I should have provided more detail. I am thinking about basic home users - who often rely on their default modem/router setup from their provider - let's say inbound 443 is open, at the very least (statically or can be opened dynamically) so that an attacker can scan my network and find my IPv6 devices. What would I recommend that person do instead (that is doable by the average person)?
For static, inbound 443 should be dropped by the basic home user's default carrier modem setup; only outbound-initiated should be allowed. I'm sure there are some bad home implementations that don't do this by default, as there are on IPv4, but as you say for most users it comes down to whether the provider's default config is bad or not. More advanced users can check and correct the default config if it is bad.
For dynamic, it's not really any different than dynamically opening ports on IPv4: it's convenient for things like peer-to-peer communications and inconvenient for security, but a lot more the former than the latter, so most actually want it. For the static case, you get what you ask for: if it's static then you specifically put effort into making it reachable, so if you don't want it to be statically reachable to everything then just don't statically make it reachable to everything.
Scanning a /64 or even a /56 (which you ought to get from your provider) is infeasible.
Nevertheless, you have the exact same problem already today with IPv4, just with a NAT in between, which is usually replaced with a firewall for IPv6. Also, when a specific device opens up a port via UPnP, it had better do this on purpose.
> who often rely on their default modem/router setup from their provider - let's say inbound 443 is open,
That's not a great assumption to start with.
1. Routers normally come with no inbound possible.
2. Some ISPs will require you to opt into accepting 443 at all.
3. It will be open on the router for one specific device - there's no realistic scenario where your home router is configured to allow 443 to any internal address. (Unless you do that explicitly)
Scanning a /64, /56, or /48 isn't really feasible though. A /64, which IIRC is the smallest IPv6 block handed out to home users, is 18,446,744,073,709,551,616 addresses.
So, an IPv6 2^64 subnet is the same as (2^32)x(2^32), which means (4.3B)x(IPv4 Internet). I.e., a single IPv6 subnet can hold the equivalent of four billion (IPv4) Internets.
--
A second way of thinking about it:
* Stars in the Milky Way: 400 Billion
* Galaxies in the universe: 2 Trillion
So (4x10^11)x(2x10^12)=8x10^23 stars in the universe.
* Size of IPv6 address space: 3.4x10^38
Find the ratio between addresses and stars:
* 3.4x10^38 / 8x10^23
IPv6 offers about 430 trillion times more addresses than estimated stars in the universe.
From Tom Coffee's presentation "An Enterprise IPv6 Address Planning Case-Study"
On the surface of the Earth (land+water), there are 8.4 IPv4 addresses per km^2. Not counting the oceans, that would be 28 IPv4 addresses per km^2 land.
IPv6 gives 10^17 addresses per mm^2 (yes, square millimeter).
In terms of volume, 10^8 IPv6 addresses per mm^3 throughout the Earth.
Can you explain why? I'm under the impression they would most certainly be default reachable. I have limited experience with home routers, so maybe someone else can chime in with more insight, but I'm under the impression most rely on NAT and not an actual firewall to limit what can be reached.
Home routers are stateful devices. In IPv4 this means an internal device opens an internet-bound session and the home router tracks that session, comes up with a NAT mapping, and allows the session bidirectionally until it is closed or times out. In IPv6 this means an internal device opens an internet-bound session and the home router tracks that session and allows the session bidirectionally until it is closed or times out. The only difference between the two is whether translation occurs, not whether inbound traffic is allowed.
In regards to inbound, the differences (again, for home) are simply whether there is a static translation and implied allow to inbound initiate, or whether there is just a static inbound allow.
In IPv4 just relying on NAT and not statefulness is incorrect, any packet that hits your router's external address with an internal destination will just route through. This failure scenario is a bit worse in IPv6 though as it's a lot harder to get a private IP destination very far over the IPv4 internet whereas in IPv6 these are all public. On the other hand you pretty much have to know the IPv6 address you're trying to reach beforehand anyways which means you're either physically attacking (i.e. bigger problems) or the client reached out to you already which limits the scope quite a bit. Either way it's still not secure to just rely on NAT.
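As an added illustration of the stateful-router behaviour described above (this is example configuration written for this thread, not something any commenter posted), here is a minimal nftables forward policy for an IPv6 home router. It assumes "wan0" is the provider-facing interface, "lan0" the inside interface, and uses the documentation prefix 2001:db8:0:1::/64 as a constructed LAN; the single host address is likewise made up.

```nft
#!/usr/sbin/nft -f
# Example IPv6 forward policy for a home router (assumed interfaces:
# wan0 = provider side, lan0 = inside; 2001:db8:0:1::/64 is a constructed
# documentation prefix, not a real deployment).
flush ruleset

table ip6 home {
    chain forward {
        # Default is drop: no translation, no inbound, unless a rule says so.
        type filter hook forward priority 0; policy drop;

        # Sessions the inside opened are tracked by conntrack; their return
        # traffic is the only inbound the router admits by default. This is
        # the IPv6 equivalent of the IPv4 NAT session table, minus the
        # address rewrite.
        ct state established,related accept
        ct state invalid drop

        # Anything the LAN initiates toward the Internet is allowed out.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 error messages must be forwarded or Path MTU discovery
        # breaks; echo requests are allowed but rate limited.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 10/second accept

        # The one explicit "static inbound allow": HTTPS to a single,
        # deliberately chosen host (constructed address). Delete this rule
        # and nothing inside is reachable from wan0; no rule here makes
        # port 443 open to every address in the /64.
        iifname "wan0" ip6 daddr 2001:db8:0:1::10 tcp dport 443 ct state new accept

        # Everything else arriving on wan0 as a new session hits the
        # chain policy and is dropped.
    }
}
```

Load with `nft -f <file>` on a Linux router; the rule order mirrors the thread's point that inbound reachability is an explicit, per-host decision rather than a side effect of having public addresses.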