
> I don't understand why

I will resist the urge to be snarky at your expense and politely point out that exposing your LAN to public routing tables is madness, from all perspectives.

It brings no benefits and carries huge risks.



Is IPv6 Unique Local Addressing still a thing (or again)? Just because a machine has an IPv6 address does not mean it is automatically routable over the entire Internet.


> exposing your LAN to public routing tables is madness

And I don't understand why people think that.

You are exposing a /64 network. That's 2^64 addresses, no one can scan your LAN if that's what you fear, nor can anyone reach your hosts if you build a stateful firewall that denies incoming connections - you know, just like NAT. But minus the packet modifications.
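
The stateful firewall described in the comment above, written as an nftables ruleset for a router that forwards a globally addressed /64. This is an added example, not part of the thread; the table name and the interface names `lan0` and `wan0` are assumptions.

```nft
# Constructed example: "lan_guard", "lan0" and "wan0" are hypothetical names.
table ip6 lan_guard {
    chain forward {
        # Default-deny: anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows a LAN host opened. "related" also covers
        # ICMPv6 errors (for example packet-too-big) tied to a tracked flow.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open new flows outward. There is no NAT rule, so
        # source and destination addresses are forwarded unmodified.
        iifname "lan0" oifname "wan0" accept

        # New connections arriving on wan0 match nothing above and fall
        # through to the drop policy, whatever address they target.
    }
}
```

With this loaded, LAN hosts keep their global addresses, but a new inbound connection from the WAN side is dropped regardless of whether the sender knows the target address.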


> no one can scan your LAN

Are we really back to security by obscurity? Please don't tell me you are serious.

Anyways, you can't rely on ISPs handing out sufficiently large network ranges to make your security-by-obscurity scheme work.


Are we not _already_ attempting security by obscurity at the very moment we talk about "exposing your LAN" as a supposed weakness of IPv6?

/64 is the smallest network your ISP can hand out, of course you can rely on that. Even my mobile phone is getting a /64 from my ISP.


Using global addresses is not, of course, "exposing your LAN to public routing tables", or any charitable interpretation thereof. Reachability != addressing.


Global addressing is a bug and a ticking time bomb in this case, not a feature.



