Wouter Van Hemel wrote:

> Normally, hosts don't accept IP packets to their ports that are not sent
> to one of the IPs assigned to their interfaces. If you make sure the
> router doesn't somehow send IPv6 packets through the NAT (I don't think
> that's possible already, IPv6 through NAT...), then IPv6 addresses stay
> IPv6 addresses, and hosts that do not support IPv6 addresses on your
> internal network can't receive these packets.

I wonder how that NAT would work. How would you ever be able to reach an
IPv4-only host with an IPv6-only host? The IPv6 NAT router could map
services to an IPv4-net host and use its address as destination, but I
wonder if this is yet possible?

> The hosts that DO have an IPv6 address are vulnerable to potential
> exploits. Make sure that daemons only run on IPv4 addresses, i.e. don't
> allow them to bind to all IPs on all interfaces, like most of them do;
> otherwise, those daemons _can_ be reached with the globally routable IPv6
> address, and exploited.

Suppose there are some hosts with IPv6 addresses but not configured; then
the only way to reach them is by link-local addressing? On the interface
to the IPv4 net there's no router advertisement daemon.

btw, how can I know if there are some IPv6-enabled hosts on a network?
Is there some kind of broadcast ping?

> But, IMHO (I'm not really that big a security expert), if you make sure no
> IPv4 machines support IPv6 connections (be careful with default kernels
> that might come with IPv6 support...), you are reasonably safe.
>
> And take care of having all daemons safe against buffer overflows and test
> CGIs and the whole blurb - you know that undoubtedly - IPv6 isn't a
> security issue in itself, of course.

I'll put up an IPv6 firewall some day, when I'm not loaded with other
projects :p

Kind regards,
Kristof

---------------------------------------------------------------------
The IPv6 Users Mailing List
Unsubscribe by sending "unsubscribe users" to [EMAIL PROTECTED]
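Wouter's advice to keep daemons off the IPv6 wildcard leaves the practical question of how to check which listeners on a host are actually reachable over IPv6. The script below is an added example, not code from this thread or from either poster: it parses `ss -lntu`-style output (the sample lines are constructed, not captured from any real host) and classifies each listener by the address family and scope it is bound to, so an administrator can see at a glance which services a globally routable IPv6 address would expose. One caveat worth keeping in mind: on Linux a socket bound to `::` with IPV6_V6ONLY left at its default of 0 also accepts IPv4 connections, so a single `[::]:22` line can be the only listener for both families.

```python
"""Audit ss(8)-style listener output for IPv6 exposure.

Added example for the mailing-list discussion above; not part of the
original thread. The sample output is constructed to cover the address
forms different ss versions print ('[::]:22', ':::80', '0.0.0.0:22').
"""
import ipaddress

# Constructed sample in the shape of `ss -lntu` on a Linux host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0      128    [::]:22              [::]:*
tcp   LISTEN 0      128    127.0.0.1:25         0.0.0.0:*
tcp   LISTEN 0      128    :::80                :::*
tcp   LISTEN 0      128    [2001:db8::10]:8080  [::]:*
tcp   LISTEN 0      128    [fe80::1]:546        [::]:*
udp   UNCONN 0      0      0.0.0.0:123          0.0.0.0:*
"""

# Classifications that mean "reachable from outside the host over IPv6".
EXPOSED_OVER_IPV6 = ("ipv6-wildcard", "ipv6-unicast", "wildcard-unknown-family")


def split_local(field):
    """Split an ss 'Local Address:Port' field into (address, port).

    Handles the bracketed form '[::]:22', the old bare form ':::80'
    (IPv6 wildcard printed without brackets) and IPv4 '0.0.0.0:22'.
    """
    if field.startswith("["):
        addr, _, port = field[1:].partition("]:")
        return addr, port
    addr, _, port = field.rpartition(":")
    return addr, port


def classify(addr):
    """Describe how a listener bound to addr can be reached."""
    if addr == "*":
        # Older ss prints '*' for a wildcard without telling the family;
        # treat it as potentially IPv6-reachable until checked by hand.
        return "wildcard-unknown-family"
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4-only"
    if ip.is_unspecified:
        # '::' -- every IPv6 address on the host, and IPv4 too when
        # IPV6_V6ONLY is 0 (the Linux default).
        return "ipv6-wildcard"
    if ip.is_loopback:
        return "ipv6-loopback"
    if ip.is_link_local:
        # fe80::/10 -- reachable only from the same link, never routed.
        return "ipv6-link-local"
    return "ipv6-unicast"


def audit(ss_output):
    """Parse ss-style text; return [(proto, address, port, classification), ...]."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 6:
            continue
        proto, local = parts[0], parts[4]
        addr, port = split_local(local)
        findings.append((proto, addr, port, classify(addr)))
    return findings


def ipv6_reachable(ss_output):
    """Return only the listeners a routable IPv6 address would expose."""
    return [f for f in audit(ss_output) if f[3] in EXPOSED_OVER_IPV6]


if __name__ == "__main__":
    for proto, addr, port, kind in audit(SAMPLE_SS_OUTPUT):
        flag = "EXPOSED" if kind in EXPOSED_OVER_IPV6 else "ok"
        print(f"{flag:8} {proto:4} {addr:>16} :{port:<6} {kind}")
```

To run it against a live host, replace `SAMPLE_SS_OUTPUT` with the captured output of `ss -lntu`; anything flagged `ipv6-wildcard` or `ipv6-unicast` is a daemon that Wouter's advice says should be rebound to a specific IPv4 address or filtered.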
