Actually James, incompetence would be opening up a high security system to additional attack vectors without a good business or technical reason (which you really haven't provided).
On Thu, Jun 29, 2017 at 6:33 PM James Knott via talk <[email protected]> wrote:

> I have worked with telecommunications and networks for many years (I
> first worked on a computer network in 1978, before there was such a
> thing as Ethernet or IPv4) and often see IPv6 in my work. I cannot say
> I'm not going to work with it or the customer shouldn't use it. I have
> to be prepared to deal with the situation and these days that includes
> being competent with IPv6. Also, I wasn't referring to home users when
> I was talking about hardening. Much of my work has been in high
> security data centres, where there are public web sites, among others,
> running in a protected environment. In today's world, working with IPv6
> is part of the job and disabling it, when it is the future, is just
> plain incompetence. If you can't protect against attacks via IPv6 as you
> would via IPv4, you really should be looking for another job. IPv6 is here
> now, learn to deal with it, instead of hiding from it. It's not going
> away.
>
>
> On 06/29/2017 06:18 PM, Ansar Mohammed wrote:
> > Again, please follow the thread, this is not about competency or
> > capability on IPv6.
> >
> > This is a simple question on hardening a Linux system. My entire
> > network runs IPv6 also. But my home systems do not need to be hardened.
> >
> > There have been many IPv6 only bugs and exploits including last year's
> > IPv6 ping of death on Cisco.
> >
> > https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6
> >
> > The stack simply isn't as battle tested as IPv4.
> >
> > Oh, and that growing portion of the internet that's IPv6 only is
> > primarily China.
> >
> > What's your business reason for the additional risk of IPv6?
> >
> > Does your application support IPv6?
> >
> > Has your application been tested with IPv6?
> >
> > Do you have users that are IPv6 only?
> >
> > If you don't need it on a hardened system, you are just adding another
> > attack vector for no good reason.
> >
> >
> >
> > On Thu, Jun 29, 2017 at 5:36 PM James Knott via talk <[email protected]> wrote:
> >
> > On 06/29/2017 05:14 PM, Ansar Mohammed wrote:
> > > It's not a matter of being afraid of anything. Security 101 tells you
> > > to reduce your attack surface area.
> > > I would not increase my attack surface area just for the sake of being
> > > an early adopter of IPv6.
> > >
> > > To be clear the conversation is about hardening. This is the right
> > > thing to do.
> > >
> >
> > Then you'll be hardening yourself out of a growing portion of the
> > Internet. I use a browser addon called "ShowIP" which displays the web
> > site IP address. I can see a significant part of the sites I go to are
> > now IPv6. Also, if you don't know how to set up a firewall on IPv6, you
> > really can't consider yourself capable of hardening anything. For
> > example, consider setting up a firewall. On Cisco gear, unless you
> > filter on address, your IPv4 and IPv6 rules are identical. On other
> > firewalls, such as pfSense, you can do both IPv4 & IPv6 with one rule.
> > You can also have separate rules if needed, your choice. Also, if
> > you're not competent with IPv6, you'll never get some certifications
> > such as CCNA etc. They require you to know IPv6.
> >
> > BTW, here's the IPv6 address for gtalug.org:
> > 2600:3c03::f03c:91ff:fe50:ea0a
> > ---
> > Talk Mailing List
> > [email protected]
> > https://gtalug.org/mailman/listinfo/talk
