On Mon, 2010-12-06 at 16:12 +0100, David Sommerseth wrote:
> On 05/12/10 12:50, Rudi Ahlers wrote:
>
> There are some security considerations though, related to stateless auto
> configuration. Currently whichever client on a local network may start
> a radvd process which will announce where the default GW can be found -
> thus redirecting IPv6 traffic via a hostile gateway. But I believe
> people are trying to solve this as well. One approach is to have an
> auto-responder which will send out invalidation broadcasts on new router
> broadcasts. In such a scenario an attacker may do the same as well, and
> then you're getting closer to the same chaos you may get by having two
> DHCP servers on the same subnet.
>
> However, that issue is only relevant on local networks and can't be
> performed as an attack from a different subnet.

At least a large part of the solution to that problem is to police the
layers below any version of IP. Typically by using 802.1x / EAP to
authenticate the client to the switch.

> In my point of view, IPv6 is ready for prime-time. CentOS5/RHEL5 and
> older is not completely up-to-shape, due to the lack of SPI support in
> iptables. But RHEL6 and the coming CentOS6 should be good to go.

+1
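
A passive check for the unexpected router advertisement case discussed in this thread, as an added example that is not part of the original messages: it parses an ICMPv6 Router Advertisement body (RFC 4861) and compares the sender against an allow-list. The function names, the allow-list and the sample packets are assumptions; the packets are constructed with documentation addresses and MACs.

```python
import ipaddress
import struct

RA_TYPE = 134                # ICMPv6 Router Advertisement (RFC 4861)
OPT_SLLA, OPT_PREFIX = 1, 3  # source link-layer address, prefix information

def parse_ra(icmp6: bytes) -> dict:
    """Parse an RA body, starting at the ICMPv6 type byte."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    lifetime, = struct.unpack_from("!H", icmp6, 6)
    ra = {"router_lifetime": lifetime, "mac": None, "prefixes": []}
    off = 16
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-octet units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        body = icmp6[off:off + opt_len]
        if opt_type == OPT_SLLA and opt_len == 8:
            ra["mac"] = body[2:8].hex(":")
        elif opt_type == OPT_PREFIX and opt_len == 32:
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            ra["prefixes"].append(str(net))
        off += opt_len
    return ra

def check_ra(src: str, icmp6: bytes, known_routers: set) -> list:
    """Return findings for an RA seen from link-local source address src."""
    ra = parse_ra(icmp6)
    findings = []
    if (src, ra["mac"]) not in known_routers:
        findings.append(f"RA from unlisted router {src} ({ra['mac']}): {ra['prefixes']}")
        if ra["router_lifetime"] > 0:
            findings.append("unlisted sender offers itself as default gateway")
    elif ra["router_lifetime"] == 0:
        # Lifetime 0 withdraws the default route; confirm it was intended.
        findings.append(f"known router {src} announced lifetime 0")
    return findings

def build_ra(lifetime: int, mac: str, prefix: str, plen: int) -> bytes:
    """Constructed sample input only: RA header + SLLA option + prefix option."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0)
    slla = bytes([OPT_SLLA, 1]) + bytes.fromhex(mac.replace(":", ""))
    pio = struct.pack("!BBBBIII", OPT_PREFIX, 4, plen, 0xC0, 86400, 14400, 0)
    return hdr + slla + pio + ipaddress.IPv6Address(prefix).packed

if __name__ == "__main__":
    known = {("fe80::1", "00:00:5e:00:53:01")}          # constructed allow-list
    pkt = build_ra(1800, "00:00:5e:00:53:66", "2001:db8:bad::", 64)
    print(check_ra("fe80::66", pkt, known))
```
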