On 02/19/2011 12:02 PM, Anthony G. Basile wrote:
> On 02/15/2011 02:12 PM, Chris Frederick wrote:
>> Hi everyone,
>>
>> I'll chime in on this one. I want to clarify what is being asked, and add my two cents.
>
> Okay, I don't think there was a consensus on this issue, so I'm sure to
> make someone unhappy. I think for now, we'll leave the status quo, i.e.,
> ipv6 off by default.
>
> If it had been a question of whether or not ipv6 would be included in
> hardened, then the issue would have been obvious. We must have ipv6.
> But the question was, do we enable or disable it *by default*. Those
> that wish can always switch it on so nothing is ultimately lost.
>
> The question came up because of the latest news about ipv4 address space
> being depleted, so we know ipv6 is coming. When ipv6 use becomes
> significant, we'll revisit the issue.
>
> (And please don't ask me what significant means! I'm not even sure myself :)
>

How about we shoot for World IPv6 Day? [1] Since everyone else will be
doing their test runs that day I think we should, too.

Additionally, amongst all the shouting of insecurity, the potential for
the improved security offered by IPv6 has been ignored, such as IPsec.
[2] The specification for 'link-local' (fe80::/16) pretty much behaves
in the same manner as 192.168.0.0/16 and 10.0.0.0/8 because of its built
in Hop Limit restriction and requirement that routers never forward an
fe80::/16 packet. [3] Additionally, the potential for improved
performance through jumbograms [4] and PMTU Discovery. [5] Not to
mention reduced hardware requirements to calculate checksums, which are
no longer necessary.

As some have pointed out, all that's really required to disable IPv6
support is to just not include the IPv6 stack in the kernel. Somebody
accidentally including it is unlikely for business production, so I
don't understand the concern there. (And those who aren't so security
conscious probably aren't running servers anyway.) Additionally, the
greater percentage of people who have Internet access must still wait
for the support to come or have to specifically request IPv6 support.
(My ISP, Verizon, has only now really begun working on offering IPv6 and
they say it'll take 18 months to implement.) Finally, the primary
Internet router must support IPv6. There's a lot of intentional setup
that goes into making IPv6 not only work but be viable on a network. A
simple flip of a USE flag isn't going to magically turn everything on
its ear and expose everyone to great risk.

Lastly, let's not forget the fact that a good portion of the stable
software packages available in the Portage tree, and run by a good
portion of the Gentoo user base, already incorporate IPv6 support with
no means other than less than trivial modifications of the source code
to disable it. (e.g., PostgreSQL, Apache and Firefox) Optional support
of IPv6 is rapidly disappearing from the tree as it is anyway. We might
as well expect it to come regardless of our wishes for a different time
frame. Indeed, it is here already in some of the more important and
popular packages.

Sincerely,
Mr. Aaron W. Swenson

[1] http://isoc.org/wp/worldipv6day/
[2] http://tools.ietf.org/html/rfc2460
[3] http://tools.ietf.org/html/rfc4291#section-2.5.6
[4] http://tools.ietf.org/html/rfc2675
[5] http://tools.ietf.org/html/rfc1981