Reply to post: Re: Reason for disabling IVP6

The D in Systemd stands for 'Dammmmit!' A nasty DHCPv6 packet can pwn a vulnerable Linux box

Anonymous Coward

Re: Reason for disabling IVP6

'tis you who misses the point.

I don't want every machine on my LAN having its own world-visible address. It serves no benefit to me, means I have to spend a lot more time faffing around with firewalls etc (rather than having just one decent gateway), can never be fully sure a machine is fully secured, have no protection against friends/family coming in other than to deny them access to the network.

With NAT I need to be sure my borders are secure, but I need not worry about anything inside my borders. The holes through my borders are ones I make knowingly. Ones made by bugs are much harder to exploit with NAT than with a leaky firewall, of which I might find with v6 that I have a dozen to fix in a small amount of time (and of course since the firewall is the machine's only protection, I can't as easily isolate it until I have something better installed as I can with NAT).

I still run OK firewalls on each machine as I do have guests on my network, but I don't need to work nearly as hard at protecting my machines from them as I do at protecting my machines from outsiders. And with IPv6 I have to do that work on every machine.

NAT makes my life a lot easier, and that's the point of keeping it around. I don't have a use for machines being able to bypass my gateway, and I don't want them to. At some stage I expect to go IPv6 at the gateway, but I will remain on NAT/v4 inside.
