[wjholden]

I'm not so concerned.

For one thing, a /64 issued to a house is a pretty daunting search space for the scanning worms of yesterday.

Another, computers today do come with firewalls that are enabled by default and tricky to disable.

Third, the industry really had to start taking memory safety and attack surface seriously after the Blaster/Sasser/MyDoom days. We see another article here on HN every week about another company categorically solving memory problems by adopting Rust.

Finally, having remote desktop shouldn't be a problem if people don't know your password, no? It's not like there is a firewall stopping baddies from guessing your Gmail password.

I realize that a NAT/PAT device does incidentally serve as a stateful firewall for many homes, but I think it is less important with modern OS's than one might think.

Now for the hospitals still using Windows XP...yeah you're right about that. I'd like to see regulators start fining companies for using obsolete hardware and software.

[somerandomqaguy]

>For one thing, a /64 issued to a house is a pretty daunting search space for the scanning worms of yesterday.

Eh...

-----

We have outlined a number of techniques that scanning worms can use in an IPv6 Internet to locate potential targets. These techniques are equally applicable to the current IPv4 Internet, albeit not as efficient as random scanning. Although “conventional” address-space scanning is prohibitively expensive in that environment, we believe that the diversity of sources we discussed (which is by no means exhaustive) guarantees a rich target set for worms.

---

https://www.cs.columbia.edu/~smb/papers/v6worms.pdf

A lot of them do rely on getting that first host infected though, but that's not exactly dissimilar to IPv4 networks as well.

>Finally, having remote desktop shouldn't be a problem if people don't know your password, no? It's not like there is a firewall stopping baddies from guessing your Gmail password.

That actually begs an interesting point. IPv4 allows for services to block use IP profiling to limit an attacker's attempts to brute-force / semi-brute-force a password or other attacks like a DDoS. What would be IT / Security processionals response when an attacker can just jump to another IPv6 address and resume the attack?

[wmf]

I think the best practice is to rate limit by /24 in IPv4 and by /48 in IPv6. That way all the attacker's IPs are treated as a single user. These have corner cases like if the attack is coming from inside the house but they're decent defaults.

[CorrectHorseBat]

>For one thing, a /64 issued to a house is a pretty daunting search space for the scanning worms of yesterday.

/64? You should be getting at least a /56

[throw0101c]

> For one thing, a /64 issued to a house is a pretty daunting search space for the scanning worms of yesterday.

Some math to illustrate this:

* IPv4 has 2^32 addresses

* 2^32 ≈ 4 billion

* in mathematics, a^x = a^(y+z) = a^y * a^z

* so: 2^64 = 2^32 * 2^32

* therefore: 2^64 = four billion IPv4 Internets

One IPv6 subnet can fit many, many entire IPv4 Internets.