Comment 44 for bug 176125

Malte S. Stretz (mss) wrote :

I currently only administer a bunch of small/medium networks (up to 50 machines) and frankly I currently reject/disable any IPv6 on those networks (makes my life easier since I don't have the time to check if all devices have proper IPv6 security). But from experiences at previous jobs I pretend to have at least some experience with large(r) networks :)

Anyway, as I see it you've got some classes of problems and at neither I see that disabled Privacy Extensions help much security/logging wise:

* First of all, you've probably got some Windows machines and for those you've got to find a way to ensure that PE are disabled anyway. Any device accessible by these machines has to be protected in a PE-sensitive way.

* Second, as it was pointed out in comment 40, you let students and colleagues with their own machines into your network. You can't enforce anything on those machines and have to shield them from the rest of the network with a (hopefully properly IPv6 capable) firewall anyway.

* The same is true for machines run by other departments. You can't really control what they are doing on their internal networks, if they use PE or not, use DHCP or even static addresses. Only their access to somewhere else and you should have some proper firewalls betweens these networks.

* You talk about oldish devices on your net. Many of these probably do not even support IPv6 properly (plus, *if* they do not require a user login *and* support the logging you require); even if they do and they are that sensitive, put a firewall in front of them (will probably cost less than 10% those machines are/were worth).

That said, if you let people with their own (malicious) machines into your network, relying on security/compliance by logging IP addresses (even MAC addresses FWIW) they can chose as they like, is a folly. Security based on IP addresses was a bad idea with IPv4 and still is with IPv6.

That's why I don't think this whole "enterprise" argument is valid, no matter how big your networks are (well, except for some funny enterprisey parts of ISO27001).

Anyway, I guess best idea would be if some (recognised) IPv6 expert spoke up on this topic.