Mailinglist Archive: opensuse (1599 mails)

< Previous Next >
Re: [opensuse] Practicalities of IPv6
On Sat, 2009-10-24 at 19:31 -0400, Adam Tauno Williams wrote:
On Sat, 2009-10-24 at 17:28 -0400, Ken Schneider - openSUSE wrote:
Hans Witvliet pecked at the keyboard and wrote:
On Sat, 2009-10-24 at 22:08 +0200, Per Jessen wrote:
Adam Tauno Williams wrote:
Just when doing a new project: some parts should have been delt with,
like security, support, documentation, IPv6.
Can someone explain what security IPv6 offers over IPv4?

None. The approach for security issues with IPv6 and IPv4 is the same.

As all they are
are addresses, with IPv6 offering a far greater range, I fail to see the
significance one would have over the other in that regard.

There is no significance. You need firewalls and policies just like
with IPv4. But if you block port XYZ for IPv4 you need to make sure
that port XYZ is blocked for IPv6 - the 'firewall' stacks are
independent on most platforms.

Tools like fwbuilder work with IPv6 as well as IPv4, so if you are
using old versions of those tools you just need to upgrade your tool

There are some security-aspects.
The good one, is that one doesn't need something like openvpn or ipsec
on top of IP(v4) as it is allready included in IPv6.

The bad on: you have to be aware that *current* firewall rules aply only
to IPv4 (and probably also host allow/deny). It means that in the early
days of migration (specially if people are not aware of providers
suddenly present a dual stack to their customers) will find their
network highly exposed.... (imho that's the main reason for getting your
feet wet early)

Oh, btw, it also solves the problem of having multiple apache
ssl-vhosts. As you get some millions of private routable addresses you
can give each apache-server its own address, instead of just a name.
So that's another good one.

To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx

< Previous Next >
Follow Ups