Mailinglist Archive: opensuse (1837 mails)

Re: [opensuse] Moving to IPv6
  • From: John Andersen <jsamyth@xxxxxxxxx>
  • Date: Thu, 09 Sep 2010 11:15:20 -0700
  • Message-id: <4C892438.8020403@xxxxxxxxx>
On 9/9/2010 3:24 AM, Adam Tauno Williams wrote:

Second, most organizations are far from ready, although some are more
ready than they know
since Windows and Linux and Mac (I think) have been shipping IPv6
stacks for some time now.

It is actually funny. I've been to a couple organizations where I can
move around their network via IPv6 and they didn't even know it. And
their oblivious firewalls don't do anything to protect them. They
aren't ready in a very special kind of way - their security is
essentially broken. All because they aren't "ready" to support IPv6.

Exactly my point. Just because you have an ipv6 stack doesn't mean
you are ready to use it.

Until a couple years ago IPTables/Netfilter firewalls were essentially
useless when ipv6 was turned on in the network. They didn't even
know there was traffic going on behind their back.

Yet that's what is built into virtually all cheap AND expensive routers.
Anything built prior to about 2006 which hasn't had a software
upgrade is at risk here. (And most routers NEVER get a software

There is no generic way to defend against it because a port that is open
is open regardless of whether you arrive via the ipv4 stack or the ipv6
stack. So you end up configuring a firewall on every device, especially
Windows devices where many ports are open by default.

This is why the safest thing to do is to block all ipv6 traffic at
the perimeter until you can do a complete site survey or at least
assure yourself that your perimeter firewall can filter ipv6 traffic.
That way all you have to worry about is people like you on the inside. ;-)

At one time I had a Real Sig. It's been downsized.
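
An added example, not part of the original message: one way to check for the gap discussed in this thread, where a Linux firewall filters IPv4 but lets all IPv6 through. It assumes you have the text output of `iptables-save` and `ip6tables-save`; the function names and sample dumps are constructed for illustration.

```python
# Added example: sample dumps below are constructed, not taken from the thread.
BUILTIN = ("INPUT", "FORWARD", "OUTPUT")
BLOCKING = ("DROP", "REJECT")

def parse_filter(dump):
    """Parse the *filter table of an iptables-save / ip6tables-save dump."""
    chains, in_filter = {}, False
    for line in (raw.strip() for raw in dump.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": policy, "rules": []}
        elif in_filter and line.startswith("-A "):
            name = line.split()[1]
            chains.setdefault(name, {"policy": "-", "rules": []})["rules"].append(line)
    return chains

def target(rule):
    """Return the -j target of a rule line, or '' if it has none."""
    parts = rule.split()
    return parts[parts.index("-j") + 1] if "-j" in parts[:-1] else ""

def restricts(chain):
    """True if the chain blocks by policy or by any direct DROP/REJECT rule.
    Jumps into user-defined chains are not followed (simplification)."""
    return chain["policy"] in BLOCKING or any(target(r) in BLOCKING for r in chain["rules"])

def ipv6_gaps(v4_dump, v6_dump):
    """List built-in chains that filter IPv4 but accept all IPv6."""
    v4, v6 = parse_filter(v4_dump), parse_filter(v6_dump)
    wide_open = {"policy": "ACCEPT", "rules": []}  # kernel default if nothing is loaded
    return [c for c in BUILTIN
            if restricts(v4.get(c, wide_open)) and not restricts(v6.get(c, wide_open))]

V4_SAMPLE = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT"""
V6_SAMPLE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT"""

if __name__ == "__main__":
    print("IPv6 unfiltered on:", ipv6_gaps(V4_SAMPLE, V6_SAMPLE))
```

An empty `ip6tables-save` dump is treated the same as an all-ACCEPT ruleset, since that is what the kernel does when no IPv6 rules are loaded.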