I can also verify that I used ipv6 to get the cert with he.net (with them as the tunnel broker) for whatever that's worth.
-- Matthew Thode

On Tue, Feb 15, 2011 at 07:17, Tom Hendrikx <t...@whyscream.net> wrote:
> On 15/02/11 12:53, Ed W wrote:
> >
> >>> Tests done by a colleague show that, right now, the amount of inbound
> >>> ipv6 traffic on his systems is none but I can perfectly understand your
> >>> concerns even if they should apply only to the network stack itself, as
> >>> the daemons listening to v6 should be the same that listen to v4, once
> >>> configured for dual stack.
> >>>
> >>> Anyway, ipv6 has a chance to become relevant by the end of the year as
> >>> China and India (among others) won't have quite enough v4 addresses in
> >>> stock to support the growth of their networks.
> >> This is precisely the point. While on the one hand, it has little
> >> current use and does potentially increase attack vectors, on the other
> >> hand, ipv4 is depleted and ipv6 is on the horizon.
> >>
> >> I looked at gentoo bugs for ipv6 and didn't find anything serious. I'm
> >> still leaning towards unmasking it.
> >>
> >
> > It's the whole catch 22 that there isn't any traffic because it's not
> > deployed and not deployed because there is no one to talk to...
> >
> > I think we all have to transition to ipv6 quite quickly so the only
> > sensible option is to bite the bullet and enable it. I have it enabled
> > on all my hardened servers...
> >
> > I would have thought the sensible rollout strategy for organisations is
> > to start gently with internal only deployments to get experience and
> > gradually incorporate the rest of the internet as it becomes more
> > common. Hopefully in this way most problems will be limited to internal
> > only at first...
> >
>
> I am running 2 boxen with hardened gentoo with ipv6 enabled (one native,
> one through a tunnel broker). I've seen no issues with ipv6 during
> deployment or while running services.
>
> A third box is ipv4 only, but was expected to get ipv6 connectivity
> quite soon after deployment. I disabled ipv6 USE flag and recompiled
> all affected packages some time after deployment. The only reason to do
> this was that logs were 'flooded' because applications tried to load the
> net-pf-10 kernel module. There probably is a more elegant way to fix
> that minor issue. I did not test a setup where the ipv6 kernel stuff is
> enabled/loaded when connectivity is not available (other than in
> localhost).
>
> --
> Tom