Gordon Messmer
2015-Jul-28 21:04 UTC
[CentOS] Fedora change that will probably affect RHEL
On 07/28/2015 01:46 PM, Chris Murphy wrote:
> Future concern is IPv6 stuff, now that Xfinity has forcibly changed
> their hardware to include full IPv6 support. I have no idea if this is
> NAT'd or rolling IPs or what.

All of the routers I've seen merely firewall inbound traffic, allowing none. There's no need for NAT or rolling IPs.
On Tue, Jul 28, 2015 at 3:04 PM, Gordon Messmer <gordon.messmer at gmail.com> wrote:
> On 07/28/2015 01:46 PM, Chris Murphy wrote:
>>
>> Future concern is IPv6 stuff, now that Xfinity has forcibly changed
>> their hardware to include full IPv6 support. I have no idea if this is
>> NAT'd or rolling IPs or what.
>
>
> All of the routers I've seen merely firewall inbound traffic, allowing none.
> There's no need for NAT or rolling IPs.

The whole idea of IPv6 is that, with proper authentication and encryption, we can access any device anywhere. So firewalling everything centrally would appear to break that.

--
Chris Murphy
Gordon Messmer
2015-Jul-28 21:51 UTC
[CentOS] Fedora change that will probably affect RHEL
On 07/28/2015 02:08 PM, Chris Murphy wrote:
> The whole idea of IPv6 is that, with proper authentication and
> encryption, we can access any device anywhere. So firewalling
> everything centrally would appear to break that.

I think you're assuming that IPv6 carries with it a policy, when it is merely the mechanism. In IPv6, everything should have a unique, routeable address. Whether you can reach an address will be subject to local policy in the future, just as it is now. And just as you cannot currently reach a device in a Comcast/Xfinity residential network under IPv4, you can't under the default IPv6 rules either. I would call that the principle of least surprise.

You can open inbound IPv6 traffic for specific hosts on the routers I've seen.
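The distinction Gordon draws (globally routable addresses with no NAT, but unsolicited inbound traffic dropped by local policy unless a specific host is opened) can be shown with a small stateful policy model. The Python below is an added illustration, not code from the thread or from any router firmware; the LAN prefix, the remote address and the four sample flows are constructed from the 2001:db8::/32 documentation range, and `EdgePolicy`, `Flow` and `open_inbound` are names invented for this example.

```python
"""Toy model of a residential IPv6 edge router's default policy.

Hosts keep globally unique, routable addresses and the router does no NAT.
Outbound connections are allowed and remembered; inbound packets are
accepted only as replies to those connections or when local policy has
explicitly opened a (host, protocol, port). Everything else is dropped.
All addresses below are constructed from the documentation prefix.
"""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network

LAN = IPv6Network("2001:db8:1234::/64")  # constructed delegated prefix


@dataclass(frozen=True)
class Flow:
    src: IPv6Address
    sport: int
    dst: IPv6Address
    dport: int
    proto: str = "tcp"


@dataclass
class EdgePolicy:
    lan: IPv6Network
    # explicit inbound exceptions set by local policy: (host, proto, port)
    allow_inbound: set = field(default_factory=set)
    # connection table keyed as (remote, rport, local, lport, proto)
    _state: set = field(default_factory=set, init=False, repr=False)

    def open_inbound(self, host: str, proto: str, port: int) -> None:
        """Open one host/port to unsolicited inbound traffic."""
        addr = IPv6Address(host)
        if addr not in self.lan:
            raise ValueError(f"{addr} is not inside {self.lan}")
        self.allow_inbound.add((addr, proto, port))

    def decide(self, flow: Flow) -> str:
        """Return ACCEPT or DROP for a single packet crossing the router."""
        src_inside = flow.src in self.lan
        dst_inside = flow.dst in self.lan
        if src_inside and not dst_inside:
            # Outbound: allow, and remember it so the reply can return.
            self._state.add((flow.dst, flow.dport, flow.src, flow.sport, flow.proto))
            return "ACCEPT"
        if dst_inside and not src_inside:
            if (flow.src, flow.sport, flow.dst, flow.dport, flow.proto) in self._state:
                return "ACCEPT"  # reply to a connection a LAN host initiated
            if (flow.dst, flow.proto, flow.dport) in self.allow_inbound:
                return "ACCEPT"  # explicitly opened by local policy
            return "DROP"  # default: unsolicited inbound is dropped
        return "DROP"  # LAN-to-LAN and transit traffic are not modelled here


def demo() -> dict:
    """Run four constructed flows through the policy and collect the verdicts."""
    policy = EdgePolicy(lan=LAN)
    policy.open_inbound("2001:db8:1234::22", "tcp", 22)  # one host opened for SSH
    remote = IPv6Address("2001:db8:ffff::1")             # constructed Internet host
    client = IPv6Address("2001:db8:1234::10")            # ordinary LAN host
    return {
        # LAN host connects out to a web server, then the server replies
        "outbound": policy.decide(Flow(client, 51000, remote, 443)),
        "reply": policy.decide(Flow(remote, 443, client, 51000)),
        # unsolicited SSH to a LAN host nobody opened
        "unsolicited": policy.decide(Flow(remote, 40000, client, 22)),
        # unsolicited SSH to the host local policy did open
        "opened": policy.decide(Flow(remote, 40001, IPv6Address("2001:db8:1234::22"), 22)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The model deliberately has no address translation anywhere: the "opened" host is reached at its own global address, which is the point of the thread. Real routers keep their connection table with timeouts and track protocol state, and ICMPv6 needs its own exceptions (neighbor discovery and path MTU discovery break if it is dropped wholesale); both are left out here to keep the policy logic readable.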