| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA256 |
| 3 |
|
| 4 |
On 02/19/2011 12:02 PM, Anthony G. Basile wrote: |
| 5 |
> On 02/15/2011 02:12 PM, Chris Frederick wrote: |
| 6 |
>> Hi everyone, |
| 7 |
>> |
| 8 |
>> I'll chime in on this one. I want to clarify what is being asked, and add my two cents. |
| 9 |
> |
| 10 |
> Okay, I don't think there was a consensus on this issue, so I'm sure to |
| 11 |
> make someone unhappy. I think for now, we'll leave the status quo, ie |
| 12 |
> ipv6 off by default. |
| 13 |
> |
| 14 |
> If it had been a question of whether or not ipv6 would be included in |
| 15 |
> hardened, then the issue would have been obvious. We must have ipv6. |
| 16 |
> But the question was, do we enable or disable it *by default*. Those |
| 17 |
> that wish can always switch it on so nothing is ultimately lost. |
| 18 |
> |
| 19 |
> The question came up because of the latest news about ipv4 address space |
| 20 |
> being depleted, so we know ipv6 is coming. When ipv6 use becomes |
| 21 |
> significant, we'll revisit the issue. |
| 22 |
> |
| 23 |
> (And please don't ask me what significant mean! I'm not even sure myself :) |
| 24 |
> |
| 25 |
|
| 26 |
How about we shoot for World IPv6 Day? [1] Since everyone else will be |
| 27 |
doing their test runs that day I think we should, too. |
| 28 |
|
| 29 |
Additionally, amongst all the shouting of insecurity, the potential for |
| 30 |
the improved security offered by IPv6 has been ignored, such as IPsec. |
| 31 |
[2] The specification for 'link-local' (fe80::/16) pretty much behaves |
| 32 |
in the same manner as 192.168.0.0/16 and 10.0.0.0/8 because of its built |
| 33 |
in Hop Limit restriction and requirement that routers never forward an |
| 34 |
fe80::/16 packet. [3] Additionally, the potential for improved |
| 35 |
performance through jumbograms [4] and PMTU Discovery. [5] Not to |
| 36 |
mention reduced hardware requirements to calculate checksums, which are |
| 37 |
no longer necessary. |
| 38 |
|
| 39 |
As some have pointed out, all that's really required to disable IPv6 |
| 40 |
support is to just not include the IPv6 stack in the kernel. Somebody |
| 41 |
accidentally including it is unlikely for business production, so I |
| 42 |
don't understand the concern there. (And those who aren't so security |
| 43 |
conscious probably aren't running servers anyway.) Additionally, the |
| 44 |
greater percentage of people who have Internet access must still wait |
| 45 |
for the support to come or have to specifically request IPv6 support. |
| 46 |
(My ISP, Verizon, has only now really begun working on offering IPv6 and |
| 47 |
they say it'll take 18 months to implement.) Finally, the primary |
| 48 |
Internet router must support IPv6. There's a lot of intentional setup |
| 49 |
that goes into making IPv6 not only work but be viable on a network. A |
| 50 |
simple flip of a USE flag isn't going to magically turn everything on |
| 51 |
its ear and expose everyone to great risk. |
| 52 |
|
| 53 |
Lastly, let's not forget the fact that a good portion of the stable |
| 54 |
software packages available in the Portage tree, and run by a good |
| 55 |
portion of the Gentoo user base, already incorporate IPv6 support with |
| 56 |
no means other than less than trivial modifications of the source code |
| 57 |
to disable it. (e.g., PostgreSQL, Apache and Firefox) Optional support |
| 58 |
of IPv6 is rapidly disappearing from the tree as it is anyway. We might |
| 59 |
as well expect it to come regardless of our wishes for a different time |
| 60 |
frame. Indeed, it is here already in some of the more important and |
| 61 |
popular packages. |
| 62 |
|
| 63 |
Sincerely, |
| 64 |
Mr. Aaron W. Swenson |
| 65 |
|
| 66 |
[1] http://isoc.org/wp/worldipv6day/ |
| 67 |
[2] http://tools.ietf.org/html/rfc2460 |
| 68 |
[3] http://tools.ietf.org/html/rfc4291#section-2.5.6 |
| 69 |
[4] http://tools.ietf.org/html/rfc2675 |
| 70 |
[5] http://tools.ietf.org/html/rfc1981 |
| 71 |
-----BEGIN PGP SIGNATURE----- |
| 72 |
Version: GnuPG v2.0.16 (GNU/Linux) |
| 73 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ |
| 74 |
|
| 75 |
iF4EAREIAAYFAk1hsGUACgkQCOhwUhu5AEmiIgD+Nx1EGin9Xdej0ELMue7Jwqg9 |
| 76 |
H47cjKCGZnbI3dQmmP8A/jEp9q313ESxEk0cuo1WwfkJDoi4h6lbi4aKwpcq8LRx |
| 77 |
=NxgI |
| 78 |
-----END PGP SIGNATURE----- |
Archives