
This is lovely for end users but for server admin, how do you firewall countries for IPv6 without memory exhaustion?



What?

Differently from IPv4, IPv6 addresses are strictly hierarchical. You block areas by blocking their root network.

Now, why do you need to firewall entire countries again? Are you working at the Great Firewall of China or some similar project?


How about working for a company with sensitive defense or financial information, for which access from China/Russia/Ukraine is completely unnecessary?

GeoIP blocking is not one's only defense, of course, but it's one of many tools to keep the low-to-mid level groups at bay.


My firewall blocks China, a lot of the former Soviet countries and a few others to block spam and other traffic hitting my home network because I have no legitimate reason to be communicating with them.

But yes, this type of blocking with IPv6 should be easier.


You.. don't track connections? Because why would you?



You block the top-level /16 or whatever has been assigned to the regional registry for the region you want to firewall. Instead of multiple IPv4 ranges you will simply block a single IP/netmask ;-)

Your firewall rules will actually get smaller!
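
An added illustration of the prefix-aggregation point above (not part of the thread and not any commenter's code): a per-allocation IPv6 prefix list is collapsed to its covering prefixes, looked up by prefix length, and rendered as an nftables interval set. The feed is constructed from the 2001:db8::/32 documentation range, and the helper names and set name are hypothetical.

```python
import ipaddress

# Constructed sample feed: documentation prefixes only, not real allocations.
FEED = [
    "2001:db8:0::/48",
    "2001:db8:1::/48",
    "2001:db8:2::/47",
    "2001:db8:2:100::/56",   # already covered by the /47 above
    "2001:db8:8000::/34",
    "2001:db8:c000::/34",
]

def aggregate(prefixes):
    """Merge adjacent and nested prefixes into the smallest covering list."""
    nets = [ipaddress.IPv6Network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))

def build_index(nets):
    """Group network base addresses by prefix length for masked lookups."""
    index = {}
    for n in nets:
        index.setdefault(n.prefixlen, set()).add(int(n.network_address))
    return index

def is_blocked(addr, index):
    """One mask-and-lookup per distinct prefix length, not per rule."""
    a = int(ipaddress.IPv6Address(addr))
    for plen, bases in index.items():
        mask = ((1 << plen) - 1) << (128 - plen)
        if (a & mask) in bases:
            return True
    return False

def nft_set(name, nets):
    """Render a set definition to place inside an nftables table block."""
    elems = ", ".join(str(n) for n in nets)
    return (f"set {name} {{ type ipv6_addr; flags interval; "
            f"elements = {{ {elems} }} }}")

if __name__ == "__main__":
    merged = aggregate(FEED)
    print(len(FEED), "feed entries ->", len(merged), "prefixes")
    print(nft_set("geo6_block", merged))
    idx = build_index(merged)
    for probe in ("2001:db8:3::1", "2001:db8:4::1"):
        print(probe, "blocked" if is_blocked(probe, idx) else "allowed")
```
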


You don't. You fix security more fundamentally instead of doing ham-fisted things like that. IPv6 is going to require that we stop using IP-based hacks as a substitute for actual authentication and robust protocols.



