On Sat, Mar 31, 2012 at 8:06 AM, Peter Eckel <li...@eckel-edv.de> wrote:
>
>> And recent computer or distributions is sitting there quietly waiting
>> for its IPv6 address to arrive - probably automatically, via auto
>> discovery.  Clients are trivial.
>
> ... and that is EXACTLY the biggest problem with IPv6.
>
> 'Introducing' IPv6 happens automatically in most cases, and inadvertently as 
> well. The moment ISPs will start supporting IPv6 for their customers will be 
> a security nightmare, because IPv6 firewalls will not be configured on most 
> networks, and the pseudo-security of NAT will no longer be in effect.
>
> In fact, a very large number of networks (especially those currently relying 
> on NAT 'security') will be completely exposed to the Internet without any 
> protection, and the bad thing is that you just don't have to do anything to 
> make it 'work'. From one day to the other, IPv6 connectivity will be there 
> and most people won't even notice until it's too late.
>
> One may only hope that home router manufacturers will deliver standard 
> configurations with all incoming IPv6 traffic (except answers to outgoing 
> packets, obviously) blocked by default, but I'm not very optimistic :-(
>
> So, before you do anything else, set up proper incoming and outgoing IPv6 
> port filtering rules on your perimeter routers. It will save you a hell of a 
> headache.

If the addresses are auto-discovered, how are you supposed to be able
to configure filtering rules for what you want to let through?

-- 
  Les Mikesell
    lesmikes...@gmail.com
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
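
The default-deny policy recommended in the quoted message, written as an ip6tables ruleset generator; this is an added example, not part of the original thread. The function name and the interface names eth0 (WAN) and eth1 (LAN) are assumptions, and the rules match on interface and connection state only, so they do not depend on which addresses the LAN hosts auto-configure.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an ip6tables-restore ruleset for
# a perimeter router. No rule names a host address, so auto-configured
# addresses on the LAN can change without touching the policy.
# Check before loading: gen_ip6_rules eth0 eth1 | ip6tables-restore --test
gen_ip6_rules() {
    wan=${1:-eth0}   # assumed Internet-facing interface
    lan=${2:-eth1}   # assumed internal interface
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- traffic addressed to the router itself ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Neighbor discovery and router advertisements ride on ICMPv6
-A INPUT -p ipv6-icmp -j ACCEPT
# --- traffic routed between LAN and Internet ---
# Replies to connections that LAN hosts opened
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections may only originate on the LAN side
-A FORWARD -i $lan -o $wan -m state --state NEW -j ACCEPT
# ICMPv6 error messages, needed e.g. for path MTU discovery
-A FORWARD -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A FORWARD -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
COMMIT
EOF
}
```

Everything arriving on the WAN side that is not a reply or an ICMPv6 error falls through to the DROP policy of the FORWARD chain.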
