
The scenario I commonly see is a dual-stack (IPv4 & IPv6) router blocking all unsolicited incoming IPv4 packets (because of NAT), while all IPv6 LAN hosts will unintentionally be globally accessible through the internet.

This is why I worry about more IPv6 deployment. Too many people are ignorantly relying on IPv4 NAT as a layer of protection.



> Too many people are ignorantly relying on IPv4 NAT as a layer of protection.

Too many people think pulling out works every time, too many people think that not using seat belts because they aren't going far or fast is safe, yada, yada.

What's the attack scenario? For the most part the machine is firewalled anyway by the built-in firewall (if we're talking about any modern Windows or Linux) by default. Most attacks need actual vulnerable software, and nowadays that is the browser => it's client-initiated anyway.

Sure, a properly configured router would block the incoming traffic (with or without NAT; there are routed IPv4 networks too, you know? I have five /24s there and a bunch of smaller ones, no NAT on them), but again, the onus here is on the default configuration of the router. There are still 'DMZ' buttons in some routers that would DNAT everything to the machine, and there are people who do that without understanding that this opens up their machine (despite being behind the NAT), i.e. 'makes it globally routable'.

I haven't touched home/SOHO routers for almost a decade, so I can't say anything about that, except that Zyxels have sane defaults and that Mikrotik ships with IPv6 disabled altogether.

Don't forget, most of the 'hacks' happen by scanning the IPv4 subnet and then meticulously probing everything. It's easy with IPv4 (hell, a /16 is only 65k hosts); with IPv6 this is...

Here: 2a10:1fc0:6::/48

I have a machine there, go, find it.

The only feasible way for someone to find your globally addressable machine is for the 'victim' to first trigger something, e.g. by accessing some website. Yes, in this case the owner of the site (or the malware which infected the site) would know your IP. But the same applies to IPv4, and in both cases you need something which is:

  vulnerable
  accepting packets from anywhere
  not firewalled
And you still need to lure the victim to your site first.

You would have better chances sending Nigerian prince letters, and it would be way more profitable.


> And you still need to lure the victim to your site first.

You don't need to lure anything. Hack some websites. Plenty have publicly accessible analytics or logs. That gives you full IPv6 addresses to target. Ideally, it might give you a username as well.

What if someone gets the logs of an IoT cloud provider with IPv6-enabled IoT devices?

How many of those addresses have SSH, Samba, APFS, Telnet, or a DNS server running? How many have a username + password combo that's in a leak? How many have an IoT RESTful API endpoint with unpatched vulnerabilities?

IPv4 NAT allows people to have quite weak security internally in a network, and not get compromised. Device firewalls don't work where the devices themselves provide services, which is increasingly common.


> You don't need to lure anything.

Right. For example, in 2016, Shodan had sneakily infiltrated the NTP.org pool to harvest IPv6 IPs. The methods have obviously gotten more sophisticated and more prevalent since then.

https://netpatterns.blogspot.com/2016/01/the-rising-sophisti...

https://seclists.org/oss-sec/2016/q1/239


> IPv4 NAT allows people to have quite weak security internally in a network, and not get compromised

    DENY from ANY to ANY
on the WAN port works with both IPv4 and IPv6 and allows people to have a strong security internally in the network.

Here is one simple solution: it works on both IP versions and does not rely on NAT or on hoping everything will be fine.

> How many of those addresses have SSH, Samba, APFS, Telnet, or a DNS server running?

Ah, yes, some idiots have telnet and APFS running and open to the whole world, so NAT to the rescue! Instead of, you know, having a brain and, at least, firewalling. At The Router.

You NAT apologists somehow do have a router with NAT and a firewall for IPv4, but at the same time there is only luminiferous æther for IPv6, with nothing between the poor, young and defenseless IoT device and the 3vi1 h4x0r somewhere on the other side of the planet. Come on.

> What if someone gets the logs of an IoT cloud provider with IPv6-enabled IoT devices?

What if someone gets in your house and finds your nudes? Should we ban cameras everywhere, because someone might do that?
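A concrete form of the "deny everything unsolicited on the WAN port, for both address families" rule from the comment above, as an added nftables example that is not from any commenter in this thread. The interface name wan0 is an assumption. One caveat a flat "DENY from ANY to ANY" hides: IPv6 only works if the router and the LAN hosts can still receive neighbour discovery, router advertisements and packet-too-big messages, so those ICMPv6 types are whitelisted explicitly; everything else inbound from the WAN is dropped unless conntrack has seen the LAN side initiate it.

```nft
# Dual-stack stateful default-deny on the WAN side (added example, not from the thread).
# "inet" tables apply one ruleset to both IPv4 and IPv6; "wan0" is an assumed interface name.
table inet wan_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname != "wan0" accept                      # LAN and loopback talk to the router freely
        ct state established,related accept          # replies to what we or the LAN initiated
        ct state invalid drop

        # ICMPv6 the router itself needs on its WAN link (NDP, PMTUD, diagnostics)
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert,
                      packet-too-big, time-exceeded, parameter-problem, echo-request } accept
        # Equivalent IPv4 control traffic
        icmp type { echo-request, destination-unreachable, time-exceeded } accept

        # DHCPv6 replies from the ISP to the router's link-local client
        ip6 daddr fe80::/64 udp sport 547 udp dport 546 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        iifname != "wan0" accept                      # LAN-originated traffic goes out
        ct state established,related accept          # and its replies come back
        ct state invalid drop

        # Error messages that LAN hosts must receive for IPv6 to work at all
        icmpv6 type { packet-too-big, time-exceeded, parameter-problem,
                      destination-unreachable } accept
    }
}
```

Load it with `nft -f <file>` and check it with `nft list ruleset`; the forward chain is the one that replaces what people imagine NAT is doing for them, since an IPv6 LAN host's global address is routable but nothing unsolicited from wan0 ever reaches it.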


Thanks to privacy extensions most of those logged addresses will have expired and be useless. Also most people don't permit connections from the Internet to privacy addresses in the first place, they only add firewall exceptions for the base addresses, so even if you're running a server on the same machine you make an outbound connection from, the servers you connect to don't learn the IP needed to make an inbound connection on.

> IPv4 NAT allows people to have quite weak security internally in a network, and not get compromised.

No, it doesn't. This is allowed by having a firewall on the router, exactly the same as in v6. NAT doesn't block connections, so it doesn't contribute to this security.

Device firewalls do work, but connections will generally be rejected by the router's firewall before they even get that far.
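To make the privacy-extensions point from the comment above concrete: the interface identifier of a SLAAC address is either a modified EUI-64 derived from the MAC (stable, predictable and reusable from a log line) or a random, temporary one (RFC 4941). The script below is an added example, not code from anyone in this thread. It classifies a handful of constructed log entries, recovers the MAC from the stable addresses, and, going one step beyond the comment, shows the forward direction: once a MAC is known, the stable address in a given /64 can be computed without any log at all. The addresses, the log lines and the helper names are invented for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample log entries (not real traffic): (client address, request)
SAMPLE_LOG = [
    ("2001:db8:1::211:22ff:fe33:4455", "GET /index.html"),   # stable EUI-64 IID
    ("2001:db8:1::a1b2:c3d4:e5f6:789a", "GET /index.html"),  # temporary/random IID
    ("2001:db8:1::3ce4:81ff:fe0a:9b2c", "GET /api/status"),  # stable EUI-64 IID
    ("2001:db8:2::1", "GET /robots.txt"),                    # hand-numbered host
]


def interface_identifier(addr: str) -> bytes:
    """Return the low 64 bits (the interface identifier) of an IPv6 address."""
    return ipaddress.IPv6Address(addr).packed[8:]


def eui64_to_mac(iid: bytes):
    """If iid is a modified EUI-64 built from a 48-bit MAC (RFC 4291 App. A),
    return that MAC as a string; otherwise None.

    Such IIDs carry 0xfffe in the middle and have the universal/local bit flipped.
    A random IID can contain ff:fe by chance (1 in 65536), so this is a heuristic.
    """
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the U/L bit inversion
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def mac_to_stable_address(prefix: str, mac: str) -> str:
    """Forward direction: the stable SLAAC address a host with this MAC would
    configure in this /64, i.e. what an attacker can compute from a MAC alone."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def classify(addr: str):
    """Return (class, mac-or-None) for a logged client address.

    'stable-eui64'        : derived from a MAC, survives reboots and privacy rotation
    'manual-or-small'     : tiny IIDs like ::1 are hand-assigned servers, not SLAAC
    'temporary-or-random' : most likely an RFC 4941 privacy address, soon expired
    """
    iid = interface_identifier(addr)
    mac = eui64_to_mac(iid)
    if mac:
        return ("stable-eui64", mac)
    if int.from_bytes(iid, "big") < 0x10000:
        return ("manual-or-small", None)
    return ("temporary-or-random", None)


def summarize(log):
    """Count log entries by address class; only the stable ones are durable targets."""
    return dict(Counter(classify(addr)[0] for addr, _ in log))


if __name__ == "__main__":
    for addr, req in SAMPLE_LOG:
        print(addr, req, classify(addr))
    print(summarize(SAMPLE_LOG))
    # Knowing a MAC is enough to name the stable address in any /64 the host visits
    print(mac_to_stable_address("2001:db8:1::/64", "00:11:22:33:44:55"))
```

Run over a real access log, the share of `temporary-or-random` entries is what the comment's point rests on: those addresses rotate and the firewall exception, if any, was never added for them. The `stable-eui64` entries are the ones worth worrying about, which is why modern hosts default to RFC 7217 stable-but-opaque identifiers rather than EUI-64.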




