[Info-vax] implementing IPv6 on the internet

Dirk Munk munk at home.nl
Wed Sep 21 07:22:03 EDT 2016


Chris wrote:
> On 09/21/16 08:49, Jan-Erik Soderholm wrote:
>
>>
>> I mentioned IPv4 as a reference. The need Dirk is talking about
>> is for IPv6. IPv6 will replace IPv4 NAT'ing with individual/unique
>> world-wide IP addresses for "everything". And they need DNS.
>>
>>>
>>> That being said, what you seem to be asking...
>>
>> I am not Dirk Munk...
>>
>>
>>> is for those "private" addresses to become essentially public...
>>
>> That is how *I* understand Dirk, yes. Doesn't have to be correct... :-)
>>
>
> If true, that's a great security risk in its own right.
> I'm quite happy for the isp to use whatever standard they like to
> talk to the wan side, but none of that reaches the internal network
> unless it's needed and defined in the rules. I don't trust the
> ISP's router either and have hardware firewalling following that
> for isolation.
>
> NAT is a fundamental and cost effective part of network security
> and I don't see it going away any time soon...
>
> Regards,
>
> Chris

That is the traditional mistake people make about IPv6. The fact that a 
device has a global IPv6 address and a DNS name doesn't mean that it is 
reachable, or reachable without any constraints.

An IPv6-capable CE router will have all IPv6 access from the internet 
blocked by default. If you want a device to be accessible from the 
internet, you have to make an entry in the router for the address of 
that device, and the ports you want to be open. Essentially no different 
from IPv4.

And by the way, NAT was never designed to be a safety feature, blocking 
access from the internet is merely a consequence of the way it works.
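
The default-deny behaviour described in this message, sketched as an nftables forward chain for a Linux-based router. This is an added example, not part of the original post: the interface names (wan0, lan0) are assumed, and the device address is constructed from the documentation prefix 2001:db8::/32.

```nft
#!/usr/sbin/nft -f
# Constructed example. wan0 = ISP-facing interface, lan0 = internal
# network (assumed names). 2001:db8:1:10::25 is a placeholder address.

table ip6 ce_router {
    chain forward {
        # Default policy: anything not explicitly accepted is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that LAN hosts opened themselves.
        # "related" also covers ICMPv6 errors (e.g. packet-too-big)
        # that belong to a tracked connection.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open outbound connections.
        iifname "lan0" oifname "wan0" accept

        # The explicit entry: one device address, one port.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1:10::25 tcp dport 443 accept

        # All other inbound traffic falls through to the drop policy,
        # even though every LAN host has a global IPv6 address.
    }
}
```

The filtering comes from the connection-tracking rules and the drop policy, not from any address translation; the LAN addresses are forwarded unchanged.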


