[CentOS] IPV4 is nearly depleted, are you ready for IPV6?

Mon Dec 6 15:16:57 UTC 2010
Adam Tauno Williams <awilliam at whitemice.org>

On Mon, 2010-12-06 at 16:12 +0100, David Sommerseth wrote: 
> On 05/12/10 12:50, Rudi Ahlers wrote:
> There are some security considerations though, related to stateless auto
> configuration.  Currently whichever client on a local network may start
> a radvd process which will announce where the default GW can be found -
> this redirecting IPv6 traffic via a hostile gateway.  But I believe
> people are trying to solve this as well.  One approach is to have an
> auto-responder which will send out invalidation broadcasts on new router
> broadcasts.  In such a scenario an attacker may do the same as well, and
> then you're getting closer to the same chaos you may get by having two
> DHCP servers on the same subnet.
> However, that issue is only relevant on local networks and can't be
> performed as an attack from a different subnet.

At least a large part of the solution to that problem is to police the
layers below any version of IP. Typically by using 802.1x / EAP to
authenticate the client to the switch. 

> In my point of view, IPv6 is ready for prime-time.  CentOS5/RHEL5 and
> older is not completely up-to-shape, due to the lack of SPI support in
> iptables.  But RHEL6 and the coming CentOS6 should be good to go.