Hi Adam,

> You can explicitly turn it off on every type of client. Then wait till
> you want to do it.

Agreed. The problem is that you can, and you actually *must* do it. Doing nothing leaves v6 on by default on most modern operating systems.

> False. The same firewall rules will apply as before

Unfortunately, this is only theoretically true.

> [and NAT isn't pseudo-security - NAT IS *NOT* *NOT* *NOT* A SECURITY
> FEATURE; please, let's not have to go over that again].

That's the meaning of 'pseudo', isn't it? :-)

> Your DOCSIS IPv6 capable black-box will apply the same filters to IPv6
> traffic that it does to IPv4 traffic. As will your Vista and Windows 7
> workstations.

I'm not talking about host-based packet filtering. Turn on IPv6 on a Cisco box, for example, and none of your packet filters will affect IPv6 traffic. Lots of home/small business routers show the same behaviour, except that you don't even have to turn on IPv6 routing, it's on by default.

> There is no such thing as "NAT security" for them to rely on. If that
> is their security model the administrator is incompetent and should be
> fired immediately.

Agreed.

>> be completely exposed to the Internet without any protection,
>
> False.

No. See above.

>> and the bad thing is that you just don't have to do anything to make
>> it 'work'. From one day to the other, IPv6 connectivity will be there
>> and most people won't even notice until it's too late.
>
> Or they won't notice and have nothing more to worry about than they did
> before.

Not if they either rely on NAT (which *many* home users do - and they are the security problem with respect to Botnets, not properly managed networks like yours and mine.

> Well, don't worry. Because that is exactly what happens. An IPv6
> stateful firewall is just as effective as an IPv4 stateful firewall.

Yes, as long as it's there.

> Most just consumer routers simply mirror the IPv4 and IPv6 filters. If
> you have a managed network with 'real' routers your administrators have
> probably already done that; if you are unsure - ask them.

I don't have to, as my introduction of IPv6 was some years ago. Telling people to just sit and wait is the worst you can do - at least I wouldn't trust a 'black box' router as far as I can throw it to actually implement v6 filter rules, especially since many of them are fairly old and not on the latest firmware level.

Best regards,
Peter.
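
The disagreement in this message is whether IPv4 packet filters also cover IPv6 traffic; on a Linux router or host that can be checked instead of assumed. The script below is an added example, not part of the original message: it compares saved `iptables -S` and `ip6tables -S` output and reports chains that are filtered for IPv4 but left at policy ACCEPT with no rules for IPv6. The function names and the sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag chains that are filtered for IPv4 but wide open for IPv6.
# Input files are saved output of `iptables -S` and `ip6tables -S` (filter table).

# summarize FILE CHAIN -> prints "<default policy> <number of -A rules>"
summarize() {
    awk -v c="$2" '
        $1 == "-P" && $2 == c { policy = $3 }
        $1 == "-A" && $2 == c { rules++ }
        END { printf "%s %d\n", (policy ? policy : "NONE"), rules }
    ' "$1"
}

# v6_gaps V4FILE V6FILE -> prints each chain where IPv4 has a non-ACCEPT
# policy or at least one rule, while IPv6 is policy ACCEPT with no rules.
v6_gaps() {
    for chain in INPUT FORWARD; do
        s4=$(summarize "$1" "$chain"); s6=$(summarize "$2" "$chain")
        p4=${s4% *}; n4=${s4#* }
        p6=${s6% *}; n6=${s6#* }
        if { [ "$p4" != ACCEPT ] || [ "$n4" -gt 0 ]; } &&
           [ "$p6" = ACCEPT ] && [ "$n6" -eq 0 ]; then
            echo "$chain"
        fi
    done
}

# Constructed sample rule sets (not taken from any real device).
sample=$(mktemp -d)
cat > "$sample/v4.rules" <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
cat > "$sample/v6.rules" <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
EOF

echo "Chains filtered for IPv4 but open for IPv6:"
v6_gaps "$sample/v4.rules" "$sample/v6.rules"
```

On a live system, replace the sample files with `iptables -S > v4.rules` and `ip6tables -S > v6.rules` run as root. A chain that is not listed still needs its IPv6 rules reviewed, since the script only detects the completely unfiltered case.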