On 05/12/10 12:50, Rudi Ahlers wrote:
Seeing as IPv4 is near its end of life (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Day...), I'm curious to know whether everyone is ready for the changeover to IPv6?
Is anyone using it in production already, and what are your experiences with it?
I am using IPv6 quite frequently now, mostly at home where I use Hurricane Electric/Tunnelbroker, configured on an OpenWRT router. I have full stateless autoconfiguration running and all connected devices get IPv6 access instantly. I even have an IPv6-enabled OpenVPN server running on this router, so I get IPv6 access via this router and to my internal boxes as well.
I also have a CentOS 5.5 firewall on a remote site which I connect to via SSH over IPv6. I have not implemented IPv6 support internally on that site, due to the lack of proper stateful packet inspection (SPI) in iptables. That's why I'm waiting for CentOS 6, as that will remove this obstacle. SPI support for IPv6 first came in 2.6.20-something, and it's been considered too hard to backport that feature to the 2.6.18 kernels which RHEL5/CentOS5 are based on. However, stateless firewalling does work.
Further, I have a Gentoo-based firewall on yet another remote site, which does have a 2.6.30-something kernel with proper IPv6 SPI support in iptables. At the moment I'm only accessing it via SSH over IPv6, but I'm working on setting up IPv6 access for VPN, http/https and e-mail services there.
There are some security considerations though, related to stateless autoconfiguration. Currently any client on a local network may start a radvd process which will announce where the default GW can be found, thus redirecting IPv6 traffic via a hostile gateway. But I believe people are trying to solve this as well. One approach is to have an auto-responder which will send out invalidation broadcasts on new router broadcasts. In such a scenario an attacker may do the same as well, and then you're getting closer to the same chaos you may get by having two DHCP servers on the same subnet.
However, that issue is only relevant on local networks and can't be performed as an attack from a different subnet.
From my point of view, IPv6 is ready for prime time. CentOS5/RHEL5 and older are not completely up to shape, due to the lack of SPI support in iptables. But RHEL6 and the coming CentOS6 should be good to go.
kind regards,
David Sommerseth
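The rogue-RA concern raised above, and the reason it stays confined to the local link, can be made concrete with a small detector. The following is an added example, not code from the thread or from radvd: it builds a few constructed IPv6 packets carrying ICMPv6 Router Advertisements (the checksum is left at zero since the checker does not validate it), parses them, and flags any RA that comes from a router not on an allow-list, that has a non-link-local source, or whose hop limit is not 255. The latter two checks are the RFC 4861 validation rules that make an RA from another subnet undeliverable; the allow-list (`ALLOWED_ROUTERS`, an assumed value) is what catches a radvd started on an unexpected host, including one sending lifetime-0 "invalidation" RAs to withdraw the real gateway.

```python
import struct
import ipaddress

ICMPV6 = 58                 # IPv6 next-header value for ICMPv6
ROUTER_ADVERTISEMENT = 134  # ICMPv6 type for a Router Advertisement (RFC 4861)
ALL_NODES = "ff02::1"       # link-local all-nodes multicast, where RAs are sent


def build_ra(src, dst, router_lifetime, hop_limit=255):
    """Construct a minimal IPv6 packet carrying an ICMPv6 Router Advertisement.

    Used here only to fabricate sample input; the ICMPv6 checksum is left
    as zero because check_ra() does not validate it.
    """
    # RA body (16 bytes, no options): type, code, checksum, cur hop limit,
    # flags, router lifetime, reachable time, retrans timer.
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                       router_lifetime, 0, 0)
    # IPv6 header: version 6 (+ zero traffic class/flow label), payload
    # length, next header, hop limit, then source and destination.
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + icmp


def parse_ra(packet):
    """Return (src, hop_limit, router_lifetime) for an RA, else None."""
    if len(packet) < 56:  # 40-byte IPv6 header + 16-byte RA body
        return None
    first, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first >> 28 != 6 or next_hdr != ICMPV6:
        return None
    src = ipaddress.IPv6Address(packet[8:24])
    icmp = packet[40:40 + payload_len]
    if len(icmp) < 16 or icmp[0] != ROUTER_ADVERTISEMENT:
        return None
    router_lifetime = struct.unpack("!H", icmp[6:8])[0]
    return src, hop_limit, router_lifetime


def check_ra(packet, allowed_routers):
    """Classify one RA against an allow-list of router link-local addresses.

    Returns a list of findings (empty means the RA looks legitimate), or
    None if the packet is not a Router Advertisement at all.
    """
    parsed = parse_ra(packet)
    if parsed is None:
        return None
    src, hop_limit, lifetime = parsed
    allowed = {ipaddress.IPv6Address(a) for a in allowed_routers}
    findings = []
    # RFC 4861 section 6.1.2: hosts discard RAs whose source is not
    # link-local or whose hop limit is not 255. Either condition fails for a
    # packet that crossed a router, which is why a rogue RA is a local-link
    # problem only.
    if not src.is_link_local:
        findings.append("source %s is not link-local" % src)
    if hop_limit != 255:
        findings.append("hop limit %d is not 255" % hop_limit)
    if src not in allowed:
        findings.append("unknown router %s" % src)
        if lifetime == 0:
            findings.append("lifetime 0: withdraws a default route")
        else:
            findings.append("advertises itself as default gateway for %ds" % lifetime)
    return findings


# Constructed sample traffic: the legitimate router and three unwanted RAs.
ALLOWED_ROUTERS = ["fe80::1"]  # assumed link-local address of the real gateway
SAMPLES = {
    "legit":    build_ra("fe80::1", ALL_NODES, 1800),
    "rogue":    build_ra("fe80::dead:beef", ALL_NODES, 1800),
    "withdraw": build_ra("fe80::dead:beef", ALL_NODES, 0),
    "offlink":  build_ra("2001:db8::1", ALL_NODES, 1800, hop_limit=64),
}


def audit(samples=SAMPLES, allowed=ALLOWED_ROUTERS):
    """Run check_ra over every sample and map its name to the findings."""
    return {name: check_ra(pkt, allowed) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print("%-9s %s" % (name, "OK" if not findings else "; ".join(findings)))
```

On a real network the same `check_ra()` logic would be fed frames captured from the link (for example via a raw socket or a pcap reader) rather than the constructed samples, and an alert on "unknown router" is the signal that the auto-responder approach described above, or a switch-level RA filter, should act on.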