On Fri, 19 Nov 2004 16:09:28 -0600 "Brian Densmore" [email protected] wrote:
Correct me if I'm wrong, but doesn't ipv6 make it very difficult to spoof addresses? Isn't ipv6 more secure than ipv4? I thought there were lots of things you could do with ipv6 that would make it harder to break into a box. The reason I was considering ipv6 is I'd like to add a layer of protection between the LAN and the firewall box. If someone cracks the firewall, it'd be nice to have a fallback measure to prevent the intruder from taking over my other boxes.
Plus of course the geek factor in having my own ipv6 network. And it'd be something else to play with.
I can agree with the geek factor :)
Yes, IPv6 does have some tighter security with regard to spoofing addresses, but based on how I imagine you're set up it won't help you.
For example, say you have a box firewall.domain.com that is your firewall and two internal boxes secret1.domain.com and secret2.domain.com. Both secret1 and secret2 are probably configured to allow certain outside access from the firewall to them, probably SSH. While IPv6 will keep a cracker from faking secret2's IP to secret1, there is no need. He already has control of firewall.domain.com and doesn't need to do any spoofing.
I would wager you're more likely to have a problem with spoofing an address outside your network than within, unless there is something specific about your internal setup you haven't shared.
---------------------------------
Frank Wiles [email protected]
http://www.wiles.org
---------------------------------