On Sun, 2009-10-25 at 14:23 +0100, Per Jessen wrote:
Hans Witvliet wrote:
It means that in the early days of migration, people (especially if they are not aware of providers suddenly presenting a dual stack to their customers) will find their network highly exposed.... (imho that's the main reason for getting your feet wet early)
Is that a _real_ issue to worry about, Hans? If a customer is IPv4-only, and his provider decides to offer IPv6 too without telling the customer, I don't see that changing anything for the customer. His network equipment isn't just going to switch into dual-stack just like that. For instance, my provider set up IPv6 on my ADSL line Thursday night, and didn't tell me until Friday morning. I can assure you it did not affect my site security at all.
I think so. Systems can have their dhcp-set-up in different ways: IPV4-ONLY, IPV6-ONLY and both IPv4 AND IPv6. As long as your provider only hands out v4 addresses, all works well, and the client just keeps on polling for ever. But as soon as your ISP "sees the light" and gives you both a v4 AND a v6 address, and your v6 rule-set is "accept anyone from anywhere" you might (!) end up in shit-creek. <<<<<< find your system compromised. Unless you have your ip6tables rule set changed to default drop-anything, which implies that one has started to think/do something with IPv6, which was the main issue I made.
Oh, btw, it also solves the problem of having multiple apache ssl-vhosts.
I was just reading an article about that in the most recent c't (#23 - "SSL fuer virtuelle Server"). It mentions something called "TLS Server Name Indication" - seems like Apache has had support since 2.2.12.
Yes, there are some workarounds, with address-mod-rewrite, but then you use one certificate for all webservers. And with IPv6 you simply can give all webservers their own legitimate certificate.
hw
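Added example, not part of the original message: one way to check whether a host is in the "accept anyone from anywhere" state described above is to audit the default policies in `ip6tables-save` output. The function name `audit_ip6_policy` and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit IPv6 filter policies in `ip6tables-save` output (stdin).
# Prints "OPEN <chain>" for INPUT/FORWARD chains that accept by default and have
# no unconditional DROP/REJECT rule; returns 1 if any such chain is found.
audit_ip6_policy() {
    awk '
        /^\*/ { table = substr($1, 2); next }      # "*filter", "*mangle", ...
        table != "filter" { next }
        /^:/ { policy[substr($1, 2)] = $2; next }  # ":INPUT ACCEPT [0:0]"
        # "-A CHAIN -j DROP" with no match options terminates the chain
        $1 == "-A" && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") {
            catchall[$2] = 1
        }
        END {
            n = split("INPUT FORWARD", chains, " ")
            for (i = 1; i <= n; i++) {
                c = chains[i]
                # No filter table in the dump means nothing is filtering,
                # so a missing policy is treated like ACCEPT.
                p = (c in policy) ? policy[c] : "ACCEPT"
                if (p == "ACCEPT" && !(c in catchall)) {
                    print "OPEN " c
                    bad = 1
                }
            }
            exit bad + 0
        }
    '
}

# Constructed sample dumps, not taken from any real host.
SAMPLE_OPEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

SAMPLE_CLOSED='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT'

printf '%s\n' "$SAMPLE_OPEN" | audit_ip6_policy || echo "IPv6 filter is default-accept"
```

On a live host, pipe the output of `ip6tables-save` (run as root) into the function instead of the sample text.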