[CentOS] IPV4 is nearly depleted, are you ready for IPV6?

Adam Tauno Williams awilliam at whitemice.org
Tue Dec 7 16:07:53 UTC 2010


On Tue, 2010-12-07 at 10:49 -0500, Bob McConnell wrote: 
> > There _is_ more information leakage with ipv6, in the sense that you are 
> > using a real ip from an internal machine on the connection. But the 
> > point is that the security benefit of that is largely illusory, security
> > by obscurity.
> No, it is not FUD, 

It is FUD.

> it is a real concern by people with much to lose. 
> Those of you evangelizing this new, and still unproven technology can't 
> seem to recognize this simple fact.

Calling IPv6 "unproved" is absurd.  It is widely deployed and used
extensively.  Security is/was taken very seriously in the design. 

> I consider that information leakage to be very significant. 

You have a huge address pool - periodically change your address if you
feel that is significant.  That certainly adds more obfuscation than
IPv4 NAT ever did.

> It advertises the presence of another computer with explicit information on 
> where to reach it.

You already do that with every e-mail message and HTTP request.  Do you
obscure the User-Agent string in all your traffic?   (You're not using
Thunderbird 2.0.0.24 in X-Windows?) Because that information is just as
[if not more] valuable to a potential attacker than your firewalled
address.

> It increases my risk of being penetrated by someone I probably 
> don't want rummaging around in my files. But I don't see any additional 
> protection being offered to replace what is being taken away.

You are on a network - you can always disconnect the drive.  If you
really feel *NAT* is really that critical to hiding your data this seems
a very reasonable option.  Because NAT is providing only an extremely
trivial additive to security you feel you need.



