
IPv6 Default PIAF Setup

Discussion in 'Developers' Corner' started by Linetux, May 13, 2011.

  1. Linetux Guru

    For those of you who don't use or need IPv6 (not many of us do on our PBX yet), it's a good idea to turn it off.

    With some of the new builds, it's enabled by default.

    You're going to want to modify /etc/modprobe.conf and set the following options to turn it off for good:

    Code:
    alias ipv6 off
    options ipv6 disable=1
    
    (FYI, this was a change in CentOS 5.4 - the /etc/sysconfig/network "NETWORKING_IPV6 = no" setting doesn't do the trick anymore)

    Why bother? Well, for those of us in the security arena, you don't turn something on unless you need it. And as good of a job as Ward and everyone else who burns their time on this project do, there's always more you can do (and you can't/shouldn't expect them to do everything for you, anyway!)

    What can go wrong? Well, for one, if someone were to get onto your network, they could easily set up IPv6 'dhcp' and other services on your network. And the way IPv6 works, it would happily respond, then it would happily tunnel all your IPv4 traffic to the 'bad guy' on your LAN.

    Remote chance? Perhaps. But the more you know, the better prepared you are. Be safe out there... you're only a few milliseconds away from every bad guy on the internet...
  2. jroper Guru

    Hi

    On the other hand, rather than just turning it off, we ought to be learning how it works, and how to deploy it in our networks, including how to firewall it, and have Fail2ban / Ossec protect it. Especially as Asterisk 1.8 now supports IPv6.

    Once we have a world of IPV6, then NAT, in my opinion the single most frustrating thing about VoIP, goes away completely. NAT is evil.

    It's IPV6 day soon - http://isoc.org/wp/worldipv6day/ this may be a good time to start looking at this in more detail.

    Joe
  3. Linetux Guru

    I agree 100% with you in principle. Reality is, however, that IPv6 is a mess.

    Yes, it's sorely needed.

    But no, it's not ready. Consumer router support is at the fledgling state at the moment, and we all know what that means - big security bugs. You can go and get yourself an IPv6 block (they hand out class A's like they're candy), but try to use it with your run-of-the-mill provider... the vast majority don't even have the support staff trained enough to even know what IPv6 is!

    Even Asterisk support is spotty at best.

    There is a provision to encapsulate the entire IPv4 space in a small segment of an IPv6 address (which is the root of this problem). To me - right now - the best option is to turn it off. While it's all nice and good to think about what we should be doing, since there's really no way to do it right now, turn it down until the rest of the world is caught up.
  4. wardmundy Nerd Uno

    Great suggestion. I'd just as soon we not use the entire PIAF Community as the IPv6 black mollies. If you didn't know, most folks use these little (fresh water) fish to get the chemical reaction started in new salt-water aquariums. Most of the black mollies DIE! For those that want to test IPv6, you can obviously turn it back on (preferably) in your lab.
  5. wardmundy Nerd Uno

    Tom and I chatted about this, and he has done an enormous amount of work on IPv6 already for some customers. Rather than disabling this at the kernel level, what we've decided to do is disable all packets in ip6tables which manages IPv6.

    For those that want to experiment, you then can adjust your /etc/sysconfig/ip6tables rules accordingly. Then restart ip6tables: service ip6tables restart.

    This will become part of update-fixes shortly and also will be incorporated into all new installs via update-fixes which is now part of the initial install:


  6. jroper Guru

    Good move

    Joe
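
An added example, not part of the thread or of PIAF's update-fixes: a shell check for the two lock-downs discussed above, the /etc/modprobe.conf lines from the first post and a drop-everything /etc/sysconfig/ip6tables. The function names and the sample rule file are constructed for illustration; the thread does not show PIAF's actual ip6tables rules.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two IPv6 lock-downs it discusses.

# Exit 0 if FILE has both uncommented modprobe lines from the first post.
modprobe_disables_ipv6() {
    grep -Eq '^[[:space:]]*alias[[:space:]]+ipv6[[:space:]]+off[[:space:]]*$' "$1" &&
    grep -Eq '^[[:space:]]*options[[:space:]]+ipv6[[:space:]]+(.*[[:space:]])?disable=1([[:space:]]|$)' "$1"
}

# Exit 0 if the filter table in FILE (iptables-save format) sets INPUT, FORWARD
# and OUTPUT to policy DROP and holds no rule that jumps to ACCEPT.
ip6tables_drops_all() {
    awk '
        /^\*/ { in_filter = ($1 == "*filter") }
        !in_filter { next }
        /^:(INPUT|FORWARD|OUTPUT)[ \t]/ { if ($2 == "DROP") drop++; else bad = 1 }
        /^-[AI][ \t]/ && /-j[ \t]+ACCEPT/ { bad = 1 }
        END { exit !(drop == 3 && !bad) }
    ' "$1"
}

# Report both controls; exit 0 if at least one of them is in place.
ipv6_audit() {
    audit_rc=1
    if [ -r "$1" ] && modprobe_disables_ipv6 "$1"; then
        echo "module:   ipv6 disabled in $1"; audit_rc=0
    else
        echo "module:   ipv6 NOT disabled in $1"
    fi
    if [ -r "$2" ] && ip6tables_drops_all "$2"; then
        echo "firewall: $2 drops all IPv6 traffic"; audit_rc=0
    else
        echo "firewall: $2 does NOT drop all IPv6 traffic"
    fi
    return "$audit_rc"
}

# Constructed sample files (not copied from a PIAF install).
ipv6_audit_demo() {
    d=$(mktemp -d) || return 1
    printf 'alias ipv6 off\noptions ipv6 disable=1\n' > "$d/modprobe.conf"
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT DROP [0:0]\nCOMMIT\n' > "$d/ip6tables"
    ipv6_audit "$d/modprobe.conf" "$d/ip6tables"
    rm -rf "$d"
}
ipv6_audit_demo
```

On a real box, call `ipv6_audit /etc/modprobe.conf /etc/sysconfig/ip6tables`; a file holding only the old NETWORKING_IPV6 setting is reported as not disabled, matching the CentOS 5.4 note in the first post.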