Adam Tauno Williams wrote: > On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote: >>> IPv6 is not broken by design. NAT was implemented to extend the time >>> until IPv4 exhaustion. A side effect was hiding the internal IPv4 >>> address, which complicates a number of protocols like FTP and SIP. The >>> only downside I see is ISPs could try and charge based on the number >>> of IPv6 addresses being used. >> No, the downside is that each address used will be exposed to the world. > > False. That is *NOT* a downside. > > NAT is *NOT* a magic sauce - install a firewall [which you probably > already have]. Problem solved. > >> I consider that a serious security flaw. > > It is not. > >> Having my ISP know how many >> computers I have is a minor issue covered by the contract I have with >> them. > > So you want to cheap on the legal contract you agreed to? No, if they want too much money before I can install additional computers, I have several other choices, some of which will likely be less expensive. Currently, their TOS is not an issue. >> But having all of those addresses exposed to Russian mobsters, >> terrorists, crackers and everyone else that knows how to capture packets >> is another matter altogether. If IPv6 exposes that information to the >> world, it is definitely unsafe to use. > > The "Russian mobsters" can already do that; if you think NAT is > protecting you from that then you are mistaken. NAT hides the IP addresses of the computers inside my firewall. The only address exposed is the temporary address assigned to the firewall itself. That box can be run on the most secure OS I can find (currently one of the BSD's), and allows me to operate other systems behind it that aren't as well protected. This makes it significantly more difficult for those mobsters to penetrate my network. Not allowing the most popular OS on the network at all is another layer of protection. Keeping everything up to date is another. It is a well known and established process to keep my computers secure. But now you are taking away one of those layers without providing anything of equal strength to replace it. I fail to see how that is an improvement. However, it appears some of you are actually evangelists in disguise, and refuse to acknowledge any real concerns about this change. So it becomes pointless to continue the discussion. Bob McConnell N2SPP _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos