Hacker News

1.

Banning a /64 prefix is not a bad idea if you are getting hit hard by botnets running on IPv6 that are within that same /64, maybe go up to /48 if required.

Officially a /64 is a single site; you can equate it to a single IPv4 address that is being used as a NAT gateway.

2.

You mean the "fake" NTP servers that record the information? Clients should be running firewalls anyway, and endpoint security is as important as before. Also, CPE should be running a firewall that disallows all incoming traffic and only allows outgoing. NAT-PMP or UPnP can be used to open up ports as necessary. Although the standard does need to get fleshed out a little more.

None of this has changed BTW, in IPv4 this was and is best practice too, NAT/Firewall on the edge does not protect devices, and devices inside should all be running firewalls and the like as necessary.

Clients like OS X/Windows/Linux that are running desktops should be using privacy addresses; this would allow them to move from IP to IP over time, thereby alleviating the "one static IP for life".

3.

Except that in a lot of cases ISPs will happily give you a DHCP lease that can be renewed over and over. I've had my current IP from Comcast for a little over 2 years now. No recycling going on there...

Recycling IPs is a false sense of security anyway. IPv6 with privacy addresses makes this simpler though. Hop away... now you can have a new IP address every 10 minutes...




1. I'm not talking about botnets, I'm talking about sites that crawl your content to copy your database and mine competitive intelligence on it.

2. Clients should be running firewalls anyway, yeah, yeah. 99% of the security holes online are because of "shoulds". In the wild many, many, many people will assume their IP is unguessable and then it will leak _somehow_. A single hacked device on the other side of the firewall, or a misconfigured firewall, etc.

3. Well that might be true for your home internet, but it's almost certainly not true for your mobile phone unless you live somewhere weird.


1. Same thing, ban the entire /64, or /48. Now it's similar to banning an IPv4 address.

2. Hacked device on the other side of the firewall has been an issue even with NAT. NAT + firewall is not some magic unicorn; if someone gains access to a device behind your NAT + firewall they are still on your local network. No change there.

3. Most users will use Wifi at home, thus have an IP address that can be tracked. My exit IP for my T-Mobile phone is almost always the same too when I am in the same location...
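The /64 (or /48) banning discussed in the comments above, as an added Python example that is not from any commenter: IPv6 clients are collapsed to their /64 before counting and blocking, which the thread equates to treating an IPv4 address behind NAT as one unit. The sample hits, the threshold and the `PrefixBanList` class are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of client addresses seen hitting a site (not real traffic).
SAMPLE_HITS = [
    "2001:db8:1:2::10", "2001:db8:1:2::11", "2001:db8:1:2:abcd::1",  # one /64
    "2001:db8:1:3::1",        # same /48 as above, different /64
    "2001:db8:ffff::1",       # unrelated /48
    "198.51.100.7", "198.51.100.7",
]


def aggregate_key(addr: str, v6_prefix: int = 64) -> str:
    """Map an address to the block used for counting and banning.

    IPv6 addresses are collapsed to their /64 (or a wider prefix such as /48),
    so a client hopping through privacy addresses inside one site still counts
    as one source. IPv4 addresses stay a /32.
    """
    ip = ipaddress.ip_address(addr)
    plen = v6_prefix if ip.version == 6 else 32
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def count_by_block(addrs, v6_prefix: int = 64) -> Counter:
    """Count hits per aggregated block."""
    return Counter(aggregate_key(a, v6_prefix) for a in addrs)


class PrefixBanList:
    """Ban list keyed by network; a lookup matches any banned block containing the address."""

    def __init__(self):
        self.banned = []

    def ban(self, cidr: str) -> None:
        self.banned.append(ipaddress.ip_network(cidr, strict=False))

    def is_banned(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip.version == net.version and ip in net for net in self.banned)


def build_ban_list(addrs, threshold: int = 3, v6_prefix: int = 64) -> PrefixBanList:
    """Ban every aggregated block that reaches the hit threshold."""
    bl = PrefixBanList()
    for block, hits in count_by_block(addrs, v6_prefix).items():
        if hits >= threshold:
            bl.ban(block)
    return bl
```

Widening `v6_prefix` to 48 trades fewer false negatives (the whole site's allocation is blocked) for more collateral damage, which is the same judgement call the thread describes.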





