It's scary how much of this thread comes from people who can't imagine a use for keeping internal traffic internal. In IPv4, if my laptop tries to use a printer with a public IPv4 address, that raises alarms. In IPv6, if my laptop tries to use a printer with an IPv6 address...
It's not about the firewall. There are just a lot of extra attack vectors without a NAT.
I agree with the majority of your point, but hopefully your printer hasn't been assigned IPv6 IPs that are global in nature and is instead limited to site-local.
MPSimmons|1 month ago
For anyone who is reading this but hasn't used IPv6, IPv6 addresses are a large flat 128-bit contiguous address space, but they are not universally routable. The prefix of any specific address determines what group of other IPs can get to it.
We often think of a computer as having an IP address, but with IPv6, computers will have several addresses, all with different prefixes to handle different types of traffic.
This site does a decent job of explaining - https://networklessons.com/ipv6/ipv6-address-types
If you plug your printer into your home network, and if the local DHCP server is configured to hand out globally routable addresses from your ISP provided /64, then your printer will also be globally routable (as well as your "smart" fridge, "smart" TV, "smart" thermostat, etc). In my personal experience this is the default situation with consumer ISP IPv6 setups.
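The scope classification the comments above describe (a host holding several addresses at once, the prefix of each deciding who can route to it, and the question of whether the printer ended up with a global address out of the ISP's /64), as an added example that is not code from any commenter in this thread. It uses Python's standard `ipaddress` module; the address list is constructed to resemble what a home printer might hold, the global address is a well-known public resolver address standing in for one from an ISP /64, and it goes slightly beyond the thread by handling IPv4 as well.

```python
"""Classify a host's addresses by the reachability their prefix implies.

Added example for this thread (not code from any commenter). An IPv6 host
holds several addresses at once, and the prefix of each one decides which
other hosts can route to it; this audits which of them are reachable from
the Internet if nothing in the path filters.
"""
import ipaddress

# Constructed sample: what a printer on a home LAN with an ISP /64 might hold
# (roughly what `ip -6 addr` / `ip addr` would list).
PRINTER_ADDRS = [
    "::1",                         # loopback
    "fe80::1a2b:3cff:fe4d:5e6f",   # link-local (fe80::/10): same link only
    "fd12:3456:789a::10",          # unique local (fc00::/7): site-internal, never routed on the Internet
    "fec0::10",                    # site-local (fec0::/10), deprecated by RFC 3879
    "2001:4860:4860::8888",        # stand-in for a global address handed out of the ISP /64
    "192.168.1.20",                # IPv4 RFC 1918: reachable from the LAN, hidden behind NAT
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.ip_network("fc00::/7")


def classify(addr: str) -> str:
    """Return the scope implied by the address prefix (both families)."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.version == 6:
        if ip.is_site_local:
            return "site-local (deprecated)"
        if ip in ULA:
            return "unique-local"
    elif any(ip in n for n in RFC1918):
        return "rfc1918-private"
    if ip.is_global:
        return "global"
    return "reserved/other"


def globally_reachable(addrs):
    """Addresses an Internet host could route to if nothing in the path filters
    (the default-configuration situation the comment above describes)."""
    return [a for a in addrs if classify(a) == "global"]


if __name__ == "__main__":
    for a in PRINTER_ADDRS:
        print(f"{a:28} {classify(a)}")
    print("exposed without a firewall:", globally_reachable(PRINTER_ADDRS))
```

Only the address with the global prefix is reachable from outside; the link-local, unique-local and site-local ones are not, whatever the firewall does. Whether that one global address is actually exposed then depends entirely on whether the router filters unsolicited inbound traffic, which is the point the following comments argue about.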
fc417fc802|1 month ago
This difference in theory versus practice is precisely why we see people objecting that IPv4 is more secure as far as default configurations go when it comes to home use.
That said, I expect (hope?) that all ISP gear should default to enabling a stateful firewall. Hopefully there's no difference between the default security of an IPv4 and an IPv6 setup in practice. But given the history I'm not entirely optimistic.
kstrauser|1 month ago
> In IPv4, if my laptop tries to use a printer with a public IPv4 address, that raises alarms.
The only way that's possible is that you have a firewall rule blocking outbound connections to common printer ports like 631. NAT couldn't care less what outbound port you're connecting to, so it has to be a firewall doing that work.
> In IPv6, if my laptop tries to use a printer with an IPv6 address...
...so enable that same rule you manually configured on IPv4 on the IPv6 firewall, too.
What you're describing is not default or inherent behavior. If you went out of your way to enable it, you have the skills to do it twice. That's assuming your firewall is no more complicated than "block outbound port <631> to <any IP>", which covers both protocols on most firewalls I've used.
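A simulation of the rule the comment above describes, as an added example (not code from any commenter, and not any firewall product's code): a default-drop forward filter with a connection-tracking table, whose single port-631 egress rule is written once and applies to both families, with no NAT in the picture at all. It also models the stateful default the earlier comment hopes ISP gear ships with: unsolicited inbound is dropped whether the inside host has an RFC 1918 address or a global IPv6 one. The packets and the interface names `lan` and `wan` are constructed.

```python
"""Family-agnostic stateful forward filter, simulated.

Added example (not from the thread, not any firewall's real code). The
filter never looks at the address family: the egress rule on printer ports
and the default-drop on unsolicited inbound apply identically to IPv4 and
IPv6. NAT is deliberately absent, because NAT is not what makes either
decision.
"""
from dataclasses import dataclass
import ipaddress

PRINTER_PORTS = {631, 9100}   # IPP and raw (JetDirect) printing


@dataclass(frozen=True)
class Packet:
    in_if: str    # interface it arrived on: "lan" or "wan" (constructed names)
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int


class StatefulForwardFilter:
    """Default-drop forward chain with a minimal connection-tracking table."""

    def __init__(self):
        # 5-tuples of flows the LAN initiated; replies to these are allowed back.
        self.flows = set()

    @staticmethod
    def _tuple(p):
        # ipaddress objects normalise both families, so "2001:db8::1" and
        # "2001:0db8::1" hash the same; the family itself is never consulted.
        return (p.proto, ipaddress.ip_address(p.src), p.sport,
                ipaddress.ip_address(p.dst), p.dport)

    def _reply_of_known_flow(self, p):
        proto, src, sport, dst, dport = self._tuple(p)
        return (proto, dst, dport, src, sport) in self.flows

    def decide(self, p):
        # 1. ct state established,related accept: replies to LAN-initiated flows.
        if self._reply_of_known_flow(p):
            return "accept"
        # 2. Anything else arriving from the WAN is unsolicited: drop. This is
        #    the stateful default, and it does not care whether the inside
        #    destination is 192.168.x.y or a global IPv6 address.
        if p.in_if == "wan":
            return "drop"
        # 3. Egress policy for LAN-initiated traffic: a LAN host reaching a
        #    printer port across the WAN is the anomaly the first commenter
        #    wants flagged. One rule, no address-family test. (LAN-to-LAN
        #    printing never transits the router's forward chain, so it is
        #    unaffected.)
        if p.proto == "tcp" and p.dport in PRINTER_PORTS:
            return "drop"
        # 4. Everything else outbound: accept and remember the flow.
        self.flows.add(self._tuple(p))
        return "accept"


if __name__ == "__main__":
    fw = StatefulForwardFilter()
    for pkt in (
        Packet("lan", "192.168.1.10", "198.51.100.7", "tcp", 40000, 631),     # v4 laptop -> remote printer
        Packet("lan", "2001:db8:1::10", "2001:db8:9::7", "tcp", 40001, 631),  # v6 laptop -> remote printer
        Packet("lan", "2001:db8:1::10", "2001:db8:9::7", "tcp", 40002, 443),  # v6 laptop -> web
        Packet("wan", "2001:db8:9::7", "2001:db8:1::10", "tcp", 443, 40002),  # the reply
        Packet("wan", "2001:db8:9::7", "2001:db8:1::20", "tcp", 5555, 631),   # unsolicited, to the printer
    ):
        print(pkt.in_if, pkt.src, "->", pkt.dst, pkt.dport, fw.decide(pkt))
```

In a real ruleset the same property comes from the table family: an nftables table of family `inet` applies its rules to both IPv4 and IPv6, so one `tcp dport 631 drop` line in the forward chain is the "block outbound port 631 to any IP" rule the comment means, and the `ct state established,related accept` line ahead of it gives the stateful behaviour for both families.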
p_ing|1 month ago
Not if your firewall is dropping packets. It doesn't matter if your internal network has routable public IPs or not.
Apple used to have all (most?) workstations on publicly routable IPs since they jumped on the class A networks early.