-----Original Message----- From: Frank Wiles
On Fri, 19 Nov 2004 13:10:02 -0600 "Brian Densmore" [email protected] wrote:
I was wondering, would it be possible to run ipv6 on my local LAN? Could I run a mixed environment? That is to say have ipv6 on the LAN and have ipv6 and ipv4 on the firewall/gateway? Would ipv6 on the LAN provide the ability to further enhance security on my LAN PCs?
There is very little reason, from a security perspective, to move to IPv6 on a local LAN.
Correct me if I'm wrong, but doesn't ipv6 make it very difficult to spoof addresses? Isn't ipv6 more secure than ipv4? I thought there were lots of things you could do with ipv6 that would make it harder to break into a box. The reason I was considering ipv6 is I'd like to add a layer of protection between the LAN and the firewall box. If someone cracks the firewall, it'd be nice to have a fallback measure to prevent the intruder from taking over my other boxes.
Plus of course the geek factor in having my own ipv6 network. And it'd be something else to play with.
Brian D.
On Fri, 19 Nov 2004 16:09:28 -0600 "Brian Densmore" [email protected] wrote:
Correct me if I'm wrong, but doesn't ipv6 make it very difficult to spoof addresses? Isn't ipv6 more secure than ipv4? I thought there were lots of things you could do with ipv6 that would make it harder to break into a box. The reason I was considering ipv6 is I'd like to add a layer of protection between the LAN and the firewall box. If someone cracks the firewall, it'd be nice to have a fallback measure to prevent the intruder from taking over my other boxes.
Plus of course the geek factor in having my own ipv6 network. And it'd be something else to play with.
I can agree with the geek factor :)
Yes, IPv6 does have some tighter security with regard to spoofing addresses, but based on how I imagine you're set up, it won't help you.
For example, say you have a box firewall.domain.com that is your firewall and two internal boxes secret1.domain.com and secret2.domain.com. Both secret1 and secret2 are probably configured to allow certain outside access from the firewall to them, probably SSH. While IPv6 will keep a cracker from faking secret2's IP to secret1, there is no need. He already has control of firewall.domain.com and doesn't need to do any spoofing.
I would wager you're more likely to have a problem with spoofing an address outside your network than within, unless there is something specific about your internal setup you haven't shared.
--------------------------------- Frank Wiles [email protected] http://www.wiles.org ---------------------------------
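The trust argument in the message above, as an added example that is not part of the original thread: a small audit over constructed allow rules showing which internal hosts a controlled host can reach with its genuine address, and which are exposed only if a trusted address can be forged. The rule list, the `outside` host and the secret2-to-secret1 rule are assumptions, and an allow rule is treated as usable access (authentication is not modelled).

```python
from collections import deque

# Constructed allow rules (source host, destination host, service), modelled
# on the scenario in the message above. The secret2 -> secret1 rule is an
# assumption: the message only implies that secret1 trusts secret2's address.
ALLOW = [
    ("firewall", "secret1", "ssh"),
    ("firewall", "secret2", "ssh"),
    ("secret2", "secret1", "ssh"),
]


def reachable_without_spoofing(foothold, rules):
    """Hosts reachable hop by hop from `foothold` using only the genuine
    source address of each host already controlled."""
    seen, queue = {foothold}, deque([foothold])
    while queue:
        src = queue.popleft()
        for rule_src, dst, _service in rules:
            if rule_src == src and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {foothold}


def exposed_only_by_spoofing(foothold, rules):
    """Hosts that trust an address outside the controlled set. These are the
    only cases where source-address validation changes the outcome."""
    controlled = reachable_without_spoofing(foothold, rules) | {foothold}
    return {dst for src, dst, _service in rules
            if src not in controlled and dst not in controlled}


if __name__ == "__main__":
    for start in ("firewall", "outside"):
        print(start,
              "direct:", sorted(reachable_without_spoofing(start, ALLOW)),
              "needs spoofing:", sorted(exposed_only_by_spoofing(start, ALLOW)))
```

With `firewall` as the starting point the second set is empty, which is the case where anti-spoofing adds nothing; it is non-empty only for a host outside the trusted set.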
--- Brian Densmore [email protected] wrote:
-----Original Message----- From: Frank Wiles
There is very little reason, from a security perspective, to move to IPv6 on a local LAN.
Plus of course the geek factor in having my own ipv6 network. And it'd be something else to play with.
Oh well, if the geek factor is involved, implement it anyway, regardless of whether or not it improves security. :)
It sure can't hurt security.