Hi Adam,
You can explicitly turn it off on every type of client. Then wait till you want to do it.
agreed. The problem is that you can, and you actually *must* do it. Doing nothing leaves v6 on by default on most modern operating systems.
False. The same firewall rules will apply as before
Unfortunately, this is only theoretically true.
[and NAT isn't pseudo-security - NAT IS *NOT* *NOT* *NOT* A SECURITY FEATURE; please, let's not have to go over that again].
That's the meaning of 'pseudo', isn't it? :-)
Your DOCSIS IPv6 capable black-box will apply the same filters to IPv6 traffic that it does to IPv4 traffic. As will your Vista and Windows 7 workstations.
I'm not talking about host-based packet filtering. Turn on IPv6 on a Cisco box, for example, and none of your packet filters will affect IPv6 traffic. Lots of home/small business routers show the same behaviour, except that you don't even have to turn on IPv6 routing, it's on by default.
There is no such thing as "NAT security" for them to rely on. If that is their security model the administrator is incompetent and should be fired immediately.
Agreed.
be completely exposed to the Internet without any protection,
False.
No. See above.
and the bad thing is that you just don't have to do anything to make it 'work'. From one day to the other, IPv6 connectivity will be there and most people won't even notice until it's too late.
Or they won't notice and have nothing more to worry about than they did before.
Not if they either rely on NAT (which *many* home users do - and they are the security problem with respect to Botnets, not properly managed networks like yours and mine).
Well, don't worry. Because that is exactly what happens. An IPv6 stateful firewall is just as effective as an IPv4 stateful firewall.
Yes, as long as it's there.
Most consumer routers simply mirror the IPv4 and IPv6 filters. If you have a managed network with 'real' routers your administrators have probably already done that; if you are unsure - ask them.
I don't have to, as my introduction of IPv6 was some years ago. Telling people to just sit and wait is the worst you can do - at least I wouldn't trust a 'black box' router as far as I can throw it to actually implement v6 filter rules, especially since many of them are fairly old and not on the latest firmware level.
Best regards,
Peter.
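
Added example, not part of the original message: the point made above, that IPv4 packet filters do nothing for IPv6 unless a matching IPv6 ruleset is actually there, can be checked on a Linux gateway by comparing `iptables-save` and `ip6tables-save` output. The Linux host, the constructed sample dumps and the function names are assumptions; the thread itself talks about Cisco and consumer routers.

```python
import re

# Constructed sample dumps in iptables-save / ip6tables-save format (assumed Linux gateway).
V4_DUMP = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
V6_DUMP = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

POLICY_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[")

def parse_filter_table(dump):
    """Return {chain: {"policy": str, "rules": int}} for the filter table only."""
    chains, in_filter = {}, False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *filter or *nat
            in_filter = (line == "*filter")
        elif not in_filter:
            continue
        elif (m := POLICY_RE.match(line)):  # chain declaration with default policy
            chains[m.group(1)] = {"policy": m.group(2), "rules": 0}
        elif line.startswith("-A "):        # one appended rule
            chain = line.split()[1]
            chains.setdefault(chain, {"policy": "-", "rules": 0})["rules"] += 1
    return chains

def v6_gaps(v4_dump, v6_dump):
    """Chains that are filtered for IPv4 but wide open (ACCEPT, no rules) for IPv6."""
    v4, v6 = parse_filter_table(v4_dump), parse_filter_table(v6_dump)
    gaps = []
    for chain, cfg in v4.items():
        filtered_v4 = cfg["policy"] == "DROP" or cfg["rules"] > 0
        other = v6.get(chain, {"policy": "ACCEPT", "rules": 0})
        if filtered_v4 and other["policy"] == "ACCEPT" and other["rules"] == 0:
            gaps.append(chain)
    return sorted(gaps)

if __name__ == "__main__":
    print("IPv6 filter gaps:", v6_gaps(V4_DUMP, V6_DUMP))
```

An empty result only says that some IPv6 filtering exists on each chain, not that the rules are equivalent to the IPv4 ones.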