Re: IPV4 is nearly depleted, are you ready for IPV6?




On Mon, 2010-12-06 at 16:12 +0100, David Sommerseth wrote: 
> On 05/12/10 12:50, Rudi Ahlers wrote:
> There are some security considerations though, related to stateless auto
> configuration.  Currently whichever client on a local network may start
> a radvd process which will announce where the default GW can be found -
> thus redirecting IPv6 traffic via a hostile gateway.  But I believe
> people are trying to solve this as well.  One approach is to have an
> auto-responder which will send out invalidation broadcasts on new router
> broadcasts.  In such a scenario an attacker may do the same as well, and
> then you're getting closer to the same chaos you may get by having two
> DHCP servers on the same subnet.
> However, that issue is only relevant on local networks and can't be
> performed as an attack from a different subnet.

At least a large part of the solution to that problem is to police the
layers below any version of IP. Typically by using 802.1x / EAP to
authenticate the client to the switch. 

> In my point of view, IPv6 is ready for prime-time.  CentOS5/RHEL5 and
> older is not completely up-to-shape, due to the lack of SPI support in
> iptables.  But RHEL6 and the coming CentOS6 should be good to go.

+1

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
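
The rogue router advertisement problem discussed in this message, seen from the monitoring side. This is an added example, not part of the original thread: it parses ICMPv6 Router Advertisements (RFC 4861) and reports any that do not match the site's known router and prefix. The allowlist values, function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

# Assumed site policy (constructed values): router link-local address -> MAC.
ALLOWED_ROUTERS = {"fe80::1": "00:11:22:33:44:55"}
ALLOWED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}

def parse_ra(payload: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134) and its options."""
    if len(payload) < 16 or payload[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"lifetime": struct.unpack_from("!H", payload, 6)[0], "mac": None, "prefixes": []}
    off = 16                                     # options follow the fixed 16-byte header
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(payload):
            raise ValueError("malformed option")
        body = payload[off + 2 : off + opt_len]
        if opt_type == 1 and len(body) >= 6:     # source link-layer address
            ra["mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == 3 and opt_len == 32:    # prefix information
            ra["prefixes"].append(ipaddress.IPv6Network((body[14:30], body[0]), strict=False))
        off += opt_len
    return ra

def check_ra(src: str, payload: bytes) -> list:
    """Return the policy violations for one RA received from address src."""
    ra, findings = parse_ra(payload), []
    expected_mac = ALLOWED_ROUTERS.get(src)
    if expected_mac is None:
        findings.append(f"unknown router {src}")
    elif ra["mac"] != expected_mac:
        findings.append(f"{src} announced from unexpected MAC {ra['mac']}")
    findings += [f"unexpected prefix {n}" for n in ra["prefixes"] if n not in ALLOWED_PREFIXES]
    if ra["lifetime"] == 0:                      # lifetime 0 withdraws the default route
        findings.append("router lifetime 0 (default route invalidation)")
    return findings

def build_ra(mac: str, prefix: str, lifetime: int = 1800) -> bytes:
    """Construct a sample RA (checksum left zero) to exercise the checks."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0)
    slla = bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))
    pio = struct.pack("!BBBBII4x", 3, 4, net.prefixlen, 0xC0, 86400, 14400)
    return hdr + slla + pio + net.network_address.packed

if __name__ == "__main__":
    print(check_ra("fe80::dead", build_ra("de:ad:be:ef:00:01", "2001:db8:bad::/64")))
```

A monitor like this only reports; blocking unwanted advertisements at the switch port is the job of RA Guard (RFC 6105) or the 802.1x port authentication mentioned in the reply.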

