[CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Adam Tauno Williams
awilliam at whitemice.org
Mon Dec 6 15:16:57 UTC 2010
On Mon, 2010-12-06 at 16:12 +0100, David Sommerseth wrote:
> On 05/12/10 12:50, Rudi Ahlers wrote:
> There are some security considerations though, related to stateless auto
> configuration. Currently whichever client on a local network may start
> a radvd process which will announce where the default GW can be found -
> this redirecting IPv6 traffic via a hostile gateway. But I believe
> people are trying to solve this as well. One approach is to have an
> auto-responder which will send out invalidation broadcasts on new router
> broadcasts. In such a scenario an attacker may do the same as well, and
> then you're getting closer to the same chaos you may get by having two
> DHCP servers on the same subnet.
> However, that issue is only relevant on local networks and can't be
> performed as an attack from a different subnet.
At least a large part of the solution to that problem is to police the
layers below any version of IP. Typically by using 802.1x / EAP to
authenticate the client to the switch.
> In my point of view, IPv6 is ready for prime-time. CentOS5/RHEL5 and
> older is not completely up-to-shape, due to the lack of SPI support in
> iptables. But RHEL6 and the coming CentOS6 should be good to go.
+1
More information about the CentOS
mailing list