by johnnyapol 1247 days ago
IPv6 not having NAT doesn’t make it incompatible with stateful firewalls. You can still have routers doing drop inbound by default.

And ISP supplied devices generally are. I don’t really know why people think this is an issue.
Might have learned something today, I always replace the stock router from ISPs.

Easy to test: can someone on a cable box try to reach an open port on their host over IPv6 vs IPv4? My belief is that a majority of setups (maybe not HN hackers) will be able to hit a host's open port on v6 and fail on v4.

NAT is definitely an added layer though.

> Might have learned something today

Yet you continue to speculate about it and spread baseless FUD.

Consumer ISPs supporting IPv6 provide routers blocking inbound access by default. The interface to open IPv6 ports is usually labelled "IPv6 Pinholes" or similar, and you'll find hundreds of web pages on ISP websites describing the functionality -- just as they have pages on IPv4 port forwarding.

The extraordinary claim that ISPs are supplying routers with such a dangerous default configuration requires evidence.

> extraordinary claim that ISPs are supplying routers with such a dangerous default configuration requires evidence

It's a legitimate expectation and potentially the norm to expect that I can ssh to my desktop with IPv6 w/o configuring my router.

The pitfall comes as a side effect of NAT inadvertently making port access rare.

I am looking for data; inbound-blocked IPv6 seems unlikely, but I only have anecdotal evidence.

That's not even an anecdote. You are literally just assuming something is true, then arguing vocally with people giving you evidence to the contrary.

It goes beyond that. With IPv4 you have the further protection of private subnets not even routing across the public internet - it’s broke by default, no configuration necessary.

Your attack surface is primarily your firewall which admittedly might be an easy target - but not as easy as an unprotected Windows box.

Private address ranges are a human convention and there have been instances in the past of upstream routers passing them on.[1] Relying on other people to do your filtering for you is a bad idea. I'm going to put the rules in my own router, whether those addresses are (potentially) globally routable or are designated as private.

The use of small private pools has even helped attackers who would inject browser scripts probing the well-known prefixes.[2]

[1] https://serverfault.com/questions/374126/private-ip-getting-...

[2] https://www.bleepingcomputer.com/news/security/new-behave-ex...

Exactly! Duplicating my point in a thread below to drive your point home:

NAT was an added layer on top of firewall rules because inbound ports had to be mapped to a particular host and port since the router would not know which host to send to. This created a default opt out experience because for a port on your machine to get accessed, a packet must pass inbound rules and match a port map table entry.
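The "drop inbound by default, open pinholes explicitly" behaviour described at the top of the thread, and the "inbound rules plus a port-map entry" picture in the post just above, as an added example that is not part of the thread and not any router vendor's code: a toy connection-tracking filter in Python. `Packet`, `StatefulFilter`, the addresses and the packet sequence are all constructed for illustration. The filter never rewrites an address, which is the point: the opt-in exposure comes from state and explicit rules, not from translation.

```python
"""Added example, not from the thread: a minimal stateful packet filter that
drops unsolicited inbound traffic without any address translation.
All addresses, hosts and packets below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str        # source address; IPv6 or IPv4, the filter does not care
    dst: str        # destination address
    sport: int      # source port
    dport: int      # destination port
    syn: bool       # True for a new-connection (TCP SYN) packet
    inbound: bool   # True if the packet arrives from the WAN side


@dataclass
class StatefulFilter:
    """Default-drop inbound, allow established flows, plus explicit pinholes.

    Same effect as a consumer router's "IPv6 Pinholes" page, or as the
    inbound-rules-plus-port-map combination on an IPv4 NAT box, but with no
    address rewriting anywhere.
    """
    pinholes: set = field(default_factory=set)    # {(lan_host, port)}
    conntrack: set = field(default_factory=set)   # {(lan_host, lan_port, remote, remote_port)}
    log: list = field(default_factory=list)

    def allow_pinhole(self, host: str, port: int) -> None:
        """Explicitly expose one port on one internal host (the opt-in step)."""
        self.pinholes.add((host, port))

    def handle(self, pkt: Packet) -> str:
        if not pkt.inbound:
            # Outbound: record the flow so the reply can come back in.
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound packet belonging to a flow the inside started (tuple reversed)?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "ACCEPT"
        # New inbound connection to a port the owner explicitly opened?
        if pkt.syn and (pkt.dst, pkt.dport) in self.pinholes:
            # Track it so the rest of that flow is accepted without re-checking.
            self.conntrack.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "ACCEPT"
        # Everything else from the WAN side is dropped by default.
        self.log.append(f"DROP unsolicited inbound {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "DROP"


def scenario(desktop: str = "2001:db8:1::10", remote: str = "2001:db8:ffff::1"):
    """Run a constructed packet sequence through the filter; returns (decisions, log).

    Works identically with IPv4 addresses (e.g. desktop="192.0.2.10"): nothing
    in the decision path depends on the address family or on translation.
    """
    fw = StatefulFilter()
    results = []
    # 1. Desktop opens an outbound HTTPS connection; the server's reply is let back in.
    results.append(fw.handle(Packet(desktop, remote, 51000, 443, syn=True, inbound=False)))
    results.append(fw.handle(Packet(remote, desktop, 443, 51000, syn=False, inbound=True)))
    # 2. Unsolicited inbound SSH attempt from the internet to the desktop: dropped.
    results.append(fw.handle(Packet(remote, desktop, 40000, 22, syn=True, inbound=True)))
    # 3. The owner opens a pinhole for SSH on the desktop; the same packet now passes.
    fw.allow_pinhole(desktop, 22)
    results.append(fw.handle(Packet(remote, desktop, 40000, 22, syn=True, inbound=True)))
    # 4. A stray non-SYN packet with no matching state is still dropped.
    results.append(fw.handle(Packet(remote, desktop, 40001, 22, syn=False, inbound=True)))
    return results, fw.log


if __name__ == "__main__":
    decisions, dropped = scenario()
    for d in decisions:
        print(d)
    for line in dropped:
        print(line)
```

The toy keeps flows forever and ignores TCP state; a real router expires entries and validates sequence numbers. One caveat specific to IPv6 that a copy-the-IPv4-rules approach gets wrong: ICMPv6 must not be blanket-dropped, because neighbour discovery and path MTU discovery depend on it, so the real ruleset needs explicit ICMPv6 accepts alongside the default drop.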

NAT was created for one reason only: because there weren't enough IPv4 addresses to go around.

Port mapping and connection tracking firewalls were invented in 1989,[1][2] while network translation was created in 1994.[3][4] The private address space was only reserved in 1996.[5] The Firewalls book was published in 1994 (which meant that it was being written in the 1992-3 timeframe).[6]

People were protecting networks before NAT.

[1] https://en.wikipedia.org/wiki/Firewall_(computing)#Connectio...

[2] https://en.wikipedia.org/wiki/Circuit-level_gateway

[3] https://www.rfc-editor.org/rfc/rfc1631

[4] https://en.wikipedia.org/wiki/Cisco_PIX

[5] https://www.rfc-editor.org/rfc/rfc1918

[6] https://en.wikipedia.org/wiki/Firewalls_and_Internet_Securit...

> it’s broke by default, no configuration necessary.

Which is why all sorts of software needs to deal with bullshit like STUN, TURN, etc, to get peer-to-peer connections working. There has to be all sorts of address discovery.

* https://en.wikipedia.org/wiki/NAT_traversal

And even that won't work once you get into CG-NAT, which tends to have two layers of NAT.

How much of the centralization of the Internet has occurred because people can't just talk to each other (by simply firewall hole punching via UPnP/PCP)?