[CentOS] transition to ip6

Sat Mar 31 15:51:05 UTC 2012
Ryan Wagoner <rswagoner at gmail.com>

On Sat, Mar 31, 2012 at 11:37 AM, Les Mikesell <lesmikesell at gmail.com>wrote:

> On Sat, Mar 31, 2012 at 8:06 AM, Peter Eckel <lists at eckel-edv.de> wrote:
> >
> >> And recent computer or distributions is sitting their quietly waiting
> >> for it's IPv6 address to arrive - probably automatically, via auto
> >> discovery.  Clients are trivial.
> >
> > ... and that is EXACTLY the biggest problem with IPv6.
> >
> > 'Introducing' IPv6 happens automatically in most cases, and
> inadvertently as well. The moment ISPs will start supporting IPv6 for their
> customers will be a security nightmare, because IPv6 firewalls will not be
> configured on most networks, and the pseudo-security of NAT will no longer
> be in effect.
> >
> > In fact, a very large number of networks (especially those currently
> relying on NAT 'security') will be completely exposed to the Internet
> without any protection, and the bad thing is that you just don't have to do
> anything to make it 'work'. From one day to the other, IPv6 connectivity
> will be there and most people won't even notice until it's too late.
> >
> > One may only hope that home router manufacturers will deliver standard
> configurations with all incoming IPv6 traffic (except answers to outgoing
> packets, obviously) blocked by default, but I'm not very optimistic :-(
> >
> > So, before you do anything else, set up proper incoming and outgoing
> IPv6 port filtering rules on your perimeter routers. It will save you a
> hell of a headache.
>
> If the addresses are auto-discovered, how are you supposed to be able
> to configure filtering rules for what you want to let through?
>

They address is generated from the prefix advertised by the router and the
mac address. Later versions of Windows generate a temporarily random
address to increase privacy, which can be disabled. Of course you can still
assign static IPv6 addresses. I have done this for servers so I can easily
identify them as I use the last IPv4 octet in the IPv6 address.

Ryan