On 02/15/2011 10:52 AM, Alex Efros wrote:
> Hi!
>
> Quick Google and CVE searches show there have been more than enough
> vulnerabilities in the IPv6 stack implementations of all OSes (including
> Linux). And, as we all know, most vulnerabilities are only found after a
> product becomes popular and widely used, which hasn't happened to IPv6 yet.
>
> Keeping this in mind, I think it makes sense to avoid enabling IPv6 by
> default on hardened until IPv6 has been widely used/tested/hacked on
> non-hardened systems for some time, or until it becomes a critical feature
> required for normal operation on most servers.
>
> This logic is the same as for separating the ~x86 and x86 profiles - the
> hardened profile shouldn't be used to test (for now) useless and
> potentially vulnerable features.
>
>
> P.S. BTW, enabling the "ipv6" USE flag isn't enough. Using dual-stack on a
> secure server also means doubling nearly all network configuration,
> including the firewall setup. And while it's well known how to securely
> set up networking for IPv4, it still isn't clear how to do the same for
> IPv6 - both because IPv6 is much more complex and feature-rich, and because
> there isn't much information/howto material available for IPv6 right now.
> So, I think it makes sense to prepare some documentation about IPv6-related
> configuration on the Gentoo site and notify users about it through the
> `eselect news` mechanism before enabling the "ipv6" USE flag by default in
> any profile.
>

I tend to agree; it's not like ipv6 is disabled, it's just off by
default. My biggest concern, however, is for the people who run apache,
postfix, dovecot, etc. with the equivalent of

listen = *

who will suddenly be listening on ipv6 addresses (and possibly not know
it) after a recompile. Are all these ipv6-listening services secure? Who
knows, because no one's using them.

The default unconfigured state is probably safe from the network, but I
wouldn't be able to say for sure unless I spent a couple of weeks
bringing myself up to speed on ipv6.
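A quick way to check for the situation the reply describes, a service with a "listen = *" style setting quietly picking up IPv6 sockets after a rebuild, is to audit the listening sockets for IPv6 bindings reachable from the network. The script below is an added example, not from the thread; it parses `netstat -tuln` output and works on a constructed sample so it runs without the tool.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): list IPv6 sockets that
# are listening on network-reachable addresses. Feed it `netstat -tuln`
# output; the sample below is constructed, not taken from a real host.

# Constructed sample of `netstat -tuln` output.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::143                  :::*                    LISTEN
tcp6       0      0 ::1:3306                :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp6       0      0 :::123                  :::*'

# Read netstat output on stdin and print "proto address port" for every
# IPv6 socket bound to a non-loopback address. A socket on "::" accepts
# connections from any IPv6 address (and, with the Linux default
# net.ipv6.bindv6only=0, IPv4 as well); ::1 is loopback only and skipped.
ipv6_network_listeners() {
    awk '$1 == "tcp6" || $1 == "udp6" {
        la = $4                                   # Local Address:Port column
        n = split(la, f, ":")
        port = f[n]                               # text after the last colon
        addr = substr(la, 1, length(la) - length(port) - 1)
        if (addr == "::1") next                   # loopback, not reachable remotely
        print $1, addr, port
    }'
}

# Number of such sockets in the sample; anything non-zero on a host whose
# firewall only covers IPv4 is exactly the gap the message points out.
count_ipv6_network_listeners() {
    printf '%s\n' "$SAMPLE" | ipv6_network_listeners | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | ipv6_network_listeners
```

On a live host replace the sample with `netstat -tuln | ipv6_network_listeners` and compare the result against the ip6tables rule set.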