
Comment by ghshephard

12 hours ago

NAT66 doesn't add much in the way of security here, because the external address is fully routable and maps 1:1 to the internal address. You are once again fully dependent on a correctly configured firewall.

The IPv6 address that I shared was, in fact, a static (and real) IPv6 address, belonging to a real device (with the possible exception of the last 3 bytes), and was likely one I worked on frequently.

Put another way - to do an apples to apples comparison:

  Hard to attack:   FDC2:1045:3216:0001:0013:50FF:FE12:3456
  Easier to attack: 2001:1868:209:FFFD:0013:50FF:FE12:3456

> NAT66 doesn't add much in the way of security here, because the external address is fully routable and maps 1:1 to the internal address. You are once again fully dependent on a correctly configured firewall.

When using the stateful firewall provided by Linux's packet filter, the IPv6 NAT "masquerade" works very similarly to IPv4 NAT. A 1:1 mapping is NOT required.

For example, internal hosts are configured as follows:

  inet6 fd00::200/64 scope global noprefixroute

  ip -6 route add default via fd00::1

Hardest to attack:

  fcab:cdef:1234:5678:9abc:def0:1234:5678

The whole point is that your devices on the inside of your network can't be routed to at all.
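The thread's comparison (a ULA address that is not routable from the Internet versus a global address that depends entirely on the firewall) can be checked mechanically. The script below is an added example, not code from any commenter; it uses Python's standard `ipaddress` module to classify the addresses quoted above as ULA (`fc00::/7`) or globally routable, and flags interface identifiers in the modified EUI-64 form (the `..FF:FE..` pattern visible in two of the thread's addresses), which is the reason the poster could say the address was "real" apart from its last bytes: such an identifier is derived from the device's MAC address. The MAC recovery assumes the identifier really is modified EUI-64 and is included so a defender can audit their own hosts for it; the `ADDRESSES` table is constructed from the thread.

```python
import ipaddress

# Constructed from the addresses quoted in the thread above (labels are ours).
ADDRESSES = {
    "ula_eui64": "FDC2:1045:3216:0001:0013:50FF:FE12:3456",
    "gua_eui64": "2001:1868:209:FFFD:0013:50FF:FE12:3456",
    "ula_random": "fcab:cdef:1234:5678:9abc:def0:1234:5678",
    "ula_manual": "fd00::200",
}

# Unique Local Addresses: not routed on the public Internet, regardless of firewall state.
ULA = ipaddress.IPv6Network("fc00::/7")


def interface_id(addr: ipaddress.IPv6Address) -> int:
    """Low 64 bits of the address (the interface identifier)."""
    return int(addr) & ((1 << 64) - 1)


def is_modified_eui64(iid: int) -> bool:
    """Modified EUI-64 identifiers carry 0xFFFE in bytes 3-4 of the 64-bit IID."""
    return (iid >> 24) & 0xFFFF == 0xFFFE


def mac_from_eui64(iid: int) -> str:
    """Reverse the EUI-64 expansion: drop the FF:FE filler and flip the U/L bit."""
    b = iid.to_bytes(8, "big")
    mac = bytes([b[0] ^ 0x02, b[1], b[2], b[5], b[6], b[7]])
    return ":".join(f"{x:02x}" for x in mac)


def classify(addr_str: str) -> dict:
    """Summarise how exposed a host with this address is and what the IID reveals."""
    addr = ipaddress.IPv6Address(addr_str)
    ula = addr in ULA
    iid = interface_id(addr)
    eui64 = is_modified_eui64(iid)
    return {
        "address": str(addr),
        "ula": ula,
        # A global address is reachable from outside unless the firewall blocks it.
        "globally_routable": (not ula) and addr.is_global,
        "firewall_dependent": (not ula) and addr.is_global,
        "eui64_iid": eui64,
        "mac": mac_from_eui64(iid) if eui64 else None,
    }


def report(addresses: dict) -> list:
    """Classify every address, least exposed first (ULA before global)."""
    rows = [dict(label=label, **classify(a)) for label, a in addresses.items()]
    return sorted(rows, key=lambda r: (r["globally_routable"], r["eui64_iid"]))


if __name__ == "__main__":
    for row in report(ADDRESSES):
        print(
            f"{row['label']:<11} {row['address']:<40} "
            f"ULA={row['ula']!s:<5} routable={row['globally_routable']!s:<5} "
            f"EUI-64={row['eui64_iid']!s:<5} mac={row['mac']}"
        )
```

Running it prints the ULA entries first; only the `2001:1868:...` address comes back as globally routable, and both `..FF:FE..` addresses expose the same MAC-derived identifier, which is why a host using stable EUI-64 identifiers is easier to track across prefixes than one using a random identifier like the `fcab:...` example.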