On Thu, Aug 27, 2009 at 01:07:49PM +0200, Stefan Schlesinger wrote:
On Aug 17, 2009, at 19:43 , Mike McGrath wrote:
>On Mon, 17 Aug 2009, Jeff Garzik wrote:
>
>>On 08/17/2009 10:01 AM, Mike McGrath wrote:
>>>On Mon, 17 Aug 2009, Jeff Garzik wrote:
>>>>Is there any IPv6 plan for *.fedoraproject.org ?
>>>There is currently no plan.
>>What needs to be done to create a plan, and move forward?
>Someone with a clear idea of the benefits, costs, and a plan for
>implementation.
Besides the fact that we have to expect no more free IPv4 adresses
available after 2012 and will then be forced to start working on it, the
greatest benefit would be to start getting experience on the whole new
IPv6 stack.
As long as our uplink providers already support v6, the costs to enable
services within the new address space should be minimal. Providers
usually just charge a setup fee and are actually not allowed to charge
more than that...
I have already some experience with ipv6 from my workplace. The rough
plan for the transition made so far was:
* Enable v6 auto-configuration for all of our server vlans. Thus, all
of our machines had v6 connectivity to the outside, and where able
to use already existing v6 services.
To work around any security bugs which this change could introduce,
we configured stateful filtering on the routers, allowing only
established connections from the outside to our machines.
We don't have control over the routers in most of our data centers.
RHEL5's ip6tables can't do stateful filtering either (no conntrack).
I agree stateful would be nice, but is it strictly necessary? I don't
believe so.
--
Matt Domsch
Technology Strategist, Dell Office of the CTO
linux.dell.com &
www.dell.com/linux