-----Original Message----- From: Frank Wiles
On Fri, 19 Nov 2004 16:09:28 -0600 "Brian Densmore" [email protected] wrote:
I can agree with the geek factor :)
Yes, IPv6 does have some tighter security with regard to spoofing addresses, but based on how I imagine you're set up it won't help you.
For example, say you have a box firewall.domain.com that is your firewall and two internal boxes secret1.domain.com and secret2.domain.com. Both secret1 and secret2 are probably configured to allow certain outside access from the firewall to them, probably SSH. While IPv6 will keep a cracker from faking secret2's IP to secret1, there is no need. He already has control of firewall.domain.com and doesn't need to do any spoofing.
Well actually, I took that into account and disallow ssh from the firewall. So neither box is accessible once I connect to the firewall. So while I can ssh from secret1 to secret2 and then from secret2 to firewall, firewall can't connect to either secret1 or secret2. This makes for the minor inconvenience of not being able to pull files from my LAN from work, but it provides a little peace of mind. On that track, I'd also like to deny firewall access to the local intranet. Now I'm not sure that is possible, since the firewall is also the gateway and passes traffic out over the same ports I want to prevent the firewall user from accessing on the intranet.
If all else is pointless then I'll have to just do it for geek points. ;')
Brian
On Fri, 19 Nov 2004 16:33:15 -0600, Brian Densmore [email protected] wrote:
If all else is pointless then I'll have to just do it for geek points. ;')
I believe the TINC VPN system can route ip6 packets, so you can spread your private ip6 network where you like.