On 13 May 2017, at 13:54, Tony Langdon vk3jed@vkradio.com wrote:
> Actually, a lot of routers block all inbound traffic by default, so the situation shouldn't change too much. Scanning my IP will be too inefficient with IPv6 as well, because the address space is vast, and the majority of IPs in a given network are unused. Will be interesting to see how malware adapts.
Let me show you a practical example :)
Imagine that you are sitting behind a misconfigured IPv6 router which doesn't block incoming connections. A hotel hotspot for example. I guess it's going to be commonplace.
Now, you are visiting a website. Thanks to RFC4941 your computer has a temporary IPv6 address used for the purpose of originating outgoing connections. That address, moreover, doesn't have any identifying information.
So, you visit the website. The website uses an advertising system that of course wants to track you. You are using "private" settings in your browser so that it doesn't store cookies or website data. However, you happen to have your trusty ssh daemon listening. Which is not unusual. Who hasn't forgotten to disable it now and then?
Now, the advertiser tries to connect to your ssh daemon. Finding it with a scan wouldn't be feasible, of course, there are too many addresses to try. But you have revealed it by visiting the website and, hence, downloading an ad from the dodgy ad server. The dodgy ad server knows your IPv6 address and connects back. Your ssh server offers a public host key, which is indeed identifiable data. They will know that you are the same user who visited yesterday from the airport in another city.
I like to compare IPv4 to land war (you are protected behind a strong defense) and IPv6 to maritime war. Finding you beyond the horizon can be really difficult unless you reveal yourself by turning on the radar (i.e., visiting that website, joining a file sharing p2p network, sending an email through a provider that displays all the IP addresses in the mail headers, whatever).
There is a simple solution to this. Programs listening on INADDR_ANY shouldn't receive incoming connections by default, so daemons such as ssh or whatever you have there running shouldn't receive it unless specified by the programmer (it can be important in certain cases).
But for now your temporary addresses are treated like, well, IPv6 addresses by all the OSs I have tried. So your ssh is listening on all of them ;)
Borja.
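As an added example (not part of Borja's message), a small Python check for the situation he describes: it reads `ip -6 addr` output to find the RFC 4941 temporary addresses, then reads `ss -H -tln` output and flags every IPv6 listener bound to the wildcard address (in6addr_any, shown as `[::]`), which is reachable on every temporary address, or bound to a temporary address directly. The command outputs below are constructed samples in the format those tools print; the stable/temporary addresses and ports in them are made up.

```python
import re
import ipaddress

# Constructed sample of `ip -6 addr show` output: one RFC 4941 temporary
# address, the stable address that manages it (mngtmpaddr), and link-local.
IP_ADDR_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:0:7c1e:9a4f:3b2d:6e10/64 scope global temporary dynamic
       valid_lft 86175sec preferred_lft 14175sec
    inet6 2001:db8:1:0:a1b2:c3d4:e5f6:708/64 scope global dynamic mngtmpaddr
       valid_lft 86175sec preferred_lft 86175sec
    inet6 fe80::a1b2:c3d4:e5f6:708/64 scope link
       valid_lft forever preferred_lft forever
"""

# Constructed sample of `ss -H -tln` output (header suppressed):
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [2001:db8:1:0:a1b2:c3d4:e5f6:708]:8080 [::]:*
LISTEN 0 4096 [::1]:631 [::]:*
"""

IN6ADDR_ANY = ipaddress.IPv6Address("::")

def temporary_addresses(ip_addr_text):
    """Return the set of temporary (privacy) IPv6 addresses, as strings."""
    temps = set()
    for line in ip_addr_text.splitlines():
        m = re.match(r"\s*inet6\s+([0-9a-fA-F:]+)/\d+\s+(.*)", line)
        if m and "temporary" in m.group(2).split():
            temps.add(str(ipaddress.IPv6Address(m.group(1))))
    return temps

def exposed_listeners(ss_text, temps):
    """Return (address, port) pairs that accept connections on a temporary address."""
    exposed = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        m = re.match(r"\[([0-9a-fA-F:]+)\]:(\d+)$", fields[3])
        if not m:
            continue  # IPv4 listeners are not reachable over IPv6
        addr, port = ipaddress.IPv6Address(m.group(1)), int(m.group(2))
        if addr == IN6ADDR_ANY or str(addr) in temps:  # wildcard or temp-bound
            exposed.append((str(addr), port))
    return exposed

if __name__ == "__main__":
    for addr, port in exposed_listeners(SS_OUTPUT, temporary_addresses(IP_ADDR_OUTPUT)):
        print(f"reachable on temporary addresses: [{addr}]:{port}")
```

On a live host, feed it the real output of the two commands (via `subprocess`) instead of the constructed samples; the sshd on port 22 bound to `[::]` is exactly the listener Borja's example relies on.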