Here is a very interesting article regarding security issues with IPv6. http://www.networkworld.com/news/2009/071309-ipv6-network-threat.html
I would really like to hear from those who have some IPv6 insight on this.
I read this article today in my print copy of NW. My first thought after reading it was, "Did no one think about this before now?"
Good eye Jared. Hope to see more discussion on this.
There seems to be a lot of IPv6 scare stuff going around recently. I've run it on my home network since mid-2007 using a free tunnel from Hurricane Electric. It has worked great. Just realize that an IPv6 subnet does not hide behind a NAT.
Having IPv6-enabled hosts on a network is not a big deal. Those hosts get automatic IPv6 link local addresses (fe80:....). Those are unroutable by definition. Your routers, firewalls, and ISP connection won't magically start routing IPv6. So you have an additional non-routed protocol running on your network. Some of these writers are suggesting that provides a pathway for spyware or "hidden" traffic within your LAN. But it's no different than running a different non-routed protocol like IPX or AppleTalk.
One of these articles suggested that a rogue host could provide an IPv6 tunnel and send out router advertisements, causing the IPv6-enabled hosts to generate automatic IPv6 addresses and route traffic through that host. That's a concern, but if unknown tunnelling protocols are being allowed out the firewall, then you have a more fundamental problem to address first. An attacker could probably pull off something very similar on IPv4 using an IPsec tunnel and spoofed DHCP.
This is a nice article. I was speaking with a friend of mine about this over lunch yesterday, and while I definitely think it brings up some interesting concerns about the protocol, I don't think it will raise many eyebrows in the U.S. since most IPv6 is being tunneled anyway. This might catch more people overseas by surprise. I know for a fact that my cable provider does not support DOCSIS 3.0 and there is no talk about it being implemented in the near future.
One thing I have learned early on in networking is that nothing is perfect and the same holds true with IPv6 and other protocols that will interoperate with it.
The driving force behind DOCSIS 3.0 seems to be the channel bonding (more bandwidth). We will probably only see it in markets where the cable company is competing with fiber to the home. At least for a while. I'm not expecting it anytime soon in my local market.
I thought the same as you... if you are not running dual stack then is it really that big a deal? Until the tunneling issue came up, it was not much of a concern to me. Now you make a very good point as far as allowing tunneling protocols outside your firewall.... I mean really, even SSH and SSL could be viewed as tunnels that can be used for malicious purposes.
But, I do like the idea that if you don't use it, turn it off. Why have IPv6 flooding the network with extra traffic that does not have a productive purpose?
Time to open this discussion up again...
Did anyone watch the CCNP TV cast about IPv6? https://learningnetwork.cisco.com/docs/DOC-5264
It was mentioned that workstations running both stacks could be used as an end point of a tunnel.... I am trying to understand how or why that would be a big deal if the gateway is not running dual stack.
Any takers out there?
Can you try posting this question in the CCNP R&S study group? Keith is the group leader and he did the IPv6 presentation, so maybe he would have something about this.
The only thing I can come up with is that you have two hosts running IPv6 and you wanted to configure an ISATAP tunnel between them.
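
Added example, not part of the original thread: a small audit helper for the distinction drawn in the posts above between harmless link-local addresses (fe80::/10) and addresses that imply a router advertisement or a tunnel (ISATAP, 6to4, Teredo). The function names and sample addresses are constructed (documentation ranges), and treating anything beyond link-local as worth a look assumes a network where IPv6 has not been deliberately deployed.

```python
import ipaddress

# Well-known ranges: link-local (RFC 4291), 6to4 (RFC 3056), Teredo (RFC 4380).
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
SIXTO4 = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

def classify(addr):
    """Return (label, embedded IPv4 or None) for one IPv6 address string."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop a zone id such as %eth0
    iid = int(ip) & 0xFFFFFFFFFFFFFFFF               # low 64 bits: interface identifier
    # ISATAP identifiers are 0000:5efe or 0200:5efe followed by the host's
    # IPv4 address (RFC 5214). Checked first: they also occur under fe80::/10.
    if (iid >> 32) in (0x00005EFE, 0x02005EFE):
        return "isatap", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    if ip in LINK_LOCAL:
        return "link-local", None
    if ip in SIXTO4:
        return "6to4", str(ip.sixtofour)             # IPv4 of the 6to4 gateway
    if ip in TEREDO:
        _server, client = ip.teredo                  # client IPv4 is stored inverted
        return "teredo", str(client)
    if ip in UNIQUE_LOCAL:
        return "unique-local", None
    if ip in GLOBAL_UNICAST:
        return "global-unicast", None
    return "other", None

def audit(addresses):
    """Return (address, label, ipv4) for every address that is not plain link-local."""
    findings = []
    for a in addresses:
        label, v4 = classify(a)
        if label != "link-local":
            findings.append((a, label, v4))
    return findings

# Constructed sample: addresses as they might appear in a host inventory export.
SAMPLE = [
    "fe80::21a:2bff:fe3c:4d5e%eth0",     # ordinary autoconfigured link-local
    "fe80::5efe:192.0.2.10",             # ISATAP interface
    "2002:c000:201::1",                  # 6to4
    "2001:0:c000:201::34ff:8efa",        # Teredo
    "2001:db8:1:1:21a:2bff:fe3c:4d5e",   # prefix learned from a router advertisement
]

if __name__ == "__main__":
    for addr, label, v4 in audit(SAMPLE):
        print(f"{addr:34} {label:15} {v4 or ''}")
```

A routable prefix on a host in a network that has no IPv6 router is the observable sign of the rogue router advertisement scenario discussed above; the tunnel labels correspond to the tunnelling protocols the firewall would have to let out.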