On Sat, Mar 31, 2012 at 11:37 AM, Les Mikesell <lesmikesell at gmail.com> wrote:
> On Sat, Mar 31, 2012 at 8:06 AM, Peter Eckel <lists at eckel-edv.de> wrote:
> >
> >> Any recent computer or distribution is sitting there quietly waiting
> >> for its IPv6 address to arrive - probably automatically, via auto
> >> discovery. Clients are trivial.
> >
> > ... and that is EXACTLY the biggest problem with IPv6.
> >
> > 'Introducing' IPv6 happens automatically in most cases, and
> > inadvertently as well. The moment ISPs start supporting IPv6 for their
> > customers will be a security nightmare, because IPv6 firewalls will not be
> > configured on most networks, and the pseudo-security of NAT will no longer
> > be in effect.
> >
> > In fact, a very large number of networks (especially those currently
> > relying on NAT 'security') will be completely exposed to the Internet
> > without any protection, and the bad thing is that you just don't have to do
> > anything to make it 'work'. From one day to the other, IPv6 connectivity
> > will be there and most people won't even notice until it's too late.
> >
> > One may only hope that home router manufacturers will deliver standard
> > configurations with all incoming IPv6 traffic (except answers to outgoing
> > packets, obviously) blocked by default, but I'm not very optimistic :-(
> >
> > So, before you do anything else, set up proper incoming and outgoing
> > IPv6 port filtering rules on your perimeter routers. It will save you a
> > hell of a headache.
>
> If the addresses are auto-discovered, how are you supposed to be able
> to configure filtering rules for what you want to let through?
>

The address is generated from the prefix advertised by the router and the MAC address. Later versions of Windows generate a temporary random address to increase privacy, which can be disabled. Of course you can still assign static IPv6 addresses. I have done this for servers so I can easily identify them, as I use the last IPv4 octet in the IPv6 address.
Ryan
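As an added illustration of the address derivation Ryan describes (not code from the thread), this builds the modified EUI-64 interface identifier from a MAC address and combines it with the advertised /64 prefix, tells an EUI-64-derived address apart from a privacy (random) one, and shows a static scheme that carries the last IPv4 octet into the IPv6 address. The prefix, MAC and IPv4 values are constructed documentation samples; the static scheme is an assumed reading of Ryan's own.

```python
import ipaddress

IID_MASK = (1 << 64) - 1


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC in half, insert ff:fe in the middle ...
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    # ... and flip the universal/local bit (bit 0x02 of the first octet).
    iid = bytes([iid[0] ^ 0x02]) + iid[1:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would autoconfigure from a router-advertised /64 and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def is_eui64_derived(addr: str) -> bool:
    """True if the interface identifier carries the ff:fe marker, i.e. it encodes a MAC.
    A privacy/temporary address (random identifier) almost never has it."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    return (iid >> 24) & 0xFFFF == 0xFFFE


def mac_from_address(addr: str) -> str:
    """Recover the MAC embedded in an EUI-64-derived address (for inventory matching)."""
    if not is_eui64_derived(addr):
        raise ValueError("address is not EUI-64 derived")
    iid = (int(ipaddress.IPv6Address(addr)) & IID_MASK).to_bytes(8, "big")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def static_from_ipv4(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Assumed scheme: write the host's last IPv4 octet as the final IPv6 hextet,
    e.g. 192.0.2.25 in 2001:db8:1::/64 becomes 2001:db8:1::25."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    last_octet = int(ipaddress.IPv4Address(ipv4)) & 0xFF
    return ipaddress.IPv6Address(int(net.network_address) | int(str(last_octet), 16))
```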