[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"
torh-ipv6hackers at bogus.net
Mon Sep 3 13:27:17 CEST 2012
Looks like I failed to set my To:, so my previous attempt at posting may
have been been caught by the list's filter. This is therefore a slightly
modified edition of that post. I feel it's important enough to warrant a
comment, as there has been numerous posts here on countermeasures on the LAN
side (DHCP Guard, RA Guard).
Pardon me if the thread has covered this by now, but deploying IPv6
involves more than securing the clients from each other, although
certainly it is a nice (and necessary) feature to have (if it works).
Network monitoring (using NetFlow) is a personal bugbear for me. Where
support exists for IPv4, some vendors' models that purportedly are "fully
dual stack" may (often) lack NetFlow support for IPv6; this is especially
true for LAN equipment.
So, by enabling IPv6 one could possibly lose IPv6 visibility in ones network
unless either the switch (or supervisor module) was upgraded (or additional
flow generating equipment is installed); enabling v6 therefore becomes a
slightly more expensive option than perhaps originally thought.
(Experience has thus far told us that answers to questions about whether or
not equipment has "dual stack support" often are incomplete.)
Just my 2c.
More information about the Ipv6hackers