On Sat, 2012-03-31 at 15:06 +0200, Peter Eckel wrote:
Hi Adam,
And recent computer or distributions is sitting their quietly waiting for it's IPv6 address to arrive - probably automatically, via auto discovery. Clients are trivial.
... and that is EXACTLY the biggest problem with IPv6.
You can explicitly turn in off on every type of client. Then wait till you want to do it.
'Introducing' IPv6 happens automatically in most cases, and inadvertently as well. The moment ISPs will start supporting IPv6 for their customers will be a security nightmare, because IPv6 firewalls will not be configured on most networks, and the pseudo-security of NAT will no longer be in effect.
False. The same firewall rules will apply as before [and NAT isn't psuedo-security - NAT IS *NOT* *NOT* *NOT* A SECURITY FEATURE; please, let's not have to go over that again].
Your DOCSIS IPv6 capable black-box will apply the same filters to IPv6 traffic that it does to IPv4 traffic. As will you Vista and Windows 7 workstations.
In fact, a very large number of networks (especially those currently relying on NAT 'security')
There is no such thing as "NAT security" for them to rely on. If that is their security model the administrator is incompetent and should be fired immediately.
will be completely exposed to the Internet without any protection,
False.
and the bad thing is that you just don't have to do anything to make it 'work'. From one day to the other, IPv6 connectivity will be there and most people won't even notice until it's too late.
Or they won't notice and have nothing more to worry about than they did before.
One may only hope that home router manufacturers will deliver standard configurations with all incoming IPv6 traffic (except answers to outgoing packets, obviously) blocked by default, but I'm not very optimistic :-(
Well, don't worry. Because that is exactly what happens. An IPv6 stateful firewall is just as effective as an IPv4 stateful firewall.
So, before you do anything else, set up proper incoming and outgoing IPv6 port filtering rules on your perimeter routers. It will save you a hell of a headache.
Most just consumer routers simply mirror the IPv4 and IPv6 filters. If you have a managed network with 'real' routers your administrators have probably already done that; if you are unsure - ask them.