I run full dual stacked on my network at home just fine; ip6tables and
filtering at the gateway work for me. As far as IPv6 specific
vulnerabilities, I think that would be the price to pay (if we decide to go
down this route).

-- Matthew Thode

On Tue, Feb 15, 2011 at 10:52, Alex Efros <powerman@××××××××.name> wrote:

> Hi!
>
> On Fri, Feb 11, 2011 at 06:10:52PM -0500, Anthony G. Basile wrote:
> > >> I don't think there are any issues with it. The only argument I know of
> > >> is that it increases the attack surface for a feature that 0% + epsilon
> > >> of people use.
> > > Tests done by a colleague show that, right now, the amount of inbound ipv6
> > > traffic on his systems is none but I can perfectly understand your concerns
> > > even if they should apply only to the network stack itself, as the daemons
> > This is precisely the point. While on the one hand, it has little
> > current use and does potentially increase attack vectors, on the other
> > hand, ipv4 is depleted and ipv6 is on the horizon.
>
> Quick Google and CVE searches show there have been quite enough vulnerabilities
> in all OSes' (including Linux) IPv6 stack implementations. And, as we all
> know, most vulnerabilities will be found only after a product becomes
> popular and widely used, which hasn't happened to IPv6 yet.
>
> Keeping this in mind, I think it makes sense to avoid enabling IPv6 by
> default on hardened until IPv6 has been widely used/tested/hacked on
> non-hardened systems for some time, or until it becomes a critical feature
> required for normal operation on most servers.
>
> This logic is the same as for separating ~x86 and x86 profiles - the hardened
> profile shouldn't be used to test (for now) useless and potentially
> vulnerable features.
>
>
> P.S. BTW, enabling the "ipv6" USE-flag isn't enough. Using dual-stack on a
> secure server also means doubling nearly all network configuration,
> including firewall setup. And while it's well known how to securely set up a
> network for IPv4, it's still not clear how to do the same for IPv6 - both
> because IPv6 is much more complex and feature-rich, and because there's not
> much information/howtos available for IPv6 right now. So, I think it makes
> sense to prepare some documentation about IPv6-related configuration on the
> gentoo site and notify users with the `eselect news` mechanism about it before
> enabling the default "ipv6" USE-flag in any profile.
>
> --
> WBR, Alex.
>
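The "doubled firewall configuration" concern in the P.S. above has one concrete trap worth showing: an IPv6 host cannot simply reuse a default-deny iptables policy, because the kernel needs certain ICMPv6 messages (neighbor discovery, Packet Too Big) that IPv4 rulesets routinely drop. The script below is an added example, not code from this thread or from Gentoo; it prints a minimal IPv4 ruleset, the naive ip6tables copy of it, and a corrected ip6tables ruleset in `iptables-restore` format, plus a review check. The function names, the sshd-only policy and the rate limits are constructed for illustration, and nothing here loads rules into the kernel.

```shell
#!/bin/sh
# Added example (not from the thread or from Gentoo): the same minimal host
# policy written once for iptables-restore and once for ip6tables-restore.
# The functions only print rulesets so the differences can be reviewed before
# anything like `ip6tables-restore < file` is run. Names and the sshd-only
# policy are constructed for illustration.

# IPv4: default-deny INPUT, allow loopback, established flows, ssh, rate-limited ping.
ip4_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# The doubled configuration done naively: copy the IPv4 rules and translate
# only the ping rule. This is the weak setting: with INPUT DROP the host no
# longer answers Neighbor Solicitations, so on-link peers and the router lose
# address resolution for it and IPv6 silently stops working.
naive_ip6_ruleset() {
    ip4_ruleset | sed 's/-p icmp --icmp-type echo-request/-p icmpv6 --icmpv6-type 128/'
}

# IPv6 done properly: the same policy plus the ICMPv6 messages the stack needs
# (RFC 4890). Redirect (137) and all other ICMPv6 fall through to the DROP policy.
ip6_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# error messages; type 2 (Packet Too Big) is mandatory because IPv6 routers never fragment
-A INPUT -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 4 -j ACCEPT
# echo request, rate-limited like the IPv4 rule
-A INPUT -p icmpv6 --icmpv6-type 128 -m limit --limit 5/s -j ACCEPT
# neighbor discovery (RS/RA/NS/NA); RFC 4861 requires hop limit 255, which rejects anything routed
-A INPUT -p icmpv6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Review check for an ip6tables-restore file read on stdin: reject a
# default-deny ruleset that would break neighbor discovery or path MTU discovery.
check_nd_allowed() {
    rules=$(cat)
    for t in 2 135 136; do
        if ! printf '%s\n' "$rules" | grep -q -e "--icmpv6-type $t "; then
            echo "ruleset does not accept ICMPv6 type $t" >&2
            return 1
        fi
    done
    return 0
}

# Stand-alone use: print both IPv6 candidates and run the check on each.
for f in naive_ip6_ruleset ip6_ruleset; do
    echo "== $f =="
    $f
    if $f | check_nd_allowed; then echo "$f: ok"; else echo "$f: REJECTED"; fi
done
```

Run as a plain script it prints the naive ruleset as REJECTED (no type 2/135/136) and the corrected one as ok; the same `check_nd_allowed` function can be pointed at a real `ip6tables-save` dump with `ip6tables-save | check_nd_allowed`. The hop-limit match on the neighbor discovery rules is the IPv6-only detail with no IPv4 analogue, which is the kind of difference the "doubling the configuration" argument above is about.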