Default security functions on an IPv6 CPE
Mark Smith
msmith at internode.com.au
Fri May 13 09:21:36 CEST 2011
On 13/05/2011 4:34 PM, S.P.Zeidler wrote:
> Thus wrote Mark Smith (msmith at internode.com.au):
>
>>> Either way you setup the CPE the ISP will get called.
>>>
>>> But, the users who got an open IPv6 firewall and as a result got
>>> their machine rooted, when their calls come in they will take a lot
>>> more time and be much more costly.
>>>
>>
>> Have you or Doug read
>>
>> RFC5157 - IPv6 Implications for Network Scanning
> [...]
>> Still think address scanning is going to be a useful technique under IPv6?
>
> As has been mentioned in this thread, you do not need to scan addresses
> when you can harvest active addresses from connects to a hacked webserver
> or even from blog comments (and a million other places).
>
So tell me how a host based firewall isn't going to prevent that attack,
which therefore makes a CPE firewall absolutely necessary (which is the
argument in question)?
> Hiding in the forest only works when you don't move (ie, never use your
> address outside your LAN).
>
> regards,
> spz
More information about the ipv6-ops
mailing list