We're preparing to deploy IPv6 on our network. I'm trying to properly secure my CentOS servers. Up till now I have successfully managed to disable dynamically assigned IPv6 addresses. I'd like to disable the link-local address (fe80::.../64) from the interface and keep only the global one. My Google-fu failed me miserably. The obvious workaround would be to drop all traffic (except ICMPv6) with ip6tables, but I'd rather have the OS not listen on that address. Or the sweetmotherofgodugly option - hack the /etc/init.d/network script to disable the link-local address after every 'service network restart'.
DAE anybody have any experience with securing IPv6-enabled boxen? Or am I maybe barking up the wrong tree?