Disabling ipv6

Chris Adams linux at cmadams.net
Fri Jul 12 14:04:36 UTC 2013


Once upon a time, Tim <ignored_mailbox at yahoo.com.au> said:
> How is your firewall set up?  When you allow something for IPv4, does it
> make a corresponding rule for IPv6, at the same time.  Likewise, for if
> you block something.  And I mean that in two ways, dealing with ports,
> and addresses.  I may decide to block all port 80 traffic, and I'd hope
> my firewall doesn't just put a block on IPv4 traffic, requiring me to
> separately set up another rule for the IPv6.  Or, I may find out that
> I'm seeing unwanted traffic from www.example.com, I'll probably have to
> find out their IPv4 and IPv6 IPs and individually block them.

Except for trying to block things by hostname (which is always a
problem, since DNS changes all the time), yes.  My firewall does all of
that.  As far as I know, the CPE advertising IPv6 support does that.
I'm pretty sure the Windows software firewall does that (don't know
anything about Mac OS X).

Does _every_ firewall that claims IPv4 and IPv6 support do that
correctly?  I don't know, probably not.  But at the same time, does
every firewall that claims IPv4 support handle all of the above
correctly, 100% of the time?  Probably not.  There will always be bugs,
design flaws, etc.

> Then there's address range types.  With IPv4 it's easy enough to have a
> demarcation point between one side of my LAN and the WWW, and set rules
> about it.  IPv6 uses a different technique of addressing/subnetting, and
> in some of my earlier readings of it, doesn't really work in a similar
> way that you can do that kind of demarcation.  There's not that level of
> distinction between LAN and WAN.

Yes, IPv4 and IPv6 addresses are different (that's kind of the point).
The whole idea that somehow RFC1918 space is "magic" (I hear people call
it "unroutable" all the time, which is flat wrong) came in with NAT and
is bad, as anybody who has dealt with enterprise networks (and
especially when companies merge, interconnect, etc.) can tell you.

If you want something similar to RFC1918 space with IPv6, you can use
ULA, but you really shouldn't.

> So there's those basic levels of security, before anybody even worries
> about flaws in IPv6, itself.

I don't see anything here much other than "it is different and different
is bad"; certainly not any of the supposed "security flaws".
-- 
Chris Adams <linux at cmadams.net>
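One check a practitioner would want after this exchange: compare the explicit port blocks in `iptables-save` and `ip6tables-save` output and report any port that is dropped in one address family but not the other. This is an added example, not code from the thread; the two rule sets below are constructed samples, and the `blocked_ports` and `port_block_gaps` helper names are my own.

```python
import re

# Constructed sample output in the format written by `iptables-save` and
# `ip6tables-save`. Assumption: the INPUT chain of the filter table is the
# one that matters, and its default policy is ACCEPT so explicit DROPs count.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -j DROP
COMMIT
"""
IP6TABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# One "-A <chain> ... -j <target>" rule line; the greedy middle part keeps the match options.
RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<rest>.*) -j (?P<target>\S+)$")

def blocked_ports(save_output, chain="INPUT"):
    """Return the set of destination ports the given chain explicitly DROPs or REJECTs."""
    ports = set()
    for line in save_output.splitlines():
        m = RULE_RE.match(line)
        if not m or m.group("chain") != chain or m.group("target") not in ("DROP", "REJECT"):
            continue
        dport = re.search(r"--dport (\d+)", m.group("rest"))
        if dport:
            ports.add(int(dport.group(1)))
    return ports

def port_block_gaps(v4_save, v6_save):
    """Ports blocked in only one family, keyed by the family that lacks the rule."""
    v4, v6 = blocked_ports(v4_save), blocked_ports(v6_save)
    return {"missing_in_ipv6": sorted(v4 - v6), "missing_in_ipv4": sorted(v6 - v4)}

if __name__ == "__main__":
    print(port_block_gaps(IPTABLES_SAVE, IP6TABLES_SAVE))
```

On a live host, feed it the real output of `iptables-save` and `ip6tables-save`; the sample reports port 80 as blocked for IPv4 only, which is exactly the asymmetry the thread is worried about.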