[ale] IPv6 vs IPv4 (was: uptime)
Jim Popovitch
jimpop at gmail.com
Thu Mar 18 07:13:21 EDT 2010
On Wed, Mar 17, 2010 at 22:42, Michael H. Warfield <mhw at wittsend.com> wrote:
> On Wed, 2010-03-17 at 22:03 -0400, Jim Popovitch wrote:
>> Well, that brings up the usual IPv4 vs IPv6 interest :-). So a measure
>> of security comes from IPv4 but not IPv6...yet another reason to delay
>> IPv6 :-)
>
> Fraid not. You don't really have a choice. It's far far more difficult
> and expensive to prevent or obstruct IPv6 than it is to provide it. I
> haven't accessed IPv6 from an aircraft yet (but that would be trivial)
> but I have done a half a dozen cruise ships at sea and from several
> continents (Asia, Europe, South America, and all over the US, Canada,
> Mexico, Central America, and the Caribbean). Behind NAT devices and
> behind firewalls. We've found it deep in labs communicating with Teredo
> servers out on the Internet (Windows Vista, Windows 7, and a surprising
> number of Windows XP systems that nobody can explain). I have yet to
> find a place where I could not reach IPv6 if I really wanted it. And
> the bad guys know this. Russia and the Ukraine are #1 and #2 on
> Google's list of v6 deployment. Think about that. In fact, I would
> honestly say, if you have access to DNS then someone has access to IPv6
> from where you are (look up Iodine, DNScat, and OpenVPN and think about
> it). Time for burying your head in the sand was gone a long time ago.
> The important point is that you don't know. You won't know. It doesn't
> ring any big red bells and announce itself. It just works and you are
> none the wiser.
I think you are missing my point ;-)
> You say another reason to "delay" IPv6? And exactly WHAT have you done
> to delay it? If the answer is nothing, you're not even a speed bump.
> If you are not actively checking for it and blocking it, how are you
> delaying it? Even if you are actively trying to detect it, it's now
> common on all modern Linux boxes and Mac books and you can't disable it
> on Vista or Windows 7 (and it's really difficult to disable it on Linux
> by intent and design). At least some of the IPv6 protocols should be
> present on virtually every modern network at this time (globals may not
> be actively routed but RD, and ND should certainly be present and maybe
> even RA). Have been for many many years and here you sit oblivious to
> it all. Delaying it is too late when it's been sitting on your network
> for 5 years or more and you still have no clue.
:-)
-Jim P.
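
As an added illustration of the "actively checking for it" point in the quoted message (not code from either poster or from the list), this Python example labels Ethernet frames that carry native IPv6, Neighbor Discovery or Router Advertisement traffic, protocol-41 tunnels, or Teredo on UDP port 3544. The frames are constructed samples, the helper names are hypothetical, and untagged Ethernet (no VLAN header) is assumed.

```python
import struct
from ipaddress import ip_address

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
PROTO_UDP, PROTO_IPV6_ENCAP, PROTO_ICMPV6 = 17, 41, 58
TEREDO_PORT = 3544  # Teredo service port (RFC 4380); a port match is a heuristic
ND_TYPES = {133: "router-solicitation", 134: "router-advertisement",
            135: "neighbor-solicitation", 136: "neighbor-advertisement"}

def classify(frame: bytes) -> str:
    """Label the IPv6 presence (native, ND/RA, or tunnelled) in one Ethernet frame."""
    if len(frame) < 14:
        return "truncated"
    ethertype, pkt = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == ETH_IPV6:
        if len(pkt) > 40 and pkt[6] == PROTO_ICMPV6:  # ICMPv6 right after the fixed header
            return "native-ipv6:" + ND_TYPES.get(pkt[40], "icmpv6-other")
        return "native-ipv6"
    if ethertype != ETH_IPV4:
        return "no-ipv6"
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if ihl < 20 or len(pkt) < ihl:
        return "truncated"
    if pkt[9] == PROTO_IPV6_ENCAP:  # IPv6 carried directly in IPv4 (6in4, 6to4, ISATAP)
        return "tunnel:proto-41"
    first_fragment = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF == 0
    if pkt[9] == PROTO_UDP and first_fragment and len(pkt) >= ihl + 4:
        if TEREDO_PORT in struct.unpack("!HH", pkt[ihl:ihl + 4]):
            return "tunnel:teredo"
    return "no-ipv6"

def _eth(ethertype, pkt):  # hypothetical helper: locally administered MACs
    return b"\x02" * 12 + struct.pack("!H", ethertype) + pkt

def _ipv4(proto, body):  # addresses from the RFC 5737 documentation ranges
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       ip_address("192.0.2.1").packed, ip_address("198.51.100.1").packed) + body

def _ipv6(next_header, body):  # link-local source, all-nodes multicast destination
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), next_header, 255,
                       ip_address("fe80::1").packed, ip_address("ff02::1").packed) + body

SAMPLES = [  # constructed frames, not captured traffic
    _eth(ETH_IPV6, _ipv6(PROTO_ICMPV6, bytes([134, 0]) + bytes(14))),  # RA
    _eth(ETH_IPV4, _ipv4(PROTO_UDP, struct.pack("!HHHH", 50000, TEREDO_PORT, 8, 0))),
    _eth(ETH_IPV4, _ipv4(PROTO_IPV6_ENCAP, _ipv6(59, b""))),  # 6in4
    _eth(ETH_IPV4, _ipv4(6, bytes(20))),  # plain IPv4 TCP
]

print([classify(f) for f in SAMPLES])
```

Feeding `classify` the frames from a capture on an "IPv4-only" segment gives a quick count of how much IPv6 is already there; Teredo data between peers can use other UDP ports, so the port check only catches traffic to or from the Teredo service port.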