On Mon, 2010-12-06 at 16:12 +0100, David Sommerseth wrote:
On 05/12/10 12:50, Rudi Ahlers wrote:

There are some security considerations though, related to stateless auto configuration. Currently whichever client on a local network may start a radvd process which will announce where the default GW can be found - thus redirecting IPv6 traffic via a hostile gateway. But I believe people are trying to solve this as well. One approach is to have an auto-responder which will send out invalidation broadcasts on new router broadcasts. In such a scenario an attacker may do the same as well, and then you're getting closer to the same chaos you may get by having two DHCP servers on the same subnet. However, that issue is only relevant on local networks and can't be performed as an attack from a different subnet.
At least a large part of the solution to that problem is to police the layers below any version of IP. Typically by using 802.1x / EAP to authenticate the client to the switch.
In my point of view, IPv6 is ready for prime-time. CentOS5/RHEL5 and older is not completely up-to-shape, due to the lack of SPI support in iptables. But RHEL6 and the coming CentOS6 should be good to go.
+1
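
A monitoring-side check for the unexpected router advertisements discussed in this thread, as an added example that is not part of either post: it parses ICMPv6 Router Advertisement bodies (RFC 4861 layout) and reports any whose source is not on an allowlist of known routers. The function names, addresses, MACs and prefixes are constructed for illustration, and packet capture itself is left out.

```python
import ipaddress
import struct

RA_TYPE, OPT_SRC_LLADDR, OPT_PREFIX_INFO = 134, 1, 3  # RFC 4861 numbers

def parse_ra(payload):
    """Parse an ICMPv6 Router Advertisement body; None if not a well-formed RA."""
    if len(payload) < 16 or payload[0] != RA_TYPE:
        return None
    lifetime = struct.unpack("!H", payload[6:8])[0]  # >0: sender offers itself as default GW
    ra = {"lifetime": lifetime, "mac": None, "prefixes": []}
    off = 16
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(payload):
            return None  # zero-length or truncated option: discard the packet
        body = payload[off + 2:off + opt_len]
        if opt_type == OPT_SRC_LLADDR and len(body) >= 6:
            ra["mac"] = body[:6].hex(":")
        elif opt_type == OPT_PREFIX_INFO and opt_len == 32:
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        off += opt_len
    return ra

def rogue_ras(packets, allowed_routers):
    """Return (src, mac, lifetime, prefixes) for every RA not sent by a known router."""
    alerts = []
    for src, payload in packets:
        ra = parse_ra(payload)
        if ra is not None and ipaddress.IPv6Address(src) not in allowed_routers:
            alerts.append((src, ra["mac"], ra["lifetime"], ra["prefixes"]))
    return alerts

def sample_ra(mac, prefix, lifetime=1800):
    """Build a constructed RA body (header + source-MAC option + one /64 prefix option)."""
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0)
    lladdr = bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    pinfo = struct.pack("!BBBBII4x", OPT_PREFIX_INFO, 4, 64, 0xC0, 86400, 14400)
    return header + lladdr + pinfo + ipaddress.IPv6Address(prefix).packed

# Constructed sample data: one authorised router and one unexpected advertiser.
ALLOWED = {ipaddress.IPv6Address("fe80::1")}
PACKETS = [
    ("fe80::1", sample_ra("00:00:5e:00:53:01", "2001:db8:1::")),
    ("fe80::99", sample_ra("00:00:5e:00:53:99", "2001:db8:666::")),
]

if __name__ == "__main__":
    for alert in rogue_ras(PACKETS, ALLOWED):
        print("unauthorised RA:", alert)
```

A listener like this only observes the segment; keeping unauthenticated clients off the network in the first place is the job of the layer-2 controls mentioned in the reply.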