ipv6

Frank Wiles frank at wiles.org
Fri Nov 19 16:18:23 CST 2004


On Fri, 19 Nov 2004 16:09:28 -0600
"Brian Densmore" <DensmoreB at ctbsonline.com> wrote:

> Correct me if I'm wrong, but doesn't ipv6 make it very difficult to
> spoof addresses? Isn't ipv6 more secure than ipv4? I thought there 
> were lots of things you could do with ipv6 that would make it harder
> to break into a box. The reason I was considering ipv6 is I'd like
> to add a layer of protection between the LAN and the firewall box. 
> If someone cracks the firewall, it'd be nice to have a fallback
> measure to prevent the intruder from taking over my other boxes.
> 
> Plus of course the geek factor in having my own ipv6 network. And
> it'd be something else to play with.

  I can agree with the geek factor :) 

  Yes, IPv6 does have some tighter security with regard to spoofing
  addresses, but based on how I imagine you're set up it won't help
  you. 

  For example, say you have a box firewall.domain.com that is your
  firewall and two internal boxes secret1.domain.com and
  secret2.domain.com.  Both secret1 and secret2 are probably
  configured to allow certain outside access from the firewall to
  them, probably SSH.  While IPv6 will keep a cracker from faking
  secret2's IP to secret1, there is no need.  He already has control
  of firewall.domain.com and doesn't need to do any spoofing. 

  I would wager you're more likely to have a problem with spoofing
  an address outside your network than within, unless there is something
  specific about your internal setup you haven't shared. 

 ---------------------------------
   Frank Wiles <frank at wiles.org>
   http://www.wiles.org
 ---------------------------------



