available?
  - From: Jérémie Marguerie <jeremie@marguerie.org>
- AW: End-user laptop firewall available?
  - From: "Hey, Lukas (KRZ)" <L.Hey@krz.de>
- AW: End-user laptop firewall available?
  - From: "Hey, Lukas (KRZ)" <L.Hey@krz.de>

Prev by Date: Re: End-user laptop firewall available?
Next by Date: Re: End-user laptop firewall available?
Previous by thread: AW: End-user laptop firewall available?
Next by thread: AW: End-user laptop firewall available?
Index(es):
- Date
- Thread