[CentOS] IPV4 is nearly depleted, are you ready for IPV6?

Bob McConnell rmcconne at lightlink.com
Tue Dec 7 15:49:02 UTC 2010


Gavin Carr wrote:
> On Mon, Dec 06, 2010 at 08:55:17PM -0500, Bob McConnell wrote:
>>> 3) When I connect my IPV6 refrigerator with its automatic inventory
>>> system tracking every RFID-enabled carrot I use, won't I be making my
>>> shopping habits visible to all those annoying advertisers?  Or, in
>>> other words, am I compromising my privacy?  Actually, although such
>>> dissemination of information can be blocked by a correctly designed
>>> firewall, I suspect the "Free IPv6 DSL Modem and Router, Sponsored by
>>> <your-favorite-commercial-site>" that comes with your ISP contract,
>>> would err on the side of promiscuity.
>> Why yes, yes you are giving up some of your privacy. And unless you have
>> the time and are willing and able to learn how to configure firewalls
>> for each device and application you use, or have the money to pay
>> someone else you trust to do it for you, there is very little to protect
>> you from the rest of the world.
> 
> That's at least overstated, and at worst complete FUD. Generic modems and
> routers will be configured as they are now - with stateful firewalls
> blocking all incoming traffic, except for streams initiated internally. 
> Outgoing connections that would have worked before via NAT continue to
> work, but without NAT. Stateful firewalls are still stateful firewalls.
> 
> Where are you giving up some of your privacy? The number of hosts on
> your internal network? So allocate 256 ips (or 65k, if you like) to every
> host and use a random ip from that set for every distinct service or 
> outgoing connection.
> 
> There _is_ more information leakage with ipv6, in the sense that you are 
> using a real ip from an internal machine on the connection. But the 
> point is that the security benefit of that is largely illusory, security
> by obscurity.

No, it is not FUD, it is a real concern by people with much to lose. 
Those of you evangelizing this new, and still unproven technology can't 
seem to recognize this simple fact.

I consider that information leakage to be very significant. It 
advertises the presence of another computer with explicit information on 
where to reach it. Regardless of the firewall, none of which are 
perfect, this increases the exposure of my systems in an adverse 
fashion. It increases my risk of being penetrated by someone I probably 
don't want rummaging around in my files. But I don't see any additional 
protection being offered to replace what is being taken away.

Bob McConnell
N2SPP



More information about the CentOS mailing list