by tombrossman 3496 days ago
> There is a great use-case for IPv6 for IoT where each device gets its own IPv6 address.

Do you really want your IoT devices to be directly addressable on the internet? It's my understanding that having devices behind a router is safer. I go a step further and disable UPnP on my routers and everything still 'just works' including network printing.

2 comments

NAT is not a security feature; it wasn't meant to be one, and it doesn't by itself add anything, except that it complicates communication.

You're supposed to control access with a firewall, and controlling security is much easier when a computer/device has a routable address.

Though, IoT devices should probably be restricted from any Internet access based on their security track record (but again, this is orthogonal to being directly addressable).

While NAT does not provide perfect security, it is a component of security in networks where most people have no idea how to harden their systems or devices. It somehow gives me comfort to know that no one can just scan the net to find my phone, as I'm not sure if it would be vulnerable.

I still don't see a reason for the average consumer to have a static, reachable IP for their devices. I see privacy concerns but no advantages.

Why does 'directly addressable' mean 'not behind a router'? Unless you've got a weird ISP that's delivering you Ethernet, you're going to need a router.

That's a good point and I don't know the answer.

I have a gigabit fiber (to the home) connection which terminates at a device with 4 Ethernet jacks. They all work, I've tested connecting directly to them with a laptop, but I plug a router into it and all devices connect through that router instead. It's the 'stateful firewall' aspect of using a router that I want for improved security. https://en.wikipedia.org/wiki/Stateful_firewall

My ISP delivers me Ethernet... I doubt it's that uncommon in midrise/highrise buildings. But they will only route to a single IP address (incl for 64-bit) so then again I still need a router.