Shawn,

In general the White House mandate on IPv6 is gaining traction - the National Laboratories, Universities, and some DoD agencies (DTRA) are running with the mandate. I would recommend that IPv6 be left on as long as ip6tables/firewall is running. Perhaps a RHEL 7 STIG requirement?

-Frank

----- Original Message -----
From: "Shawn Wells" <[email protected]>
To: [email protected]
Sent: Tuesday, March 25, 2014 4:41:51 PM
Subject: Re: IPV6 and security?

On 3/25/14, 3:46 PM, Andrew Gilmore wrote:
> Had our IT folks explain that this 3+ year old push is now gaining
> traction at my agency.
> http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/transition-to-ipv6.pdf

FWIW, RHT did USGv6 compliance back in 2012:
- PR @ http://investors.redhat.com/releasedetail.cfm?releaseid=716806
- Detailed tech listing @ https://www.iol.unh.edu/services/testing/ipv6/usgv6tested.php?company=6164&type=Host#eqplist

> Are the security concerns around IPV6 about the maturity of the
> protocol stack, or the reduced utility of NAT, or?

These sites cover most of the arguments I've heard:

"4 IPv6 Security Fallacies"
http://www.networkcomputing.com/ipv6/4-ipv6-security-fallacies/240159771

"7 IPv6 Security Risks"
http://www.esecurityplanet.com/network-security/7-ipv6-security-risks.html

Then, once you have the "negative" perspectives/arguments from the above URLs, a good overview was released by SANS:
https://www.sans.org/reading-room/whitepapers/protocols/security-features-ipv6-380

In full disclosure, I've only had a single project deal with IPv6. And it was for a small, closed off network, over a year ago. At the time the environmental ecosystem of IPv6 was immature. Our SIEM didn't recognize IPv6 addresses well, so event correlation was frustrating. Beyond that we had little problems, however we didn't have a massive or complicated environment.

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

--
Frank Caviggia
Consultant, Red Hat
[email protected]
(M) (571) 295-4560
