Hi!

On Fri, Feb 11, 2011 at 06:10:52PM -0500, Anthony G. Basile wrote:
> >> I don't think there are any issues with it. The only argument I know of
> >> is that it increases the attack surface for a feature that 0% + epsilon
> >> of people use.
> > Tests done by a colleague show that, right now, the amount of inbound ipv6
> > traffic on his systems is none, but I can perfectly understand your concerns
> > even if they should apply only to the network stack itself, as the daemons
> This is precisely the point. While on the one hand, it has little
> current use and does potentially increase attack vectors, on the other
> hand, ipv4 is depleted and ipv6 is on the horizon.

Quick Google and CVE searches show there have been plenty of vulnerabilities
in the IPv6 stack implementations of all OSes (including Linux). And, as we all
know, most vulnerabilities are found only after a product becomes
popular and widely used, which hasn't happened to IPv6 yet.

Keeping this in mind, I think it makes sense to avoid enabling IPv6 by
default on hardened until IPv6 has been widely used/tested/hacked on
non-hardened systems for some time, or until it becomes a critical feature
required for normal operation on most servers.

This logic is the same as for separating the ~x86 and x86 profiles - the hardened
profile shouldn't be used to test (for now) useless and potentially
vulnerable features.


P.S. BTW, enabling the "ipv6" USE flag isn't enough. Using dual-stack on a
secure server also means doubling nearly all network configuration,
including firewall setup. And while it's well known how to securely set up a
network for IPv4, it still isn't clear how to do the same for IPv6 - both
because IPv6 is much more complex and feature-rich, and because there isn't
much information/howto available for IPv6 right now. So, I think it makes
sense to prepare some documentation about IPv6-related configuration on the
gentoo site and notify users via the `eselect news` mechanism about it before
enabling the "ipv6" USE flag by default in any profile.

--
WBR, Alex.
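As an added illustration of the "doubling the firewall setup" point in the P.S. (example script, not part of the mailing-list post or of any Gentoo documentation): the same base policy is emitted for iptables and ip6tables from one function so the two stacks cannot drift apart, and the ICMPv6 types IPv6 needs for neighbour discovery and path-MTU discovery are allowed explicitly, since the IPv4 habit of dropping most ICMP breaks IPv6 outright. Port 22 is an assumed sample service.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): emit a paired IPv4/IPv6
# ruleset so the two stacks stay in sync, and keep the ICMPv6 types that
# IPv6 cannot work without (Neighbour Discovery, PMTU). The SSH port is an
# assumed sample value.

# Rules shared by both stacks: $1 is the tool (iptables or ip6tables).
common_rules() {
    tool=$1
    cat <<EOF
$tool -P INPUT DROP
$tool -P FORWARD DROP
$tool -P OUTPUT ACCEPT
$tool -A INPUT -i lo -j ACCEPT
$tool -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$tool -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# IPv4-only extras: echo-request is optional on v4, nothing else is needed.
v4_rules() {
    common_rules iptables
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
}

# IPv6 extras: dropping ICMPv6 wholesale breaks address resolution and
# path-MTU discovery, so these types are allowed explicitly (see RFC 4890).
v6_rules() {
    common_rules ip6tables
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem neighbour-solicitation neighbour-advertisement \
             router-advertisement; do
        echo "ip6tables -A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done
}

# Sanity check: every non-ICMP rule present for v4 must exist for v6 too.
check_parity() {
    v4=$(v4_rules | grep -v icmp | sed 's/^iptables //' | sort)
    v6=$(v6_rules | grep -v icmp | sed 's/^ip6tables //' | sort)
    [ "$v4" = "$v6" ]
}

# Print both rulesets for review; apply them only after reading the output.
if [ "${1:-}" = "--print" ]; then v4_rules; v6_rules; fi
```

Run with `--print` to see the generated commands; `check_parity` is the kind of test that catches a rule added to one stack and forgotten on the other.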