Disabling ipv6

Fernando Lozano fernando at lozano.eti.br
Fri Jul 12 14:17:45 UTC 2013

>> You keep talking about IPv6 security risks (over IPv4), but haven't
>> cited any.
> While I don't know of security risks of IPv6, itself, there is this:
If you follow IPv6 on the net you should have found lots of articles 
about this, and how it affects specially home users and SMBs. Here are 
some introductory links:


Most vendors and ISPs won't talk about his -- IPv6 is a selling point -- 
but here's buried inside an AT&T white paper:


"According to the National Institute of Standards and Technology (NIST):
Prevention of unauthorized access to IPv6 networks will likely be
more difficult in the early years of IPv6 deployments. IPv6 adds more
components to be filtered than IPv4, such as extension headers,
multicast addressing, and increased use of ICMP. These extended
capabilities of IPv6, as well as the possibility of an IPv6 host
having a number of global IPv6 addresses, potentially provides an
environment that will make network-level access easier for attackers
due to improper deployment of IPv6 access controls. Moreover,
security related tools and accepted best practices have been slow
to accommodate IPv6. Either these items do not exist or have not
been stress tested in an IPv6 environment"

For more techinical content, you can visit


which is Fernando Gont home page (author of some IETF RFCs), and see 
theslides at


> How is your firewall set up?
That's not the question. I am an experienced sysadmin and networking 
expert, I know where to search for information and what to look for. But 
today most computer users, not just Fedora users, do not have this 
expertise and won't spend enough time researching. They expect to get 
minimally secure default from vendors and open source projects. 
something most DO NOT provide currenty, regarding IPv6. :-(

The fact is: today, even most experienced network admins do not know 
enough about IPv6 security. Most ones I talked to still believe "IPv6 is 
more secure by design" which it isn't.

[]s, Fernando Lozano

More information about the users mailing list