On Sat, Mar 31, 2012 at 11:37 AM, Les Mikesell <lesmikesell@gmail.com> wrote:
> On Sat, Mar 31, 2012 at 8:06 AM, Peter Eckel <lists@eckel-edv.de> wrote:
>>> Any recent computer or distribution is sitting there quietly waiting for its IPv6 address to arrive - probably automatically, via auto discovery. Clients are trivial.
>>
>> ... and that is EXACTLY the biggest problem with IPv6.
>>
>> 'Introducing' IPv6 happens automatically in most cases, and inadvertently as well. The moment ISPs start supporting IPv6 for their customers will be a security nightmare, because IPv6 firewalls will not be configured on most networks, and the pseudo-security of NAT will no longer be in effect.
>>
>> In fact, a very large number of networks (especially those currently relying on NAT 'security') will be completely exposed to the Internet without any protection, and the bad thing is that you just don't have to do anything to make it 'work'. From one day to the other, IPv6 connectivity will be there and most people won't even notice until it's too late.
>>
>> One may only hope that home router manufacturers will deliver standard configurations with all incoming IPv6 traffic (except answers to outgoing packets, obviously) blocked by default, but I'm not very optimistic :-(
>>
>> So, before you do anything else, set up proper incoming and outgoing IPv6 port filtering rules on your perimeter routers. It will save you a hell of a headache.
>
> If the addresses are auto-discovered, how are you supposed to be able to configure filtering rules for what you want to let through?
The address is generated from the prefix advertised by the router and the MAC address. Later versions of Windows generate a temporary random address to increase privacy, which can be disabled. Of course you can still assign static IPv6 addresses. I have done this for servers so I can easily identify them, as I use the last IPv4 octet in the IPv6 address.
Ryan
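Added example (not from any poster in this thread): the two address schemes Ryan describes, worked in Python so an administrator can pre-compute the addresses of known hosts for firewall rules and recognise EUI-64-derived versus privacy addresses in logs. The prefix 2001:db8:1::/64 and the MAC are constructed sample values.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291) derived from a 48-bit MAC."""
    octets = bytes(int(b, 16) for b in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert 0xFFFE between the OUI and the NIC-specific half,
    # then flip the universal/local bit (bit 1 of the first octet).
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host self-configures from the advertised /64 and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def static_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Static server address whose last group carries the host's last IPv4 octet."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    last_octet = ipaddress.IPv4Address(ipv4).packed[-1]
    return ipaddress.IPv6Address(int(net.network_address) | last_octet)


def is_eui64(addr: str) -> bool:
    """True when the interface id carries the 0xFFFE marker of an EUI-64 address.

    A privacy (temporary) address or a static one will normally return False,
    so this is a cheap way to tell them apart when reading logs.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    return iid[3:5] == b"\xff\xfe"


if __name__ == "__main__":
    # Constructed sample values: documentation prefix, arbitrary MAC and IPv4 host.
    print(slaac_address("2001:db8:1::/64", "00:1a:2b:3c:4d:5e"))
    print(static_address("2001:db8:1::/64", "192.0.2.17"))
```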