[CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Adam Tauno Williams
awilliam at whitemice.org
Tue Dec 7 16:07:53 UTC 2010
On Tue, 2010-12-07 at 10:49 -0500, Bob McConnell wrote:
> > There _is_ more information leakage with ipv6, in the sense that you are
> > using a real ip from an internal machine on the connection. But the
> > point is that the security benefit of that is largely illusory, security
> > by obscurity.
> No, it is not FUD,
It is FUD.
> it is a real concern by people with much to lose.
> Those of you evangelizing this new, and still unproven technology can't
> seem to recognize this simple fact.
Calling IPv6 "unproved" is absurd. It is widely deployed and used
extensively. Security is/was taken very seriously in the design.
> I consider that information leakage to be very significant.
You have a huge address pool - periodically change your address if you
feel that is significant. That certainly adds more obfuscation than
IPv4 NAT ever did.
> It advertises the presence of another computer with explicit information on
> where to reach it.
You already do that with every e-mail message and HTTP request. Do you
obscure the User-Agent string in all your traffic? (You're not using
Thunderbird 2.0.0.24 in X-Windows?) Because that information is just as
[if not more] valuable to a potential attacker than your firewalled
address.
> It increases my risk of being penetrated by someone I probably
> don't want rummaging around in my files. But I don't see any additional
> protection being offered to replace what is being taken away.
You are on a network - you can always disconnect the drive. If you
really feel *NAT* is really that critical to hiding your data this seems
a very reasonable option. Because NAT is providing only an extremely
trivial additive to security you feel you need.