
Re: Test Debian : IPv6 pitfalls ?



On Mon, 6 Oct 2008 at 8:21, Franklin PIAT wrote:
> > It's something you may not have power on (if your netadmin or ISP
> > decides to enable IPv6, it's their choice, not yours. You can
> > *disable* it but, it's enabled by default anyway (thankfully))
> 
> In my mind "enabling IPv6" includes ISP and router reconfiguration.
> 
> So the "risk" questions are :
> - Can a service become unavailable because of IPv6 ? (including
>   side-effects, or remote sites that have broken IPv6 configuration,
>   causing unavailability).
> - How long and how difficult is it to recover the situation ?
> - Network security (no NAT, so inner systems are exposed by default)

In the past I found on many systems that the user (admin(?)) did have a
proper ipv4 iptables set with strict settings but had ipv6 enabled
(because the distribution comes with ipv6 enabled), which is world open.
All services by default are listening on ipv6 too.

Sure, that is an incompetent admin. But keep in mind that most of them are
that incompetent. (Sorry for telling it that clearly.)

So it IS a security problem having ipv6 enabled by default. And it is a
big security issue!

But even if you are aware of the ipv6 problem, it takes time to disable
it. I think that the people who really want to use ipv6 are (and
should be) competent enough to enable and configure it properly.

> The second point is especially true for people that do simple web/mail
> hosting. Messing-up DNS can take time to recover.

Yes. And there are still applications which cannot handle the wide IPs
from ipv6.

> Anybody aware of bad end-user IPv6 experience ?

There are many!! In fact I only know one person who knows enough about
ipv6 and the pitfalls to use it.

> Anybody feels like improving IPv6 wiki page[1] to explain those pitfalls
> (if any) ?

Better to explain the points which are not pitfalls. This list might be
smaller. :-)

Regards
   Klaus Ethgen
-- 
Klaus Ethgen                            http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B
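The situation described in the message above (a strict IPv4 iptables set, no IPv6 rules, services listening on IPv6 by default) can be checked for mechanically. The following is an added example, not part of the original thread: the dumps are constructed samples and the function names are hypothetical.

```python
import re
# Constructed samples in the formats of `iptables-save`, `ip6tables-save`, `ss -H -ltn`.
V4_SAVE = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
V6_SAVE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""
SS_OUT = """LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 [::]:25 [::]:*
LISTEN 0 5 [::1]:631 [::]:*
"""

def input_filter(save_text):
    """(default policy, rule count) of filter/INPUT; an empty dump means ACCEPT."""
    policy, rules, table = "ACCEPT", 0, None
    for line in save_text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif table == "filter" and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif table == "filter" and line.startswith("-A INPUT "):
            rules += 1
    return policy, rules

def v6_listeners(ss_text):
    """Ports of TCP listeners on a non-loopback IPv6 address (`*` = dual-stack)."""
    ports = set()
    for line in ss_text.splitlines():
        m = re.match(r"LISTEN\s+\d+\s+\d+\s+(\[[^\]]*\]|\*):(\d+)\s", line)
        if m and m.group(1) != "[::1]":
            ports.add(int(m.group(2)))
    return sorted(ports)

def unfiltered_v6_ports(v4_save, v6_save, ss_text):
    """IPv6 listeners exposed while IPv4 is filtered and IPv6 is not."""
    v6_open = input_filter(v6_save) == ("ACCEPT", 0)
    v4_filtered = input_filter(v4_save) != ("ACCEPT", 0)
    return v6_listeners(ss_text) if v4_filtered and v6_open else []

print(unfiltered_v6_ports(V4_SAVE, V6_SAVE, SS_OUT))
```

On a real host, pass in the output of `iptables-save`, `ip6tables-save` and `ss -H -ltn`, all run as root; any port returned is reachable over IPv6 with no filter rule in front of it.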

