<div dir="ltr">I agree on the difficulties with brute forcing methods, but I personally don't consider it a silver bullet. There are ways to identify legitimate IP addresses without brute forcing - log files, traffic interception etc.</div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On 25 July 2014 13:34, Joseph Goldman <span dir="ltr"><<a href="mailto:joe@apcs.com.au" target="_blank">joe@apcs.com.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
I think the concern here though is the real 'dumb' home user. NAT
provides a level of security for inbound attacks to a Personal
Computer unless specified in port fowarding, so the users have
become accustomed to that level of security (even if they dont know
about it).<br>
<br>
It was a question that came up in my mind earlier this week too, and
not all modem/routers are featured with firewalls to do this - and
with pretty much any ISP having to allow BYOD, you can't control if
peoples routers will ever have this feature. For business/managed
connections I tend to personally go MikroTIK routers so they do have
the full featured firewall, and I would definitely be setting up
rules for IPv6 once we start our end-user roll-out, but I can't
control residential customer xyz's JB Hi-Fi bought D-Link, and I
don't really want the helpdesk flooded with calls about attacks and
virus' either.<br>
<br>
The only comfort that I got was that IPv6 is so vast that
brute-forcing seems illogical and unlikely to net many results. I
will be interested to see others opinions on the matter :)<div><div class="h5"><br>
<br>
<div>On 25/07/14 13:20, Damien Gardner Jnr
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">What I do (and we do at work) is run stateful
firewalling on the home/office router, and don't allow inbound
traffic on v6 unless it's for an established session. Same as
we did all those years ago when our homes/offices had a public
/24 (We all had that at home right? ;) ). It's certainly not a
new problem :)
<div>
<br>
</div>
<div>Cheers,</div>
<div><br>
DG</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On 25 July 2014 13:11, Greg Anderson <span dir="ltr"><<a href="mailto:ganderson@raywhite.com" target="_blank">ganderson@raywhite.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Good day Ladies and Gentlemen!
<div><br>
</div>
<div>I had a quick question because try as I might,
anybody I have asked this question to so far (and
Google) have been unable to answer the question for me.</div>
<div><br>
</div>
<div>With the deployment of a dual stack IPv6 solution
either in a corporate or residential environment, I
expect most users would have a single NIC in most cases.</div>
<div><br>
</div>
<div>For Windows firewall, IPv4 addresses in common cases
are not globally routed addresses that often have less
restrictive firewall rules and services running on them
(EG SNMP, File/Printer sharing, RDP, Homegroup etc). In
these cases, some would often use "Domain" or "Private"
firewall profiles on these NIC's.</div>
<div><br>
</div>
<div>With the deployments of IPv6, they will also have
local link IPv6 addresses (fine as they are not globally
routed either obviously), and at some point many will
have a globally routed IPv6 address. So this means, for
a given NIC, you will now have:</div>
<div><br>
</div>
<div>- IPv4 Reserved address for Private local networking</div>
<div>
<div>- IPv6 Reserved address for Private local
networking</div>
<div>- IPv6 Globally routed address (and possibly a
second temporary address)</div>
<div><br>
</div>
<div>Suddenly when the deployment of Globally routed
IPv6 addresses happen: because the NIC has a private
profile there is suddenly private services exposed to
the Internet. (Let's put our tin foil hat on and
ignore the difficulties of brute force scanning an
IPv6 subnet).</div>
<div><br>
</div>
<div>Option 1 is obvious - change your NIC's network
type to public, and if you don't want everything to
break reconfigure all your rules to permit traffic
only from local link addresses (IE - a real pain in
the _)</div>
<div><br>
</div>
<div>Is there an option 2? Ideally, I would like the
public ranges to be automatically detected (or
specifically reconfigurable) as a globally routed IP
address range and therefore to be able to apply
multiple profiles (Public and Private/Domain) to a
single NIC.</div>
<div><br>
</div>
<div>I am considering this from a residential dumb end
user perspective as well as enterprise - so whilst I
would like a technical solution (and I am aware those
of us smart enough can still firewall at the edge just
like we do today) - many residential users will not
have these skills - they are likely to really open
themselves up. So I am interested to see if I am
missing something very obvious...</div>
<div><br>
</div>
<div>Thoughts?</div>
<span><font color="#888888">
<div><br>
</div>
<div>- Greg</div>
</font></span></div>
</div>
<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr">
<p>Damien Gardner Jnr<br>
VK2TDG. Dip EE. GradIEAust<br>
<a href="mailto:rendrag@rendrag.net" target="_blank">rendrag@rendrag.net</a> - <span><a href="http://www.rendrag.net/" target="_blank">http://www.rendrag.net/</a><u><br>
</u></span>--<br>
We rode on the winds of the rising storm,<br>
We ran to the sounds of thunder.<br>
We danced among the lightning bolts,<br>
and tore the world asunder</p>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
AusNOG mailing list
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
</blockquote>
<br>
</div></div></div>
<br>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><img src="https://lh5.googleusercontent.com/-aWq61wdav6s/UM_3TdCcU9I/AAAAAAAAAEE/JxSBQrF1JzI/w600-h148-p-k/ganderson_footer_small.png"><br>
</div>