[CentOS] Worrying after IPv6 day...

Thu Jun 7 15:48:50 UTC 2012
Giles Coochey <giles at coochey.net>

On 07/06/2012 16:36, John Doe wrote:
> Hi,
> after IPv6 day, I was wondering if our servers were really secure...
> And, I know we should switch on IPv6 everywhere but... it will take some time.
> Usually, we disable(d) IPv6; so we are not running ip6tables.
> Can I start ip6tables in all cases (even if only IPv4) just to be on the safe side?
> On CentOS 6 servers, I use the --noipv6 in the kickstart files and I removed NetworkManager; but ifconfig still shows IPv6 addresses.
> And I wonder from where it gets them... based on the MAC?
> I guess they are not routable, so I should not get any traffic... right?
> Thx,
> JD
Your best bet with regard to protecting yourself from passing IPv6 
tunnelled traffic is to make sure you're blocking protocol 41. This will 
prevent rogue IPv6 tunnels forming across your IPv4 network. You don't 
need ip6tables to do this.

If your other managed endpoints are not running IPv6 and you're blocking 
protocol 41 (note this is not port 41, but _protocol_ 41) then you 
should mitigate most of the IPv6 issues. I would normally assume that 
your demarc points have a default policy to drop unknown / unspecified 


Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
giles at coochey.net
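An added example for the two points raised in this thread (it is not code from the original posts): where the fe80:: address that ifconfig still shows comes from, and how to block IP protocol 41 with plain iptables as suggested above. The link-local address is derived from the interface MAC by the modified EUI-64 rule (RFC 4291, Appendix A), so the guess in the question is right; the sample MAC, the chain names (iptables defaults) and the ruleset text fed to the check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example for the CentOS list thread above; not code from either poster.
# Assumptions: the sample MAC is constructed, the chain names are the iptables
# defaults, and the check reads whatever `iptables -S` prints.

# Where the fe80:: address comes from: the kernel builds a modified EUI-64 from
# the interface MAC (RFC 4291 App. A): flip the universal/local bit (0x02) of
# the first octet and insert ff:fe between the third and fourth octets.
mac_to_linklocal() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || {
        printf 'not a MAC address: %s\n' "$1" >&2
        return 1
    }
    b1=${mac%%:*}; rest=${mac#*:}
    b2=${rest%%:*}; rest=${rest#*:}
    b3=${rest%%:*}; rest=${rest#*:}
    b4=${rest%%:*}; rest=${rest#*:}
    b5=${rest%%:*}; b6=${rest#*:}
    b1=$(printf '%02x' $(( 0x$b1 ^ 0x02 )))
    # %x drops leading zeros from each 16-bit group, as the address notation does
    printf 'fe80::%x:%x:%x:%x\n' \
        $(( 0x$b1$b2 )) $(( 0x${b3}ff )) $(( 0xfe$b4 )) $(( 0x$b5$b6 ))
}

# Print the IPv4 iptables rules that drop IPv6-in-IPv4 encapsulation (IP
# protocol 41, which carries 6in4, 6to4 and ISATAP tunnels) in all three
# directions. It is a protocol number, not a TCP/UDP port, so "-p 41" is the
# whole match. Printed rather than applied so the rules can be reviewed first.
proto41_rules() {
    for chain in INPUT FORWARD OUTPUT; do
        printf 'iptables -I %s -p 41 -j DROP\n' "$chain"
    done
}

# Verify a ruleset (the output of `iptables -S`, fed on stdin) drops protocol
# 41 in INPUT, FORWARD and OUTPUT. iptables prints the protocol by name
# ("ipv6") when /etc/protocols resolves 41, so both spellings are accepted.
# Usage: iptables -S | check_proto41_rules
check_proto41_rules() {
    rules=$(cat)
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -Eq "^-A $chain .*-p (41|ipv6) .*-j DROP" || {
            printf 'no protocol-41 DROP rule in %s\n' "$chain" >&2
            return 1
        }
    done
    return 0
}

# Stand-alone demonstration on a constructed MAC.
mac_to_linklocal 00:1a:2b:3c:4d:5e
proto41_rules
```

Apply with `proto41_rules | sh` as root and confirm with `iptables -S | check_proto41_rules`. Two caveats: Teredo carries IPv6 inside UDP (port 3544 by default) rather than protocol 41, so it needs its own `-p udp --dport 3544` rule; and blocking protocol 41 does not remove the fe80:: addresses themselves. On CentOS 6 the kernel stops configuring them once `net.ipv6.conf.all.disable_ipv6 = 1` is set in /etc/sysctl.conf.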