I can also verify that I used ipv6 to get the cert with he.net (with them as
the tunnel broker) for whatever that's worth.

-- Matthew Thode

On Tue, Feb 15, 2011 at 07:17, Tom Hendrikx <tom@×××××××××.net> wrote:

> On 15/02/11 12:53, Ed W wrote:
> >
> >>> Tests done by a colleague show that, right now, the amount of inbound ipv6
> >>> traffic on his systems is none but I can perfectly understand your concerns
> >>> even if they should apply only to the network stack itself, as the daemons
> >>> listening to v6 should be the same that listen to v4, once configured for
> >>> dual stack.
> >>>
> >>> Anyway, ipv6 has a chance to become relevant by the end of the year as China
> >>> and India (among others) won't have quite enough v4 addresses in stock to
> >>> support the growth of their networks.
> >> This is precisely the point. While on the one hand, it has little
> >> current use and does potentially increase attack vectors, on the other
> >> hand, ipv4 is depleted and ipv6 is on the horizon.
> >>
> >> I looked at gentoo bugs for ipv6 and didn't find anything serious. I'm
> >> still leaning towards unmasking it.
> >>
> >
> > It's the whole catch 22 that there isn't any traffic because it's not
> > deployed and not deployed because there is no one to talk to...
> >
> > I think we all have to transition to ipv6 quite quickly so the only
> > sensible option is to bite the bullet and enable it. I have it enabled
> > on all my hardened servers...
> >
> > I would have thought the sensible rollout strategy for organisations is
> > to start gently with internal only deployments to get experience and
> > gradually incorporate the rest of the internet as it becomes more
> > common. Hopefully in this way most problems will be limited to internal
> > only at first...
> >
>
> I am running 2 boxen with hardened gentoo with ipv6 enabled (one native,
> one through a tunnel broker). I've seen no issues with ipv6 during
> deployment or while running services.
>
> A third box is ipv4 only, but was expected to get ipv6 connectivity
> quite soon after deployment. I disabled ipv6 USE flag and recompiled
> all affected packages some time after deployment. The only reason to do
> this was that logs were 'flooded' because applications tried to load the
> net-pf-10 kernel module. There probably is a more elegant way to fix
> that minor issue. I did not test a setup where the ipv6 kernel stuff is
> enabled/loaded when connectivity is not available (other than in
> localhost).
>
> --
> Tom