undefined | Better HN

orangeboats2y ago· 2 in thread

>exposing your LAN to public routing tables is madness

And I don't understand why people think that.

You are exposing a /64 network. That's 2^64 addresses, no one can scan your LAN if that's what you fear, nor can anyone reach your hosts if you build a stateful firewall that denies incoming connections - you know, just like NAT. But minus the packet modifications.

otabdeveloper4OP2y ago

> no one can scan your LAN

Are we really back to security by obscurity? Please don't tell me you are serious.

Anyways, you can't rely on ISP's handing out sufficiently large network ranges to make your security-by-obscurity scheme work.

orangeboats2y ago

Are we not _already_ attempting security by obscurity at the very moment we talk about "exposing your LAN" as a supposed weakness of IPv6?

/64 is the smallest network your ISP can hand out, of course you can rely on that. Even my mobile phone is getting a /64 from my ISP.

fulafel2y ago· 1 in thread

Using global addresses is not, of course, "exposing your LAN to public routing tables", or any charitable interpretation thereof. Reachability != addressing.

otabdeveloper4OP2y ago

Global addressing is a bug and a ticking time bomb in this case, not a feature.

tremon2y ago

Is IPv6 Unique Local Addressing still a thing (or again)? Just because a machine has an IPv6 address does not mean it is automatically routable over the entire Internet.

0 comments

0 comments