A while ago I got into a discussion with one of my customers regarding IPv6. He told me that one reason not to migrate to IPv6 was security.
– I don't want to tell the entire world what IP addresses I have on my servers. And when using IPv4 and NAT my internal IP addresses are hidden.
The discussion was interrupted and I didn't get any chance to finish it.
When using private IPv4 addresses on your LAN, I can assume that your addresses come from one of the ranges below. So, how many addresses do you have to choose from? Let's count (roughly!):
- 10.0.0.0/8: 256 * 256 * 256 = 16 777 216 available addresses
- 172.16.0.0/12: 16 * 256 * 256 = 1 048 576 available addresses
- 192.168.0.0/16: 256 * 256 = 65 536 available addresses
That gives us a total of 17 891 328 available addresses. That's a lot, isn't it?
But what if you get yourself a nice little pool of IPv6 addresses? For various reasons we can be pretty sure that you will get a /48 network from your ISP. Then you will probably divide this into one or more /64 networks on your internal LAN. So, how many addresses are available then?
First of all, dividing that /48 range into /64 subnets gives you 65 536 different networks. Next, an IPv6 address is 128 bits long. With 64 bits used for the network part, you have 64 bits left for addressing each individual host on your internal network, and 64 bits gives us 18 446 744 073 709 551 616 unique combinations. So that is how many addresses you have available in each subnet when using IPv6.
So, if you see it as a security benefit to hide your sensitive servers' addresses, which do you prefer: IPv4 or IPv6?
If a hacker were to port scan your IPv6 range, how long would it take? Let's assume that he scans 100 addresses per second; then it will take him 5 849 424 173 years(*). Compare that to the 50 hours it takes to port scan all the private IPv4 addresses mentioned above.
And besides, that attack would probably be performed from the Internet. How many public IPv4 addresses do you have? It will be enough to port scan those. 100 addresses per second, you do the math. 🙂
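The arithmetic above, as an added example (not code from the original post), generalised to any prefix length and any scan rate so you can redo the comparison for your own ranges. The 365-day year and the 100 addresses/second rate are the post's own assumptions.

```python
# Added example: address-space and brute-force scan-time arithmetic for the
# RFC 1918 private IPv4 ranges versus a single IPv6 /64, using the standard
# library's ipaddress module. Not part of the original post.
import ipaddress

# The three private IPv4 ranges listed in the post.
PRIVATE_V4 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# The post's figure of 5 849 424 173 years assumes a 365-day year.
SECONDS_PER_YEAR = 365 * 24 * 3600


def address_count(prefix: str) -> int:
    """Number of addresses in a CIDR prefix, IPv4 or IPv6 (2^(bits - prefixlen))."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses


def private_v4_total() -> int:
    """All RFC 1918 addresses combined; the post's 17 891 328."""
    return sum(address_count(p) for p in PRIVATE_V4)


def subnets_in(parent_prefixlen: int, child_prefixlen: int) -> int:
    """How many /child networks fit in one /parent, e.g. /64s in a /48 -> 65536."""
    if child_prefixlen < parent_prefixlen:
        raise ValueError("child prefix must be at least as long as parent")
    return 2 ** (child_prefixlen - parent_prefixlen)


def scan_hours(addresses: int, rate_per_second: int) -> float:
    """Wall-clock hours to touch every address once at a fixed probe rate."""
    return addresses / rate_per_second / 3600


def scan_years(addresses: int, rate_per_second: int) -> float:
    """Same, in (365-day) years; useful once the number of hours is absurd."""
    return addresses / rate_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 100  # probes per second, as assumed in the post
    v4 = private_v4_total()
    v6 = address_count("2001:db8::/64")  # documentation prefix, one /64
    print(f"private IPv4 total : {v4:>26,} -> {scan_hours(v4, rate):.1f} hours")
    print(f"one IPv6 /64       : {v6:>26,} -> {scan_years(v6, rate):,.0f} years")
    print(f"/64 subnets in a /48: {subnets_in(48, 64):,}")
```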