[CentOS] transition to ip6

Mon Apr 2 10:12:37 UTC 2012
Peter Eckel <lists at eckel-edv.de>


Hi Adam, 

> You can explicitly turn in off on every type of client.  Then wait till
> you want to do it.

agreed. The problem is that you can, and you actually *must* do it. Doing nothing leaves v6 on by default on most modern operating systems. 

> False.  The same firewall rules will apply as before

Unfortunately, this is only theoretically true. 

> [and NAT isn't pseudo-security - NAT IS *NOT* *NOT* *NOT* A SECURITY
> FEATURE; please, let's not have to go over that again].

That's the meaning of 'pseudo', isn't it? :-)

> Your DOCSIS IPv6 capable black-box will apply the same filters to IPv6
> traffic that it does to IPv4 traffic.  As will your Vista and Windows 7
> workstations.

I'm not talking about host-based packet filtering. Turn on IPv6 on a Cisco box, for example, and none of your packet filters will affect IPv6 traffic. Lots of home/small business routers show the same behaviour, except that you don't even have to turn on IPv6 routing, it's on by default. 

> There is no such thing as "NAT security" for them to rely on.  If that
> is their security model the administrator is incompetent and should be
> fired immediately.


>> be completely exposed to the Internet without any protection,
> False.

No. See above.

>> and the bad thing is that you just don't have to do anything to make
>> it 'work'. From one day to the other, IPv6 connectivity will be there
>> and most people won't even notice until it's too late. 
> Or they won't notice and have nothing more to worry about than they did
> before.

Not if they either rely on NAT (which *many* home users do - and they are the security problem with respect to botnets, not properly managed networks like yours and mine).

> Well, don't worry.  Because that is exactly what happens.  An IPv6
> stateful firewall is just as effective as an IPv4 stateful firewall.

Yes, as long as it's there. 

> Most consumer routers simply mirror the IPv4 and IPv6 filters.  If
> you have a managed network with 'real' routers your administrators have
> probably already done that; if you are unsure - ask them.

I don't have to, as my introduction of IPv6 was some years ago. Telling people to just sit and wait is the worst you can do - at least I wouldn't trust a 'black box' router as far as I can throw it to actually implement v6 filter rules, especially since many of them are fairly old and not on the latest firmware level. 

Best regards, 

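The point of the thread is that IPv4 filters say nothing about IPv6: a host or router can have a tight `iptables` ruleset and a wide-open `ip6tables` table at the same time. The script below is an added example (not from the list or from any CentOS tooling) that audits exactly that gap on a CentOS-style host. It parses `iptables-save` and `ip6tables-save` dumps (the three dumps embedded here are constructed samples, not output from anyone's real system), compares chain policies and stateful rules between the two families, and also flags a blindly mirrored IPv6 table that forgets to admit ICMPv6, without which neighbour discovery stops working. The function names and finding strings are my own.

```python
"""Audit whether the IPv6 filter table mirrors the IPv4 one.

Input is the text produced by `iptables-save` / `ip6tables-save`
(e.g. `audit(open('/tmp/v4').read(), open('/tmp/v6').read())`).
Only the *filter table is inspected.
"""
import re

# Constructed sample: a typical stateful default-deny IPv4 host firewall.
IPV4_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Constructed sample: the IPv6 side nobody touched, everything accepted.
IPV6_UNFILTERED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed sample: IPv4 rules mirrored, plus the ICMPv6 rule IPv6 needs.
IPV6_MIRRORED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


def parse_filter_table(dump):
    """Return (policies, rules) for the *filter table of a *-save dump."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith('*'):          # table header, e.g. *filter / *nat
            in_filter = (line == '*filter')
            continue
        if not in_filter or not line or line.startswith('#'):
            continue
        if line == 'COMMIT':
            in_filter = False
            continue
        m = re.match(r':(\S+)\s+(\S+)', line)   # ":CHAIN POLICY [pkts:bytes]"
        if m:
            policies[m.group(1)] = m.group(2)
        elif line.startswith('-A '):
            rules.append(line)
    return policies, rules


def _stateful(rules):
    """True if some rule accepts RELATED,ESTABLISHED via the state/conntrack match."""
    return any('ESTABLISHED' in r and ('--state' in r or '--ctstate' in r)
               for r in rules)


def audit(v4_dump, v6_dump):
    """Return a list of findings where the IPv6 filter is weaker than IPv4."""
    p4, r4 = parse_filter_table(v4_dump)
    p6, r6 = parse_filter_table(v6_dump)
    findings = []
    for chain in ('INPUT', 'FORWARD'):
        if p4.get(chain) == 'DROP' and p6.get(chain) != 'DROP':
            findings.append(f"{chain}: IPv4 policy DROP but IPv6 policy "
                            f"{p6.get(chain, 'missing')}")
    if _stateful(r4) and not _stateful(r6):
        findings.append("IPv6 filter has no stateful RELATED,ESTABLISHED rule")
    if r4 and not r6:
        findings.append("IPv6 filter table has no rules at all")
    # A mirrored default-deny INPUT must still admit ICMPv6, otherwise
    # neighbour discovery (the IPv6 equivalent of ARP) breaks.
    if p6.get('INPUT') == 'DROP' and not any(
            '-p ipv6-icmp' in r or '-p icmpv6' in r for r in r6):
        findings.append("IPv6 INPUT policy is DROP but no ICMPv6 accept rule "
                        "(neighbour discovery will break)")
    return findings


if __name__ == '__main__':
    for name, v6 in (('unfiltered', IPV6_UNFILTERED), ('mirrored', IPV6_MIRRORED)):
        print(name, audit(IPV4_DUMP, v6) or ['OK: IPv6 filter mirrors IPv4'])
```

Running it on a live box means feeding it the real `iptables-save` and `ip6tables-save` output; an empty finding list is the state Adam assumes every router already reaches, and the unfiltered sample is the state Peter describes.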