| 1 |
On 02/11/2011 03:32 AM, Darknight wrote: |
| 2 |
> 2011-02-10 21:03:01 Michael Orlitzky |
| 3 |
>> On 02/09/11 22:09, Anthony G. Basile wrote: |
| 4 |
>>> Hi everyone, |
| 5 |
>>> |
| 6 |
>>> Jan Kundrat asked on gentoo-dev why hardened removes ipv6 from its |
| 7 |
>>> profiles. To be honest, I see no good reason. I want to add it back. |
| 8 |
>>> Before I do, does anyone in the community know of any issues with |
| 9 |
>>> hardened + ipv6? I don't know of any and all my servers have it |
| 10 |
>>> enables. So, I'm going to add it back in about 1 week. |
| 11 |
>> |
| 12 |
>> I don't think there are any issues with it. The only argument I know of |
| 13 |
>> is that it increases the attack surface for a feature that 0% + epsilon |
| 14 |
>> of people use. |
| 15 |
> |
| 16 |
> Tests done by a colleague show that, right now, the amount of inbound ipv6 |
| 17 |
> traffic on his systems is none but I can perfectly understand your concerns |
| 18 |
> even if they should apply only to the network stack itself, as the daemons |
| 19 |
> listening to v6 should be the same that listen to v4, once configured for dual |
| 20 |
> stack. |
| 21 |
> |
| 22 |
> Anyway, ipv6 has a chance to become relevant by the end of the year as China |
| 23 |
> and India (among others) won't have quite enough v4 addresses in stock to |
| 24 |
> support the growth of their networks. |
| 25 |
|
| 26 |
This is precisely the point. While on the one hand, it has little |
| 27 |
current use and does potentially increase attack vectors, on the other |
| 28 |
hand, ipv4 is depleted and ipv6 is on the horizon. |
| 29 |
|
| 30 |
I looked at gentoo bugs for ipv6 and didn't find anything serious. I'm |
| 31 |
still leaning towards unmasking it. |
| 32 |
|
| 33 |
-- |
| 34 |
Anthony G. Basile, Ph.D. |
| 35 |
Gentoo Developer |
Archives