On 02/11/2011 03:32 AM, Darknight wrote:
> 2011-02-10 21:03:01 Michael Orlitzky
>> On 02/09/11 22:09, Anthony G. Basile wrote:
>>> Hi everyone,
>>>
>>> Jan Kundrat asked on gentoo-dev why hardened removes ipv6 from its
>>> profiles. To be honest, I see no good reason. I want to add it back.
>>> Before I do, does anyone in the community know of any issues with
>>> hardened + ipv6? I don't know of any and all my servers have it
>>> enabled. So, I'm going to add it back in about 1 week.
>>
>> I don't think there are any issues with it. The only argument I know of
>> is that it increases the attack surface for a feature that 0% + epsilon
>> of people use.
>
> Tests done by a colleague show that, right now, the amount of inbound ipv6
> traffic on his systems is none but I can perfectly understand your concerns
> even if they should apply only to the network stack itself, as the daemons
> listening to v6 should be the same that listen to v4, once configured for dual
> stack.
>
> Anyway, ipv6 has a chance to become relevant by the end of the year as China
> and India (among others) won't have quite enough v4 addresses in stock to
> support the growth of their networks.

This is precisely the point. While on the one hand, it has little
current use and does potentially increase attack vectors, on the other
hand, ipv4 is depleted and ipv6 is on the horizon.

I looked at gentoo bugs for ipv6 and didn't find anything serious. I'm
still leaning towards unmasking it.

--
Anthony G. Basile, Ph.D.
Gentoo Developer