-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Adam, > You can explicitly turn in off on every type of client. Then wait till > you want to do it. agreed. The problem is that you can, and you actually *must* do it. Doing nothing leaves v6 on by default on most modern operating systems. > False. The same firewall rules will apply as before Unfortunately, this is only theoretically true. > [and NAT isn't psuedo-security - NAT IS *NOT* *NOT* *NOT* A SECURITY > FEATURE; please, let's not have to go over that again]. That's the meaning of 'pseudo', isn't it? :-) > Your DOCSIS IPv6 capable black-box will apply the same filters to IPv6 > traffic that it does to IPv4 traffic. As will you Vista and Windows 7 > workstations. I'm not talking about host-based packet filtering. Turn on IPv6 on a Cisco box, for example, and none of your packet filters will affect IPv6 traffic. Lots of home/small business routers show the same behaviour, except that you don't even have to turn on IPv6 routing, it's on by default. > There is no such thing as "NAT security" for them to rely on. If that > is their security model the administrator is incompetent and should be > fired immediately. Agreed. >> be completely exposed to the Internet without any protection, > > False. No. See above. >> and the bad thing is that you just don't have to do anything to make >> it 'work'. From one day to the other, IPv6 connectivity will be there >> and most people won't even notice until it's too late. > > Or they won't notice and have nothing more to worry about than they did > before. Not if they either rely on NAT (which *many* home users do - and they are the security problem with respect to Botnets, not properly managed networks like yours and mine. > Well, don't worry. Because that is exactly what happens. An IPv6 > stateful firewall is just as effective as an IPv4 stateful firewall. Yes, as long as it's there. > Most just consumer routers simply mirror the IPv4 and IPv6 filters. If > you have a managed network with 'real' routers your administrators have > probably already done that; if you are unsure - ask them. I don't have to, as my introduction of IPv6 was some years ago. Telling people to just sit and wait is the worst you can do - at least I woudldn't trust a 'black box' router as far as I can throw it to actually implement v6 filter rules, especially since many of them are fairly old and not on the latest firmware level. Best regards, Peter. -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iEYEARECAAYFAk95e5YACgkQ+8TW1Xhd1geRyACeKimmjPrrrYtSee/wNJmLP1NZ k9gAoI8yGvEeVmfjXtqeEqMHx6PfrTUv =kus4 -----END PGP SIGNATURE-----