[PLUG] Free Cable Modem

Russell Senior russell at personaltelco.net
Sat Nov 9 10:08:02 UTC 2013


>>>>> "John" == John Jason Jordan <johnxj at comcast.net> writes:

Paul> You might want to check if your workstation has a global IPv6
Paul> address.  If so, make sure you've got some sort of ingress
Paul> filtering, either at your border router or on each host.

John> My router has a firewall. Otherwise, I don't know why I should
John> be concerned. I've used computers behind the router for over a
John> decade and there has never been a problem. My previous router
John> didn't even have a firewall, and still never a problem.

John> I am aware of the existence of /64 IPv6 address space, but I
John> know zero about it. Does this increase security concerns?

Even though your DOCSIS 3 modem might support IPv6 now, your router (if
it isn't very new) probably doesn't, so you *probably* don't have
anything to worry about.  But, IPv6 generally means no Network Address
Translation (the poor-man's firewall that has protected most people's
LANs for the last decade plus or so from connections from the outside,
as a side effect).  No NAT means your host's IPv6 address (if it has a
global one) is globally routable and anybody on the IPv6 interwebs can
reach your host's IPv6 address.  Your router might now have an IPv6
address, but as long as it doesn't advertise it on the LAN, then your
internal hosts won't have a globally routable IPv6 address and they
are "safe".

Newer routers are probably going to start coming with IPv6 out of the
box though, so something to be aware of.

Run:

  $ ip a

and see if there are any inet6 addresses that don't start with 'f'
(fe80 is a local prefix, 2000:... or 2001:... or suchlike are global).

On the other hand, an attacker trying to scan your /64 is likely going
to wait a very very long time (2^64 is a LARGE NUMBER (not quite
Avogadro's but in the general ballpark) and it will take MANY DAYS to
check all of the possible addresses).  

If he can find out your address though (e.g. by seeing some of your
IPv6 traffic), he can try to connect directly to your computer.  Your
computer is free to ignore him, but it might not always when, in the
fullness of time, you think it should have.  Hence the need for
greater firewally vigilance in the IPv6 context, or at least more
consciousness about host security.


-- 
Russell Senior, President
russell at personaltelco.net
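
The `ip a` check described in the message above, as an added example that is not part of the original post: it sorts inet6 addresses into loopback, link-local (fe80::/10), unique-local (fc00::/7) and global (2000::/3), which goes a little beyond the "doesn't start with 'f'" rule. It assumes the one-line output format of `ip -o -6 addr show` from iproute2; the function names and the sample addresses (documentation prefix 2001:db8::/32) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify IPv6 addresses by prefix so globally routable
# ones (the ones that need ingress filtering) stand out.

# Constructed sample in `ip -o -6 addr show` format; not from a real host.
SAMPLE='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:1234:1:a00:27ff:fe4e:66a1/64 scope global dynamic \       valid_lft 86000sec preferred_lft 14000sec
2: eth0    inet6 fd12:3456:789a:1::10/64 scope global \       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link \       valid_lft forever preferred_lft forever'

# Reads `ip -o -6 addr show` output on stdin.
# Prints one line per address: "<interface> <address> <class>".
classify_inet6() {
    awk '
    $3 == "inet6" {
        split($4, parts, "/")          # drop the /prefix-length
        addr = tolower(parts[1])
        if (addr == "::1")
            class = "loopback"
        else if (addr ~ /^fe[89ab][0-9a-f]:/)          # fe80::/10
            class = "link-local"
        else if (addr ~ /^f[cd][0-9a-f][0-9a-f]:/)     # fc00::/7, not routed globally
            class = "unique-local"
        else if (addr ~ /^[23][0-9a-f][0-9a-f][0-9a-f]:/)  # 2000::/3
            class = "GLOBAL"
        else
            class = "other"
        print $2, addr, class
    }'
}

# Prints only the globally routable addresses: "<interface> <address>".
global_inet6() {
    classify_inet6 | awk '$3 == "GLOBAL" { print $1, $2 }'
}

# Demo on the constructed sample. On a live Linux host use instead:
#   ip -o -6 addr show | global_inet6
printf '%s\n' "$SAMPLE" | classify_inet6
```

Any line printed by `global_inet6` is an address reachable from the IPv6 internet unless a router or host firewall filters inbound connections.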


