IPv6 for Fedora services?

[Matt Domsch]

On Thu, Aug 27, 2009 at 01:07:49PM +0200, Stefan Schlesinger wrote:
> On Aug 17, 2009, at 19:43 , Mike McGrath wrote:
> 
> >On Mon, 17 Aug 2009, Jeff Garzik wrote:
> >
> >>On 08/17/2009 10:01 AM, Mike McGrath wrote:
> >>>On Mon, 17 Aug 2009, Jeff Garzik wrote:
> >>>>Is there any IPv6 plan for *.fedoraproject.org ?
> >>>There is currently no plan.
> >>What needs to be done to create a plan, and move forward?
> >Someone with a clear idea of the benefits, costs, and a plan for
> >implementation.
> 
> Besides the fact that we have to expect no more free IPv4 adresses
> available after 2012 and will then be forced to start working on it, the
> greatest benefit would be to start getting experience on the whole new
> IPv6 stack.
> 
> As long as our uplink providers already support v6, the costs to enable
> services within the new address space should be minimal. Providers
> usually just charge a setup fee and are actually not allowed to charge
> more than that...
> 
> I have already some experience with ipv6 from my workplace. The rough
> plan for the transition made so far was:
> 
> * Enable v6 auto-configuration for all of our server vlans. Thus, all
>   of our machines had v6 connectivity to the outside, and where able
>   to use already existing v6 services.
> 
>   To work around any security bugs which this change could introduce,
>   we configured stateful filtering on the routers, allowing only
>   established connections from the outside to our machines.

We don't have control over the routers in most of our data centers.
RHEL5's ip6tables can't do stateful filtering either (no conntrack).
I agree stateful would be nice, but is it strictly necessary?  I don't
believe so.

-- 
Matt Domsch
Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux