= Message: 10663 of 12490 ===================================== ENET.SYSOP =
From : Michiel van der Vlist 2:280/5555 08 May 21 12:45:39
To : Matthias Hertzog 08 May 21 12:45:39
Subject : IPv6
FGHI : area://ENET.SYSOP?msgid=2:280/5555+60967139
In reply to : area://ENET.SYSOP?msgid=2:301/1+60965dc0
= Message encoding detected as: CP850 ==================================
Reply: area://ENET.SYSOP?msgid=2:301/1+60967990
==============================================================================
Hello Matthias,
On Saturday May 08 2021 11:44, you wrote to me:
MH>>> Handling a port is not that hard.
MV>> It isn't hard, but once you let go of the "IPv4 NAT think", many
MV>> things become a lot easier with IPv6.
MH> Easier but unsecure as hell.
A misunderstanding common among those who have not let go of "IPv4 think".
The misunderstanding is based on the idea that NA(P)T is a security feature. It is not. The original idea was that every device connected to the Internet has its own unique globally routable IP address. This broke down some 25 years ago when the number of devices outnumbered the available (IPv4) addresses. NA(P)T is a trick to have more than one device - or more accurately, more than one interface - share a public IP address.
NAT has a side effect. It blocks all unsolicited incoming packets by default. For the simple reason that it does not know what to do with them. NAT was not designed for that purpose, but it does have this "security feature" as a side effect.
Yes, if you let all IPv6 packets pass unfiltered then IPv6 is unsecure. Just like IPv4 was in the days before NAT. The solution is the same as it was with IPv4 before NAT: use a firewall.
These days every decent consumer router has a built-in IPv6 firewall that blocks all unsolicited incoming IPv6 packets by default.
Also OSs have firewalls to filter incoming packets. The Windows firewall also blocks unsolicited incoming IPv6 packets by default.
To run a server one must explicitly tell the firewall to pass the packets concerned.
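
The following is an added example, not part of the original message: a small Python model that runs the same constructed traffic through a simplified NAPT table and through a stateful IPv6 filter, to show that the inbound blocking is identical and that only the firewall does it by policy. The class names, addresses (documentation ranges) and ports are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed sample traffic; all addresses are documentation ranges.
Packet = namedtuple("Packet", "src sport dst dport inbound")

class Napt:
    """IPv4 NAPT (simplified): inbound is dropped only when no mapping exists."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port, self.maps = public_ip, 40000, {}

    def handle(self, p):
        if not p.inbound:                      # outbound creates a mapping
            self.maps[self.next_port] = (p.dst, p.dport)
            self.next_port += 1
            return "pass"
        # Inbound: pass only if it matches a mapping made by earlier outbound traffic.
        ok = p.dst == self.public_ip and self.maps.get(p.dport) == (p.src, p.sport)
        return "pass" if ok else "drop"

class Firewall6:
    """IPv6 stateful filter: no translation, inbound dropped by policy."""
    def __init__(self):
        self.flows, self.servers = set(), set()

    def allow_server(self, addr, port):        # the explicit "pass" rule
        self.servers.add((addr, port))

    def handle(self, p):
        if not p.inbound:                      # outbound flow is remembered
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "pass"
        reply = (p.dst, p.dport, p.src, p.sport) in self.flows
        opened = (p.dst, p.dport) in self.servers
        return "pass" if reply or opened else "drop"

def demo():
    nat, fw, out = Napt("203.0.113.5"), Firewall6(), {}
    probe6 = Packet("2001:db8:ffff::9", 6000, "2001:db8:1::20", 8080, True)
    # Unsolicited inbound packet: both drop it.
    out["nat_unsolicited"] = nat.handle(Packet("198.51.100.9", 5555, "203.0.113.5", 8080, True))
    out["fw_unsolicited"] = fw.handle(probe6)
    # Outbound request followed by its reply: both pass the reply.
    nat.handle(Packet("192.168.1.10", 50000, "198.51.100.9", 443, False))
    out["nat_reply"] = nat.handle(Packet("198.51.100.9", 443, "203.0.113.5", 40000, True))
    fw.handle(Packet("2001:db8:1::10", 50000, "2001:db8:ffff::9", 443, False))
    out["fw_reply"] = fw.handle(Packet("2001:db8:ffff::9", 443, "2001:db8:1::10", 50000, True))
    # Running a server: the same packet passes once a rule is added.
    fw.allow_server("2001:db8:1::20", 8080)
    out["fw_server"] = fw.handle(probe6)
    return out
```
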