0

Apparently, for half a year already at least, my ISP has assigned me IPv6 addresses. I discovered this accidentally, while editing Wikipedia. So it seems my ISP started to support IPv6 addresses and decided it was a good time to give them out to users. (Unlike my college colleagues, who are crazed with IPv6 shiny newness, I wasn't asking for this.)

Now pardon my incompetence.... But, AFAIK, unlike IPv4 addresses, IPv6 addresses do not use NAT and instead, are all directly routable from the Internet. Is this correct?

If the computer is directly routable to the internet (a very bad idea in this day and age), common vulnerable ports will be scanned by bots and immediately exploited.

(source: this comment)

So it would seem that, contrary to IPv4 addresses, IPv6 addresses are inherently insecure; or rather, they are only as secure as the router's hardware. Is this correct?

gaazkam

2 Answers

3

Even though IPv6 addresses as such are globally routable, it does not necessarily mean that a system with one is exposed. In many cases (sadly not all), your consumer-grade router will employ stateful firewalling, meaning that new inbound connections will be denied by default. You can test this by performing a port scan of your device from an external IPv6-supporting host. If ports are open externally, you may need to add a firewall somewhere.

Second, there are way too many IPv6 addresses to perform mass scanning and exploitation as is possible with IPv4, so it is unlikely a host will be picked off at random. That said, if attackers can enumerate addresses through other means (e.g. you visit their website from an address), it could still be singled out and targeted.

multithr3at3d
1

The quoted comment is somewhat imprecise in its use of the expression "directly routable to the internet." What it should have said is "directly reachable from the internet."

With IPv4, many routers have relied on NAT preventing that direct reachability, thereby providing a certain measure of protection against attacks from the Internet even without a firewall. This protection has never been perfect, though. With IPv6, NAT is gone, so that rudimentary protection no longer exists, and router manufacturers have to (and do) build firewalling into their devices.

If your router lacked firewalling and passed all traffic arriving from the Internet unfiltered to the devices behind it then yes, getting an IPv6 address from your ISP would expose your devices to direct attacks from the Internet.

Tilman Schmidt
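Added example, not part of either answer: a local audit that complements the external port scan suggested above by listing which TCP listeners on your own machine would be reachable from the Internet if the router passed IPv6 traffic unfiltered. The `ss` output is a constructed sample, and the function names are hypothetical.

```python
import ipaddress

# Global unicast space. It also contains 2001:db8::/32, the documentation
# prefix used for the constructed global address in the sample below.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Constructed sample of `ss -H -6 -tln` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 [::1]:631 [::]:*
LISTEN 0 511 *:8080 *:*
LISTEN 0 128 [fe80::a00:27ff:fe4e:66a1]%eth0:5353 [::]:*
LISTEN 0 128 [2001:db8:1:2::10]:445 [::]:*
"""


def classify(host):
    """Map a listener's local-address field to the scope it is reachable in."""
    if host == "*":  # dual-stack wildcard socket
        return "wildcard"
    # Drop the brackets and any %interface scope suffix before parsing.
    addr = ipaddress.IPv6Address(host.split("%")[0].strip("[]"))
    if addr.is_unspecified:  # [::] accepts on every address, global ones included
        return "wildcard"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:  # fe80::/10 is never forwarded by a router
        return "link-local"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"  # e.g. unique local addresses in fc00::/7


def exposed_listeners(ss_output):
    """Return sorted (port, scope) pairs reachable via a global IPv6 address."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        kind = classify(host)
        if kind in ("wildcard", "global"):
            exposed.append((int(port), kind))
    return sorted(exposed)


if __name__ == "__main__":
    for port, kind in exposed_listeners(SAMPLE_SS):
        print(f"tcp/{port} listens on a {kind} address: relies on a firewall")
```

Anything this reports depends entirely on the router's or host's firewall for protection, so those are the ports to verify from an external IPv6 host.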