[CentOS] IPV4 is nearly depleted, are you ready for IPV6?

Mon Dec 6 15:12:33 UTC 2010
David Sommerseth <dazo at users.sourceforge.net>

On 05/12/10 12:50, Rudi Ahlers wrote:
> Seeing as IPV4 is near its end of life
> (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm),
> I'm curious to know whether everyone is ready for the changeover to
> IPV6?
> 
> Is anyone using it in production already, and what are your experiences with it?
> 

I am using IPv6 quite frequently now, mostly at home where I use
Hurricane Electric/Tunnelbroker, configured on an OpenWRT router.  I have
full stateless autoconfiguration running and all connected devices get
IPv6 access instantly.  I even have an IPv6 enabled OpenVPN server
running on this router, so I get IPv6 access via this router and to my
internal boxes as well.

I also have a CentOS5.5 firewall which I connect to via SSH over IPv6 on
a remote site.  I have not implemented IPv6 support internally on that
site, due to the lack of proper stateful packet inspection (SPI) in
iptables.  That's why I'm waiting for CentOS6, as that will remove this
obstacle.  SPI support came first in 2.6.20-something for IPv6 and it's
been considered too hard to backport that feature to the 2.6.18 kernels
which RHEL5/CentOS5 is based on.  However, stateless firewalling does work.

Further I have a Gentoo based firewall on yet another remote site, which
does have a 2.6.30-something kernel with proper IPv6 SPI support in
iptables.  At the moment I'm only accessing it via SSH over IPv6, but I'm
working on setting up IPv6 access for VPN, http/https and e-mail
services there.

There are some security considerations though, related to stateless auto
configuration.  Currently whichever client on a local network may start
a radvd process which will announce where the default GW can be found -
thus redirecting IPv6 traffic via a hostile gateway.  But I believe
people are trying to solve this as well.  One approach is to have an
auto-responder which will send out invalidation broadcasts on new router
broadcasts.  In such a scenario an attacker may do the same as well, and
then you're getting closer to the same chaos you may get by having two
DHCP servers on the same subnet.

However, that issue is only relevant on local networks and can't be
performed as an attack from a different subnet.

From my point of view, IPv6 is ready for prime-time.  CentOS5/RHEL5 and
older are not completely up-to-shape, due to the lack of SPI support in
iptables.  But RHEL6 and the coming CentOS6 should be good to go.


kind regards,

David Sommerseth
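The rogue Router Advertisement problem David describes above (any host on the link can announce itself as the default gateway, and an "invalidation" RA with router lifetime 0 can just as easily be forged) is something a network operator can at least detect from the monitoring side. The following is an added example, not code from the thread or from any of the projects mentioned: it parses the ICMPv6 body of Router Advertisements (RFC 4861 message type 134, with the Prefix Information and Source Link-Layer Address options) and audits each observed RA against a list of routers and prefixes the operator trusts. The link-local source addresses, MAC addresses and prefixes in the sample data are constructed; the trusted lists and the idea that the RA bodies have already been captured by a sniffer are assumptions of the example.

```python
import struct
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 section 4.2
OPT_SOURCE_LLADDR = 1               # RFC 4861 section 4.6.1
OPT_PREFIX_INFO = 3                 # RFC 4861 section 4.6.2


@dataclass
class RouterAdvertisement:
    router_lifetime: int            # seconds; 0 means "I am not a default router"
    managed_flag: bool              # M bit: addresses via DHCPv6
    other_flag: bool                # O bit: other config via DHCPv6
    prefixes: List[ipaddress.IPv6Network] = field(default_factory=list)
    source_mac: Optional[str] = None


def parse_ra(payload: bytes) -> RouterAdvertisement:
    """Parse the ICMPv6 body of a Router Advertisement; raise ValueError on malformed input."""
    if len(payload) < 16:
        raise ValueError("RA header too short")
    msg_type, code, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = RouterAdvertisement(lifetime, bool(flags & 0x80), bool(flags & 0x40))
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:                      # RFC 4861 requires discarding such packets
            raise ValueError("zero-length option")
        end = off + opt_len * 8               # option length is in units of 8 octets
        if end > len(payload):
            raise ValueError("truncated option")
        body = payload[off + 2:end]
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            # body: prefix length(1) flags(1) valid(4) preferred(4) reserved(4) prefix(16)
            ra.prefixes.append(ipaddress.IPv6Network((body[14:30], body[0]), strict=False))
        elif opt_type == OPT_SOURCE_LLADDR and opt_len == 1:
            ra.source_mac = ":".join(f"{b:02x}" for b in body[:6])
        off = end                              # unknown options are skipped, per RFC 4861
    return ra


def build_ra(router_lifetime: int, prefix: str, mac: str) -> bytes:
    """Build a constructed sample RA body (checksum left 0; it is not verified here)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                      router_lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    sll = bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    return hdr + pio + sll


def audit_ras(observed: List[Tuple[str, bytes]], trusted_routers: List[str],
              trusted_prefixes: List[str]) -> List[Tuple[str, str]]:
    """Return (source address, finding) pairs for RAs that deviate from the trusted setup."""
    trusted = {ipaddress.IPv6Address(a) for a in trusted_routers}
    known_prefixes = [ipaddress.IPv6Network(p) for p in trusted_prefixes]
    findings = []
    for src, payload in observed:
        try:
            ra = parse_ra(payload)
        except ValueError as err:
            findings.append((src, f"malformed RA: {err}"))
            continue
        src_addr = ipaddress.IPv6Address(src)
        if src_addr not in trusted:
            findings.append((src, "RA from unknown router (possible rogue default gateway)"))
        elif ra.router_lifetime == 0:
            # A trusted router withdrawing itself is rare; a forged withdrawal looks identical.
            findings.append((src, "trusted router announced lifetime 0 (withdrawal or spoof)"))
        for prefix in ra.prefixes:
            if prefix not in known_prefixes:
                findings.append((src, f"unexpected prefix {prefix}"))
    return findings


# Constructed sample capture: (link-local source, ICMPv6 body). Only fe80::1 is the real router.
SAMPLE_RAS = [
    ("fe80::1",         build_ra(1800, "2001:db8:1::/64",   "00:11:22:33:44:55")),
    ("fe80::dead:beef", build_ra(1800, "2001:db8:bad::/64", "66:77:88:99:aa:bb")),
    ("fe80::1",         build_ra(0,    "2001:db8:1::/64",   "66:77:88:99:aa:bb")),
]
TRUSTED_ROUTERS = ["fe80::1"]
TRUSTED_PREFIXES = ["2001:db8:1::/64"]


def audit_sample() -> List[Tuple[str, str]]:
    return audit_ras(SAMPLE_RAS, TRUSTED_ROUTERS, TRUSTED_PREFIXES)


if __name__ == "__main__":
    for src, finding in audit_sample():
        print(f"{src}: {finding}")
```

Running it reports the second RA twice (unknown router and unexpected prefix) and the third once (a lifetime-0 announcement carrying the trusted router's source address but a different MAC). The MAC mismatch on that third packet is exactly the kind of extra signal a real monitor would correlate; here it is left visible in `source_mac` rather than turned into a rule, since on a bridged or virtualised link the legitimate MAC is not always stable.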