On Sat, Mar 31, 2012 at 8:06 AM, Peter Eckel <li...@eckel-edv.de> wrote:
>
>> And recent computer or distributions is sitting there quietly waiting
>> for its IPv6 address to arrive - probably automatically, via auto
>> discovery. Clients are trivial.
>
> ... and that is EXACTLY the biggest problem with IPv6.
>
> 'Introducing' IPv6 happens automatically in most cases, and inadvertently as
> well. The moment ISPs will start supporting IPv6 for their customers will be
> a security nightmare, because IPv6 firewalls will not be configured on most
> networks, and the pseudo-security of NAT will no longer be in effect.
>
> In fact, a very large number of networks (especially those currently relying
> on NAT 'security') will be completely exposed to the Internet without any
> protection, and the bad thing is that you just don't have to do anything to
> make it 'work'. From one day to the other, IPv6 connectivity will be there
> and most people won't even notice until it's too late.
>
> One may only hope that home router manufacturers will deliver standard
> configurations with all incoming IPv6 traffic (except answers to outgoing
> packets, obviously) blocked by default, but I'm not very optimistic :-(
>
> So, before you do anything else, set up proper incoming and outgoing IPv6
> port filtering rules on your perimeter routers. It will save you a hell of a
> headache.

If the addresses are auto-discovered, how are you supposed to be able
to configure filtering rules for what you want to let through?

--
Les Mikesell
lesmikes...@gmail.com
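
Added example, not part of the original thread: a stateful default-deny ip6tables policy of the kind the quoted message describes (all incoming IPv6 blocked except answers to outgoing packets). The rules match on interface and connection state rather than on individual host addresses; the interface names, the ipv6_perimeter function, the LAN-side SSH rule and the IP6T dry-run variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: stateful default-deny IPv6 filtering for a Linux perimeter router.
# Assumptions: the caller passes the interface names; setting IP6T=echo gives a
# dry run that prints the ip6tables arguments instead of applying them.
IP6T="${IP6T:-ip6tables}"

ipv6_perimeter() {
    wan="$1"   # Internet-facing interface (assumed name, e.g. eth0)
    lan="$2"   # internal interface (assumed name, e.g. eth1)

    # Fail closed: nothing reaches or crosses the router unless allowed below.
    $IP6T -P INPUT DROP
    $IP6T -P FORWARD DROP
    $IP6T -P OUTPUT ACCEPT
    $IP6T -F INPUT
    $IP6T -F FORWARD

    # Answers to outgoing packets. RELATED also covers the ICMPv6 errors
    # (packet too big, unreachable, ...) that belong to tracked flows.
    $IP6T -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IP6T -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New connections may only start from the LAN side, whatever address
    # each client autoconfigured. No rule accepts NEW traffic from the WAN.
    $IP6T -A FORWARD -i "$lan" -o "$wan" -m conntrack --ctstate NEW -j ACCEPT

    # Neighbor discovery to the router itself: RS(133), RA(134), NS(135),
    # NA(136). Hop limit 255 proves the packet came from the local link.
    for t in 133 134 135 136; do
        $IP6T -A INPUT -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
    done

    # Loopback, plus management access from the LAN only (assumed: SSH on 22).
    $IP6T -A INPUT -i lo -j ACCEPT
    $IP6T -A INPUT -i "$lan" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Usage (as root):      ipv6_perimeter eth0 eth1
# Dry run (any user):   IP6T=echo; ipv6_perimeter eth0 eth1
```

A host that must accept inbound connections gets its own FORWARD rule ahead of the default drop; everything else stays unreachable from outside regardless of which address it picked up.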