On 15/02/11 12:53, Ed W wrote:
>
>>> Tests done by a colleague show that, right now, the amount of inbound ipv6
>>> traffic on his systems is none but I can perfectly understand your concerns
>>> even if they should apply only to the network stack itself, as the daemons
>>> listening to v6 should be the same that listen to v4, once configured for dual
>>> stack.
>>>
>>> Anyway, ipv6 has a chance to become relevant by the end of the year as China
>>> and India (among others) won't have quite enough v4 addresses in stock to
>>> support the growth of their networks.
>> This is precisely the point. While on the one hand, it has little
>> current use and does potentially increase attack vectors, on the other
>> hand, ipv4 is depleted and ipv6 is on the horizon.
>>
>> I looked at gentoo bugs for ipv6 and didn't find anything serious. I'm
>> still leaning towards unmasking it.
>>
>
> It's the whole catch 22 that there isn't any traffic because it's not
> deployed and not deployed because there is no one to talk to...
>
> I think we all have to transition to ipv6 quite quickly so the only
> sensible option is to bite the bullet and enable it. I have it enabled
> on all my hardened servers...
>
> I would have thought the sensible rollout strategy for organisations is
> to start gently with internal only deployments to get experience and
> gradually incorporate the rest of the internet as it becomes more
> common. Hopefully in this way most problems will be limited to internal
> only at first...
>

I am running 2 boxen with hardened gentoo with ipv6 enabled (one native,
one through a tunnel broker). I've seen no issues with ipv6 during
deployment or while running services.

A third box is ipv4 only, but was expected to get ipv6 connectivity
quite soon after deployment. I disabled the ipv6 USE flag and recompiled
all affected packages some time after deployment. The only reason to do
this was that logs were 'flooded' because applications tried to load the
net-pf-10 kernel module. There probably is a more elegant way to fix
that minor issue. I did not test a setup where the ipv6 kernel stuff is
enabled/loaded when connectivity is not available (other than in localhost).

--
Tom