by NeutronBoy 4085 days ago
If your firewall (which you'll still need) is configured correctly, then the wider internet either won't know an address isn't routable, or won't be able to do anything even if it is (there are various schools of thought on blocking ICMP messages from the internet, which range from "you break the internet if you block ICMP" to "I'll blackhole ICMP so nobody knows my devices exist")

> the wider internet either won't know ...

Once a private device communicates with a public Internet server, won't that server and every network between it and the private device (my ISP, etc.) know a publicly routable IP address on my private network? I know a firewall could still help protect it (simple SPI, for example) but having a publicly routable IP would seem to simplify the attacker's job, and possibly reveal information about specific devices and users (i.e., track who is doing what).

Also, I assume my firewall's public IP must be on the same public subnet as my internal devices. It doesn't seem like it would be hard to guess the addresses of devices on the private side.

I haven't looked at IPv6 much, so again I suspect I'm overlooking something basic.

> If your firewall (which you'll still need) is configured correctly

In my experience, this situation isn't common -- especially among end users but even among professionals.

In the absence of a firewall, you are correct that any node that gets hold of the publicly routable address assigned to one of your devices will be able to communicate with it from the outside. This is indeed a problem for most users, who won't know or bother to configure one; ISPs should do it for them on the CPE.

Regarding the tracking of specific users: RFC 3041 stateless autoconfiguration (which is deployed at least on Linux and OSX - not sure about Windows) allows a device to switch to a new random IPv6 address within its assigned prefix every few minutes. This mitigates, though it does not eliminate, an attacker's ability to correlate connections originating from the same device over a period of time.

Naturally, all of those addresses will share a common IPv6 prefix. But that is no different from most residential NATs, where all connections are observed from the outside to originate from the same IPv4 address.

Also due to stateless autoconfiguration, guessing the address of a device from the outside is equivalent to finding a needle in a 2^64-straw haystack. It's not impossible, but it takes time and a lot of traffic to do so.
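As an added illustration of the two points in the reply above (addresses sharing a prefix while the interface identifier changes, and the size of the 2^64 search space), the following Python is example code written for this page, not code from the thread. It builds an IPv6 address two ways within a /64: the predictable modified EUI-64 form derived from a MAC address (which is what makes a device trackable and guessable), and a randomly generated 64-bit interface identifier of the kind the privacy extensions use. The prefix 2001:db8::/64 and the MAC 00:11:22:33:44:55 are constructed sample values.

```python
import ipaddress
import secrets

PREFIX = "2001:db8::/64"  # constructed sample prefix (documentation range)


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC address.

    The MAC is split in the middle, ff:fe is inserted, and the
    universal/local bit (bit 1 of the first byte) is flipped. Because the
    result is a fixed function of the hardware address, the same device
    produces the same identifier in every network it joins.
    """
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def random_iid() -> int:
    """Random 64-bit interface identifier, as privacy extensions generate.

    A new one can be produced at any time, so the only stable part of the
    resulting address is the prefix assigned by the ISP.
    """
    return secrets.randbits(64)


def make_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    if not 0 <= iid < 2**64:
        raise ValueError("interface identifier must fit in 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) + iid)


def same_prefix(addresses, prefix: str) -> bool:
    """True if every address falls inside the given prefix (what an outside
    observer can still correlate even when identifiers rotate)."""
    net = ipaddress.IPv6Network(prefix)
    return all(addr in net for addr in addresses)


def expected_guesses(live_hosts: int) -> int:
    """Expected number of random probes into one /64 before the first hit,
    given `live_hosts` devices with random identifiers in that subnet."""
    if live_hosts <= 0:
        raise ValueError("need at least one host")
    return 2**64 // live_hosts


def years_to_sweep(probes_per_second: float) -> float:
    """Time to enumerate every identifier in a single /64 at a given rate."""
    return 2**64 / probes_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    fixed = make_address(PREFIX, eui64_iid("00:11:22:33:44:55"))
    rotating = [make_address(PREFIX, random_iid()) for _ in range(3)]
    print("EUI-64 derived address:", fixed)
    print("privacy addresses:     ", [str(a) for a in rotating])
    print("all share the prefix:  ", same_prefix(rotating + [fixed], PREFIX))
    print("expected guesses to hit 1 of 10 hosts:", expected_guesses(10))
    print("years to sweep a /64 at 1M probes/s:  ", round(years_to_sweep(1e6)))
```

The EUI-64 path is included only to show why a MAC-derived identifier is the tracking and guessing problem the reply describes; the random path is the mitigation, and `same_prefix` shows the residual correlation that remains because the prefix does not rotate.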

Thank you!