Re: IPv6
rhcev6
Enthusiast - Level 2

@Smith6612 wrote:

IPv5 does exist. It, however, never took off because its use was specific, and something which was found to be unnecessary. IPv5 is known as the "Internet Stream Protocol."

With that said, part of the point of IPv6 is to solve the issue IPv4 has with guessability. IPv6 has security built into it through means of SLAAC Auto-Configuration + Privacy Extensions. Privacy Extensions in IPv6 allow a device to change its IP address on a regular basis AND to not generate an IP address based upon DUID + Subnet allocation + MAC Address. Effectively, someone trying to discover a device (most devices, including Windows by default, do not respond to ICMP) would have to port scan millions of IPs (any one of which could be a device) ... per subnet. With IPv4, it's already been seen that scanning through IPv4 subnets is fairly trivial due to the lack of address space, and punching through NAT is generally not difficult - especially with UPnP being enabled on so many consumer-level routers, and just general insecurity.

Security through Obscurity is by no means something that should be touted, but there are a lot of benefits to having IPv6. The sooner Verizon implements a native IPv6 stack onto FiOS, the sooner transition technologies like Teredo, 6rd and so on can go away. Teredo being enabled on Windows has been known to cause numerous problems FWIW...

If you need to be discovered on the IPv6 Internet, use DNS. I myself appreciate the lack of noise on IPv6 because of how vast the address space is.


My Cisco 3825 never gets rebooted or powered off, and when a hacker has over 100 infected bot PCs, scanning IPv6 space isn't hard. You start with ISP-assigned spaces.

Also, UPnP should NEVER be on in the first place. I have never run UPnP, ever. All IPv6 will do is massively complicate my ACL and be very annoying.

Regardless of whether IPv6 comes or not, my LAN is staying IPv4 and I'll put a few servers on the IPv6 side as a DMZ.

I don't do winDOZE anyway. Haven't since 05 on desktops and 04 with NT4 being the last server version I touched. Linux is all I run since 2004/2005.
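The SLAAC versus Privacy Extensions point quoted above (a plain EUI-64 address embeds the interface MAC; an RFC 4941 temporary address does not) can be checked from the defender's side. This is an added example, not code from either poster; the prefix, the MAC and the sample addresses are constructed.

```python
import ipaddress
from typing import Optional

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291) derived from a MAC address."""
    octets = bytes(int(b, 16) for b in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    # Insert 0xFFFE between the OUI and the device part, then flip the
    # universal/local bit (0x02) of the first octet.
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host WITHOUT privacy extensions forms under SLAAC in a /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def looks_eui64(addr: str) -> bool:
    """True when the low 64 bits carry the ff:fe marker, i.e. the address embeds a MAC.
    An inventory run with this over neighbour tables shows which hosts still lack
    privacy extensions."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE

def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the embedded MAC from an EUI-64-derived address (None otherwise)."""
    if not looks_eui64(addr):
        return None
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)

if __name__ == "__main__":
    # Constructed sample values (documentation prefix, made-up MAC).
    prefix, mac = "2001:db8:1:2::/64", "00:11:22:33:44:55"
    stable = slaac_address(prefix, mac)
    temporary = "2001:db8:1:2:5c3a:9e1b:7d20:44f1"  # constructed RFC 4941-style address
    print(f"EUI-64 address for {mac}: {stable}")
    print(f"{stable} embeds MAC: {looks_eui64(str(stable))} -> {mac_from_eui64(str(stable))}")
    print(f"{temporary} embeds MAC: {looks_eui64(temporary)}")
```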

Re: IPv6
aaron161
Enthusiast - Level 2

The size of the IPv6 space is still quite large and it will still take a while to scan.

Just because you don't want to learn how to secure yourself from IPv6 doesn't mean everyone else should suffer.

You do know that Verizon Wireless uses IPv6? IPv4 is dying. It really doesn't matter how much space Verizon has, there will be a time where they do not have enough. Think about how many devices you have connected, then multiply that by the number of people in your neighborhood, city, and state. The number of IoT devices will make IPv6 a necessity.

Re: IPv6
CRobGauth
Community Leader

That is more necessary if you want those devices to have direct Internet access (using a publicly routed address).
Those sitting behind a router using NAT don't affect Verizon's IPv4 address pool.

Re: IPv6
rhcev6
Enthusiast - Level 2

Doesn't matter how large it is. A hacker database of responding IPs, populated and used by several hackers, is all it takes and is REALLY easy to do.

The REAL solution is extending the IPv5 STD with a 5th octet and using it as a country identifier, excluding 001 for the current internet. Adding NAT, PAT, and subnetting is the only thing that would save IPv6, but they will never do it because it would prove how useless all those IPs really are.

I used to work for an app hosting company that ran over 50 servers over ONE IP! The one IP ran one web server over 80/443 and all it did was redirect each server address to the same IP but on a different PAT port range, dedicating each server a 100-port number range. The FW and VERY long dynamic URLs provide just as much security as IPv6.

Also, no one needs more than 1 home IP regardless of how many devices they have, as NAT gives one-way, or even two-way with an agent to an internet server, internet access.

Also, VZ will fight IPv6 forever as they do not want ppl running servers, which could be done with unlimited IPv6 IPs.

I'd LOVE to see how well (NOT!) an Xbox used by someone non-tech holds up to every hacker online!

winDOZE barely holds up behind NAT! 😄

Re: IPv6
smith6612
Community Leader

@rhcev6 wrote:

My Cisco 3825 never gets rebooted or powered off, and when a hacker has over 100 infected bot PCs, scanning IPv6 space isn't hard. You start with ISP-assigned spaces.

Also, UPnP should NEVER be on in the first place. I have never run UPnP, ever. All IPv6 will do is massively complicate my ACL and be very annoying.

Regardless of whether IPv6 comes or not, my LAN is staying IPv4 and I'll put a few servers on the IPv6 side as a DMZ.

I don't do winDOZE anyway. Haven't since 05 on desktops and 04 with NT4 being the last server version I touched. Linux is all I run since 2004/2005.


Right. I realize a massive botnet is going to help someone discover hosts faster. And paying attention to BGP propagation makes the game a lot easier. Again though, to truly discover a host on a single /64 subnet, you're going to have to make either 18446744073709551616 attempts at an ICMP probe or, if you want to stick to a port scan, 1208907372870555465154560 attempts. Like I said, needle in a haystack for a single IPv6 network (assuming it hasn't been subnetted down further). A wise hacker would discover hosts not by port scanning, but by pounding away at the root DNS servers to query their contents of AAAA records. Additionally, to find actual end user devices, they would be better off abusing the mess known as online advertising networks to plant web beacons or otherwise drive-by malware everywhere. Only then will they reliably and accurately pinpoint a machine as well as just punching in an IPv4 address. There is also Shodan, of course. Which makes the job easier for anyone looking to adventure into nefarious behavior with a little bit of money for a premium subscription.

With that said, ACL lists on IPv6 should not be any more difficult than in IPv4. If anything they are easier. Every security-conscious individual I know of treats even RFC1918 IPv4 space as non-trust. And often they manage multiple Class A networks in addition to wide swaths of globally routable address space. And they maintain extensive ACL lists (high maintenance) in more than one place and have a tool to help generate their ACL to support what they want end to end, on the full assumption that they cannot trust even their own network (vertical movement is a serious deal in datacenters). IPv6 has less necessity for extensive end-to-end tooling (considering you're dealing with more than just basic source and destination when involving NAT/PAT/load balancing hosts/bastions). Your IPv6 network would also be designed in a similar fashion to an IPv4 network - you're still mitigating BGP and ARP / NDP poisoning, for example.

With that said, as a community, let's work together on getting IPv6 support. IPv6 would not be an IETF published protocol if it didn't serve a true purpose. Many of us here are network administrators, and have to embrace the new protocol whether we like it or not. It's the only way to further our understanding of the protocol. A network I help to maintain would be noticed on a global scale if it goes offline (Why did "half" of the Internet just break?), and it has to support IPv6 yesterday. We'll need it at some point in the future. Verizon I'm sure would love to reduce the amount of port forwarding calls they get, calls about why third party routers don't work, and sell more McAfee Security suite (ugh) to their end users. They didn't hesitate rolling out IPv6 to their 3G (eHRPD over EV-DO) and LTE networks after all. That must mean something.

Re: IPv6
emiliosic1
Enthusiast - Level 2

NAT is not real security, it was meant to be a hack to overcome the deficiencies of IPv4, and causes enough problems already.

The designers of the Internet didn't mean for devices to be only servers or only consumers.

A lot of bandwidth is wasted because of the static servers. For example, wouldn't you rather be able to download an update, and devices that you already trust be able to cache that update (Or updated app for your phones, for example) be able to serve it?

Regardless, either on IPv4 or IPv6, having a publicly routable address does not mean that there is not going to be a firewall. Consumer WiFi routers on sale today support IPv6 and provide some level of firewall functionality. Incoming ports can be blocked at the router regardless of NAT.

Re: IPv6
rhcev6
Enthusiast - Level 2

@emiliosic wrote:

NAT is not real security, it was meant to be a hack to overcome the deficiencies of IPv4, and causes enough problems already.

> I've never had an issue and LOVE NAT and PAT. It's SUPER easy and works great.

The designers of the Internet didn't mean for devices to be only servers or only consumers.

> Yet that's what everything is designed to be, a server or client, and it just works.

A lot of bandwidth is wasted because of the static servers. For example, wouldn't you rather be able to download an update, and devices that you already trust be able to cache that update (Or updated app for your phones, for example) be able to serve it?

> ABSOLUTELY NOT. I verify each update, and that's not the way CDNs work and they aren't going anywhere.

Regardless, either on IPv4 or IPv6, having a publicly routable address does not mean that there is not going to be a firewall. Consumer WiFi routers on sale today support IPv6 and provide some level of firewall functionality. Incoming ports can be blocked at the router regardless of NAT.

> My ACL is already around 250-275 lines long and many are class A and B like China, Russia, etc., but I also block any class C I get attacks from that fail2ban picks up. Those "firewalls" aren't anything like Checkpoint firewalls.

Just give me IPv5, which is a mirror copy of IPv4 with one more octet on the left, and I'm all set.

