Ipv6 for the content provider

Mon Jan 31 17:38:55 UTC 2011

-------- Original Message  --------
Subject: Re: Ipv6 for the content provider
From: Valdis.Kletnieks at vt.edu
To: Charles N Wyble <charles at knownelement.com>
Cc: nanog at nanog.org
Date: Wednesday, January 26, 2011 4:09:07 PM
> On Wed, 26 Jan 2011 13:56:05 PST, Charles N Wyble said:
>
>>> The only issue I've faced is RHEL/CentOS doesn't have stateful connection
>>> tracking for IPv6 - so ip6tables is practically worthless.
>>
>> Hmmmm. Interesting. I wonder if this is specific to the RedHat kernel?
>> Or a problem with v6 support on Linux in general?
> (Linux kernels are trying to stick to a release-every-3-months schedule).
>
> RHEL/CentOS 5 is using a 2.6.18 kernel.  The needed support for stateful IPv6
> landed in 2.6.21 or so (so almost a year after RHEL 5 did its feature freeze).
> RHEL 6 is apparently a 2.6.32 kernel so it should be there. Cutting edge kernel
> is currently 2.6.38-rc2.
>
>

I was under the impression that the later versions of 5 (e.g. 5.5, 5.6)
had backported stateful connection tracking. Has anyone tested recently?

We mainly use IPtables on end-servers to limit access to a few key
applications (like SSH) to trusted subnets, the rest of the applications
(SMTP, IMAP, HTTP, etc) are initiated from outside sources so there's no
state to being with. In these setups stateful tracking is not a must,
but I would still like to have it in case a rogue listener/service is
started.

We have many RH5 servers deployed, and moving to 6 for this feature
alone seems a little much. What I would really like to see is better DoS
protection in the form of tracking total number of connections (per host
and per application) and new connection rate limits (per host and
globally to an application). The last time I tested these features via
the optional module, the module was not configurable to the scale we
needed nor was it reliable at smaller scales. Perhaps I will test both
of these again in RH5 and report back.