
AW: End-user laptop firewall available?



Hi!

Of course, I totally agree that this is security by obscurity, but there's so much s/b/o in this world, such as NAT (IPv4) for example?

Nevertheless - if you don't have the MAC and I really doubt that it's leaking somewhere behind the gateway, this is pretty safe. Especially 'cause the kids out there with network scanners don't see any sense in scanning /64 networks.

But I also agree with ppl who say, that a closed port is a good port. ;-) My cellphone has fixed public IPs by vpn (v4/v6) and nothing but ssh is open :-)

Kind regards
Lukas Th. Hey

Kommunales Rechenzentrum 
Minden-Ravensberg / Lippe 
  
Tel.:     05261 / 252-363 
E-Mail: l.hey@krz.de
http://www.krz.de


-----Original Message-----
From: Jérémie Marguerie [mailto:jeremie@marguerie.org]
Sent: Monday, 9 December 2013 19:17
To: Hey, Lukas (KRZ)
Cc: Jordon Bedwell; Debian
Subject: Re: End-user laptop firewall available?

On Mon, Dec 9, 2013 at 1:10 AM, Hey, Lukas (KRZ) <L.Hey@krz.de> wrote:
> I have a /64 network at home. Do you want to scan 2^64 IPs 
> (18,446,744,073,709,551,616) to get the IP currently used by the 
> laptop which is changed via the IPv6 privacy extension? The only 
> machine having a fixed public IPv6 address, is the IPv6 Gateway. And 
> this one has ip6tables :-)

This is security by obscurity.

And no, you don't have 2^48 different IPv6 even with the Privacy extension enabled.
You have at most 2^48 (the MAC address, from which is derived the IPv6, is 48 bits long).

From this MAC address you can remove all the non attributed prefixes (widely available). And you can certainly only target the prefixes that have been allocated to domestic network cards.

You could well be under 2^32 with that. And we all know here that scanning 2^32 is fairly easy nowadays.

--
Jérémie MARGUERIE
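
The exchange above turns on whether the laptop's address is derived from its MAC. As an added example (not part of either message), this Python code audits `ip -6 -o addr show` output for global addresses in modified EUI-64 form, which embed the MAC; the sample output, interface name and addresses are constructed.

```python
import ipaddress

# Constructed sample of `ip -6 -o addr show` output (documentation prefix 2001:db8::/32).
# Temporary (privacy) addresses are assigned in addition to the stable one.
SAMPLE = """\
2: wlan0    inet6 2001:db8:1:2:8c5e:1f03:a9d2:47b1/64 scope global temporary dynamic \\       valid_lft 86000sec preferred_lft 14000sec
2: wlan0    inet6 2001:db8:1:2:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr \\       valid_lft 86000sec preferred_lft 14000sec
2: wlan0    inet6 fe80::211:22ff:fe33:4455/64 scope link \\       valid_lft forever preferred_lft forever
"""

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    text = addr.split("/")[0].split("%")[0]       # drop prefix length and zone
    iid = ipaddress.IPv6Address(text).packed[8:]  # low 64 bits of the address
    if iid[3:5] != b"\xff\xfe":                   # EUI-64 marker bytes
        return None                               # (a random IID matches with p = 2^-16)
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def audit(ip_output):
    """Return (ifname, address, scope, is_temporary, embedded_mac) per inet6 line."""
    rows = []
    for line in ip_output.splitlines():
        tok = line.split()
        if "inet6" not in tok:
            continue
        addr = tok[tok.index("inet6") + 1]
        scope = tok[tok.index("scope") + 1] if "scope" in tok else "?"
        rows.append((tok[1], addr, scope, "temporary" in tok, eui64_mac(addr)))
    return rows

def exposed(rows):
    """Globally routable addresses whose interface ID reveals the MAC."""
    return [r for r in rows if r[2] == "global" and r[4]]

if __name__ == "__main__":
    for row in exposed(audit(SAMPLE)):
        print("MAC-derived global address:", row)
```

Any address it reports stays reachable from outside unless the gateway or host firewall filters inbound traffic, regardless of which temporary address the laptop uses for outgoing connections.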
