
What are the security implications of IPv6?

1K views 3 replies 2 participants last post by  JamesK 
#1 ·
We are running out of web addresses under IPv4 so soon we will all be moving to IPv6. It supports 2^128 web addresses, which should be enough for everyone, as 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456.

Apparently one of the advantages of that is that we no longer need NAT on our routers since we don't need private networks since every device can be on the internet.

Part of me says great, no more need to have to do any port forwarding to get access to stuff on my LAN.

Another part of me says "So that means a hacker has easier access to all of my network devices and may be able to screw around with the devices on my home network?"

I probably got a few things wrong above, but what are the security implications of this? Will our ISP give us our own public subnet (is that even the right term) so that we each get something like 256 IP addresses? Will it be set up so that our devices will only be able to see devices on our LAN's subnet? So what will we use to enable external access that will take the place of port forwarding? A whitelist of external IPs?
 
#2 ·
In this respect, there is nothing NAT can do that a properly configured firewall can't. Start by blocking everything and then allow only what you want. Also, use only encrypted protocols, such as those based on SSH, SSL/TLS or a VPN. I have been running IPv6 for almost 4 years and my firewall is configured to allow only SSH and IMAPS through. I need IMAPS to access my mail server and everything else, including file shares, can be done via SSH.

ISPs are supposed to hand out a minimum of a /64 subnet. That's 2^64 addresses or the number of IPv4 addresses squared. I have a /56 subnet, which is about a trillion times the entire IPv4 address space. Many say /48s should be handed out, which is 256x what I have. There are enough /48 subnets available to give over 4000 of them to every person on earth!

One security advantage is trying to find a computer to attack. With such a huge address space on even the smallest subnets, just trying to find a live host will be a huge challenge. An attacker would pretty much need to capture an address somehow. Even that can't be counted on as many computers will use random number addresses when accessing the Internet. Those random number addresses are only valid for a few hours and then the computer will pick another, with the old one deprecated for several more hours until finally discarded.

You will not need port forwarding, as every computer will have a public address. Just make sure your firewall is set up properly.

Rogers is currently handing out /64 subnets, IIRC, via 6to4 or 6rd tunnel.
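
The "block everything, then allow only what you want" policy from the reply above, sketched as an nftables ruleset for a Linux-based home router. This is an added example, not part of the thread and not the poster's configuration; the interface names `wan0` and `lan0` and the server address `2001:db8:0:1::10` (documentation prefix) are assumptions, and only forwarded traffic to LAN hosts is covered, not traffic to the router itself.

```nftables
#!/usr/sbin/nft -f
# Added example: default-deny IPv6 forwarding with two published services.
# Assumed names (not from the thread):
#   wan0              - interface facing the ISP or tunnel
#   lan0              - interface facing the home network
#   2001:db8:0:1::10  - the one LAN host that offers SSH and IMAPS

table ip6 home_fw {
    chain forward {
        # Anything not explicitly accepted below is dropped. This is what
        # keeps publicly addressed LAN devices unreachable from outside.
        type filter hook forward priority 0; policy drop;

        # Discard packets that connection tracking cannot classify.
        ct state invalid drop

        # Replies to connections that LAN hosts opened themselves.
        # ICMPv6 errors tied to a tracked flow (for example packet-too-big,
        # needed for path MTU discovery) arrive as "related".
        ct state established,related accept

        # LAN hosts may open new outbound connections.
        iifname "lan0" oifname "wan0" ct state new accept

        # The only unsolicited inbound traffic: SSH (22) and IMAPS (993)
        # to a single host. This rule takes the place of an IPv4 port
        # forward, with no address translation involved.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:0:1::10 tcp dport { 22, 993 } ct state new accept

        # Everything else, including devices such as cameras that have a
        # public address but should not be reachable, falls to policy drop.
    }
}
```

Running `nft -c -f <file>` parses the ruleset without loading it, which is a useful check before applying it on a router you reach remotely.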
 
#3 ·
To properly implement IPv6 do you need all of the devices on your LAN to support IPv6? What about all of the stuff that I have, like IP cameras or older SageTV extenders? I don't think they support v6 and probably never will.

Or can your router translate between the two?

So can I call Rogers and ask that my Ultimate 250/20 service be switched to IPv6?
 
#4 ·
I run "dual stack" IPv4 & IPv6. Those devices that can work with IPv6 do so and those that can't I access with IPv4. It's all transparent.

To get IPv6 from Rogers, you need a router that supports 6to4 or 6rd tunnelling. They had a page about it at ipv6.rogers.com, but I can't get to it at the moment. Eventually they should be providing native IPv6 with the cable modems. I use a tunnel from gogoNET, but there are other tunnel providers that can be used.
 