First thing I said when I came in - glad to see others say the same!
I just figured out I can run IPV6 hosts at home on Comcast and ping them from an IPV6 ping gateway page. I'm still scratching my head on how that works and whether or not my router allows all IPV6 packets inbound to all hosts. Tried to test on AWS, but that's not working. Went to my DO account, and still no support.
Rackspace supports IPV6, but I think something wonky happened to my account when I was testing the developer credits for them. I need to get it fixed.
Anyone have IPV6 at home and want to help me test it?
Called Rackspace support. Turns out I owed them $7 due to a bad card number. Signed back up with the developer's discount! I really appreciate the fact Rackspace has added support for IPV6.
I wasn't aware of this, and perhaps it's a 'feature', but all my boxes in my house are wide open to the Internet over it. Investigating...
Depending on what your router is running (hopefully OpenWRT), ping6/ICMPv6 should be allowed to any host by default. Check out your firewall rules and see what it says there. ICMPv6 is an important part of IPv6, and in general not being able to ping something isn't really a security gain, so much as a usability loss.
On my OpenWRT setup, the default is to rate limit ICMPv6 to 1000 requests/second and to limit the response types.
I'm able to SSH into my internal servers. Configuring OpenStack now to provision the addresses for instances as well.
I have an Asus RT-AC66U. Tried to flash with OpenWRT and a few others and failed a few months ago. It would appear it DOES NOT have a firewall enabled, so I'm wide open, so to speak.
Yeah, I think this is an issue with the router (I have it too). I was using a tunnel and had to turn it off because you can't get it to go through the firewall.
I think you can fix it if you telnet into it and manually set up iptables properly, but it overwrites the configuration on update.
Pretty poor form that ASUS haven't fixed that yet... It's annoying because otherwise it's a very nice router.
Ooh, that's not good. I would suggest you put up a firewall directly on as many devices as you can. Then, try to get a router upgrade, or a router that can handle an IPv6 firewall. I think I know the router you have and I believe TomatoUSB can run on it, which has ip6tables installed.
I know it seems like it's not good, but I was thinking about it and even with Comcast's /64 aggregate, I have a billion BILLION addresses available inside my network. If you could scan at a billion addresses a second, it would take 30 years to scan all of Comcast's IPV6 addresses. That's crazy.
Well, not really. The first 64 bits are not all possible. They are subdivided, since some addresses are link-local, some are multicast, etc. Then, Comcast only has a certain allocation of that. On top of that, could one find a pattern in how they allocate their addresses?
The second 64 bits are also not quite random. Most of your devices will autoconfigure using radvd. This means that the second 64 bits depend on their MAC address. Now, if I knew of an exploit to, say, a printer or a NAS device, I would know the MAC address range. My guess is that I could probably reduce the 128 bit address space to something like 100 or even 90 bits.
Second, and this makes all the above a moot point, don't your devices connect to the internet? Any time they connect to a site, that site knows the IP address and that data may be used either explicitly or leaked and used by someone else. Everyone between you and the site also knows the address.
Lastly, if you ever set up a DNS record for any of these addresses, they are then visible to others even with some scanning if you don't ever publish the actual names.
Long story short, there is hoping you don't get hacked and there is knowing you have a firewall that only allows what you want in.
Sure... got a bunch of VMs & machines I can test from.
But first order you could just traceroute with Sixxs[0]. That way you will at least know if the icmp6 packets reach their target unharmed. Your router might still be blocking all incoming connections per default (which is probably a good idea for home networks).