ghshephard | 1 month ago
The IPv6 address that I shared was, in fact, a static (and real) IPv6 address belonging to a real device (with the possible exception of the last 3 bytes), and was likely one I worked on frequently.
Put another way, to do an apples-to-apples comparison:
Hard to attack: FDC2:1045:3216:0001:0013:50FF:FE12:3456
Easier to attack: 2001:1868:209:FFFD:0013:50FF:FE12:3456
winstonwinston | 1 month ago
When using the stateful firewall provided by Linux's packet filter, the IPv6 NAT66 "masquerade" works very similarly to IPv4 NAT. A 1:1 mapping is NOT required.
For example, internal hosts are configured as follows:
inet6 fd00::200/64 scope global noprefixroute
ip -6 route add default via fd00::1
Edit: From my understanding, NAT66 is ambiguous and may work as a stateful, port-based translation similar to IPv4 NAT, whereas NPTv6 is a stateless, prefix-only translation.
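The NPTv6 side of that distinction is worth seeing in code, because "stateless, prefix-only" hides a non-obvious detail: the translator must keep the one's-complement sum of the address unchanged so that TCP/UDP/ICMPv6 checksums, which cover the addresses in their pseudo-header, stay valid without any per-packet checksum rewriting. The following is an added example, not code posted by winstonwinston or anyone else in the thread. It implements the checksum-neutral mapping from RFC 6296 in Python. Assumptions: the external prefix is the documentation prefix 2001:db8::/32 standing in for a real GUA; the choice of which 16-bit word absorbs the adjustment (the subnet word for /48 and shorter, the first IID word that is not 0xFFFF for /64) and the treatment of a 0xFFFF result follow my reading of RFC 6296 sections 3.1 and 3.2; and, to keep the example short, prefixes must fall on a 16-bit boundary and be no longer than /64.

```python
"""NPTv6 (RFC 6296) stateless, checksum-neutral prefix translation.

Added example for the thread above, not code from any commenter.
Outbound replaces the internal prefix with the external one and adds a
fixed one's-complement "adjustment" to one word so the 16-bit one's
complement sum of the address is unchanged; inbound is the exact inverse.
No connection table, no port rewriting: each direction is a pure function.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def words(addr: ipaddress.IPv6Address) -> list[int]:
    """Split a 128-bit address into eight 16-bit words (network order)."""
    b = addr.packed
    return [(b[i] << 8) | b[i + 1] for i in range(0, 16, 2)]


def from_words(w: list[int]) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w))


def ones_sum(vals) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071 style)."""
    s = 0
    for v in vals:
        s += v
        s = (s & 0xFFFF) + (s >> 16)
    return s


def ones_neg(v: int) -> int:
    """One's complement negation of a 16-bit word."""
    return (~v) & 0xFFFF


def same_checksum_contribution(a, b) -> bool:
    """True if a and b contribute identically to a transport checksum.

    0x0000 and 0xFFFF are both zero in one's complement, so normalise first.
    """
    def norm(s: int) -> int:
        return 0 if s == 0xFFFF else s
    return norm(ones_sum(words(ipaddress.IPv6Address(a)))) == \
        norm(ones_sum(words(ipaddress.IPv6Address(b))))


@dataclass(frozen=True)
class NPTv6:
    """Stateless translator between an internal and an external prefix of equal length."""
    internal: ipaddress.IPv6Network
    external: ipaddress.IPv6Network

    def __post_init__(self) -> None:
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("internal and external prefixes must have the same length")
        # Assumption for this example: prefix on a 16-bit boundary, no longer than /64.
        if self.internal.prefixlen % 16 or not 16 <= self.internal.prefixlen <= 64:
            raise ValueError("this example supports /16, /32, /48 and /64 prefixes")

    def outbound(self, addr) -> ipaddress.IPv6Address:
        return self._map(ipaddress.IPv6Address(addr), self.internal, self.external)

    def inbound(self, addr) -> ipaddress.IPv6Address:
        return self._map(ipaddress.IPv6Address(addr), self.external, self.internal)

    @staticmethod
    def _map(addr: ipaddress.IPv6Address, src: ipaddress.IPv6Network,
             dst: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
        if addr not in src:
            raise ValueError(f"{addr} is not inside {src}")
        n = src.prefixlen // 16
        w = words(addr)
        # adjustment = sum(src prefix words) - sum(dst prefix words), one's complement.
        adj = ones_sum(words(src.network_address)[:n]
                       + [ones_neg(x) for x in words(dst.network_address)[:n]])
        # Reading of RFC 6296 3.1/3.2 (assumption): /48 and shorter adjust the subnet
        # word (index 3); /64 adjusts the first IID word that is not 0xFFFF.
        candidates = [3] if src.prefixlen <= 48 else range(4, 8)
        idx = next((i for i in candidates if w[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError(f"{addr} cannot be translated: no word free for the adjustment")
        w[:n] = words(dst.network_address)[:n]
        new = ones_sum([w[idx], adj])
        # 0xFFFF and 0x0000 are the same one's complement value; using 0x0000 keeps
        # the mapping invertible (assumption, see lead-in).
        w[idx] = 0 if new == 0xFFFF else new
        return from_words(w)


if __name__ == "__main__":
    # Constructed sample: the ULA from the thread mapped onto a documentation prefix.
    t = NPTv6(ipaddress.IPv6Network("fdc2:1045:3216::/48"),
              ipaddress.IPv6Network("2001:db8:1::/48"))
    inside = "fdc2:1045:3216:1:13:50ff:fe12:3456"
    out = t.outbound(inside)
    print(inside, "->", out, "->", t.inbound(out),
          "checksum-neutral:", same_checksum_contribution(inside, out))
```

Run it and the subnet word 0001 becomes 1265 on the way out and 0001 again on the way back, with the address sum identical both times; the host, not the translator, still owns the checksum. The stateful counterpart winstonwinston describes is, on a current Linux box, an nftables `masquerade` rule in an `ip6` table's postrouting NAT chain (for example `nft add rule ip6 nat postrouting oifname "eth0" masquerade` once the table and chain exist); that path creates a conntrack entry per flow and may rewrite source ports, which is exactly the state NPTv6 avoids.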
Spivak | 1 month ago
fcab:cdef:1234:5678:9abc:def0:1234:5678
The whole point is that your devices on the inside of your network can't be routed to at all.
zamadatix | 1 month ago
You don't need to change the prefix to prevent an address from being routed to from the internet, but you do need a firewall if you want an address to be securely reachable from the internet. If you don't want an address to be reachable, what the address is whatsoever doesn't matter so long as you've implemented any possible way of making it unreachable.
ghshephard | 1 month ago