[avidiax]

> And you still need to lure the victim to your site first.

You don't need to lure anything. Hack some websites. Plenty have publicly accessible analytics or logs. That gives you full IPv6 addresses to target. Ideally, it might give you a username as well.

What if someone gets the logs of an IOT cloud provider with IPv6 enabled IOT devices?

How many of those addresses have SSH, Samba, APFS, Telnet, or a DNS server running? How many have a username + password combo that's in a leak? How many have an IOT Restful API endpoint with unpatched vulnerabilities?

IPv4 NAT allows people to have quite weak security internally in a network, and not get compromised. Device firewalls don't work where the devices themselves provide services, which is increasingly common.

[bcook]

> You don't need to lure anything.

Right. For example, in 2016, Shodan had sneakily infiltrated the NTP.org pool to harvest IPv6 IPs. The methods have obviously gotten more sophisticated and more prevalent since then.

https://netpatterns.blogspot.com/2016/01/the-rising-sophisti...

https://seclists.org/oss-sec/2016/q1/239

[justsomehnguy]

> IPv4 NAT allows people to have quite weak security internally in a network, and not get compromised

    DENY from ANY to ANY

on the WAN port works with both IPv4 and IPv6 and allows people to have a strong security internally in the network.

Here, one simple solution, works on both IP versions, does not rely on NAT or hoping everything would be fine.

> How many of those addresses have SSH, Samba, APFS, Telnet, or a DNS server running?

Ah, yes, some idiots have the telnet and APFS running and open to the whole world that's why NAT to the rescue! Instead of, you know, having a brain and, at least, firewalling. At The Router.

You all NAT apologists somehow do have the router with NAT and firewall for IPv4, but at the same time there is only luminiferous æther for IPv6 with nothing between the poor, young and defenseless IoT device and the 3vi1 h4x0r somewhere on the other side of the planet. Come on.

> What if someone gets the logs of an IOT cloud provider with IPv6 enabled IOT devices?

What if someone gets in your house and find your nudes? Should we ban cameras everywhere, because someone might do that?

[Dagger2]

Thanks to privacy extensions most of those logged addresses will have expired and be useless. Also most people don't permit connections from the Internet to privacy addresses in the first place, they only add firewall exceptions for the base addresses, so even if you're running a server on the same machine you make an outbound connection from, the servers you connect to don't learn the IP needed to make an inbound connection on.

> IPv4 NAT allows people to have quite weak security internally in a network, and not get compromised.

No, it doesn't. This is allowed by having a firewall on the router, exactly the same as in v6. NAT doesn't block connections, so it doesn't contribute to this security.

Device firewalls do work, but connections will generally be rejected by the router's firewall before they even get that far.