Mailinglist Archive: opensuse (1599 mails)

Re: [opensuse] Practicalities of IPv6
On Sun, 2009-10-25 at 17:41 +0100, Per Jessen wrote:
> Hans Witvliet wrote:
>
>> On Sun, 2009-10-25 at 14:23 +0100, Per Jessen wrote:
>>> Is that a _real_ issue to worry about, Hans? If a customer is
>>> IPv4-only, and his provider decides to offer IPv6 too without telling
>>> the customer, I don't see that changing anything for the customer.
>> [snip]
>> I think so.
>> Systems can have their DHCP set-up in different ways: IPV4-ONLY,
>> IPV6-ONLY and both IPv4 AND IPv6.
>> As long as your provider only hands out v4 addresses, all works well,
>> and the client just keeps on polling for ever.
>> But as soon as your ISP "sees the light" and gives you both a v4 AND
>> a v6 address, and your v6 rule-set is "accept anyone from anywhere"
>> you might (!) end up in shit-creek. <<<<<< find your system
>> compromised. Unless you have your ip6tables rule set changed to
>> default drop-anything, which implies that one has started to think/do
>> something with IPv6, which was the main issue I made.
> I was considering that most consumer/commodity ADSL boxes do not yet
> support IPV6, so the provider can advertise IPV6 as much as he wants,
> it won't cause a problem. That was what happened on my system.

Ok, but most organizations of any size are probably not connected to the
Internet via a commodity ADSL router. Every single organization I visit
has either a Cisco or 3com device.

But leaking through a traditional firewall sandwich would be hard; from
a security perspective I'm far more concerned about avoiding a
crunchy-on-the-outside-chewy-on-the-inside situation [which is what an
over-reliance on perimeter defenses results in]. If you don't deal with
IPv6 you can easily end up running a parallel essentially stealth
network inside your organization.

Anyway, what are the default SuSEfirewall settings for IPv6?

Glancing at my laptop it looks like it drops everything but ICMP; but I
haven't looked at a truly fresh install to see if that is the same.


--
openSUSE <http://www.opensuse.org/en/>
Linux for human beings who need to get things done.
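
The difference discussed in this thread between an "accept anyone from anywhere" IPv6 rule set and a default-drop one can be checked from a saved rule dump. The following is an added example, not part of the original message and not SuSEfirewall code: a shell function that reads `ip6tables-save` text on stdin and reports whether the filter table's INPUT and FORWARD chains are open. The function name and the sample dumps are constructed for illustration.

```shell
# Added example: audit ip6tables-save text for the filter table.
# Reads the dump on stdin, prints one line per chain, returns 1 if any is open.
audit_ip6tables_save() {
    awk '
        BEGIN { bad = 0 }
        /^\*/ { table = substr($0, 2); next }      # "*filter" opens a table
        table != "filter" { next }
        /^:(INPUT|FORWARD) / { policy[substr($1, 2)] = $2; next }
        # First rule with no match options and a terminal target decides what
        # happens to every packet the earlier rules did not match.
        $1 == "-A" && $3 == "-j" && !($2 in fate) {
            if ($4 == "DROP" || $4 == "REJECT") fate[$2] = "closed"
            else if ($4 == "ACCEPT")            fate[$2] = "open"
        }
        END {
            n = split("INPUT FORWARD", chains, " ")
            for (i = 1; i <= n; i++) {
                c = chains[i]
                if (!(c in policy))           s = "OPEN (chain not in dump)"
                else if (fate[c] == "open")   s = "OPEN (unconditional ACCEPT rule)"
                else if (fate[c] == "closed") s = "OK (catch-all drop rule)"
                else if (policy[c] == "DROP") s = "OK (policy DROP)"
                else                          s = "OPEN (policy " policy[c] ")"
                if (s ~ /^OPEN/) bad = 1
                print c ": " s
            }
            exit bad
        }'
}

# Constructed sample dumps, not taken from any real host.
SAMPLE_OPEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
SAMPLE_ICMP_ONLY='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p ipv6-icmp -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_OPEN" | audit_ip6tables_save || echo "=> open to IPv6"
printf '%s\n' "$SAMPLE_ICMP_ONLY" | audit_ip6tables_save && echo "=> filtered"
```

On a live host the input would come from `ip6tables-save | audit_ip6tables_save`, run as root. The check does not follow jumps into user-defined chains, so a chain that drops everything only inside such a chain is still reported by its policy.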
