| 1 |
El 26/06/12 08:26, Jonny Kent escribió: |
| 2 |
> |
| 3 |
> On Jun 25, 2012, at 10:43 PM, Michael Orlitzky <michael@××××××××.com> wrote: |
| 4 |
> |
| 5 |
>> On 06/25/12 23:03, Alex Efros wrote: |
| 6 |
>>> Correct me if I'm wrong, but enabling IPv6 mean needs in supporting two |
| 7 |
>>> different routing tables and two different firewalls. Also, I suppose |
| 8 |
>>> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules |
| 9 |
>>> may (and probably will!) result in creating new security holes until admin |
| 10 |
>>> will develop IPv6 firewall rules similar to existing IPv4 firewall rules. |
| 11 |
>>> And I suppose just trying to duplicate existing rules as is won't be |
| 12 |
>>> enough because of new IPv6-specific features, which is absent in IPv4, |
| 13 |
>>> and which should be additionally blocked/enabled too. |
| 14 |
>> This is where I'm at -- being in the USA, I'll probably be long dead |
| 15 |
>> before our upstream supports ipv6. I don't even know enough about ipv6 |
| 16 |
>> to know what I don't know, so the only safe course is to have it disabled. |
| 17 |
>> |
| 18 |
>> It's easy enough to set USE="-ipv6" manually of course, but the same |
| 19 |
>> argument works for USE="ipv6". So, I think the default should be what |
| 20 |
>> most people want; i.e. what the fewest people will have to override. Do |
| 21 |
>> most hardened machines use |
| 22 |
> As an end user of hardened working in a California educational institution I note that my institution doesn't yet have either firewall or router rules stabilized for ipv6 yet and don't expect them for probably another 6 months so whatever is decided it will be off on the servers I administer. |
| 23 |
> Alex makes good points about the lack of expertise in ipv6 firewalls. Having ipv6 on by default would seem to be going against the spirit of the hardened profile since it opens systems to new attack vectors created unwittingly. |
| 24 |
I have to disagree here, the hardened spirit is way more as described in |
| 25 |
the Project Description at http://www.gentoo.org/proj/en/hardened/ |
| 26 |
> |
| 27 |
> Hardened Gentoo is a project which oversees the research, |
| 28 |
> implementation, and maintenance of security oriented projects for |
| 29 |
> Gentoo Linux. We are a team of very competent individuals dedicated to |
| 30 |
> bring advanced security to Gentoo with a number of subprojects. |
| 31 |
> |
| 32 |
Since ipv6 brings new security features to its users (like larger |
| 33 |
address spaces making port scans over the network much harder) it |
| 34 |
doesn't make sense to complicate the life to the people wanting to use |
| 35 |
it on a hardened system for the sake of an negligible security risks |
| 36 |
(larger text sections on some programs). This is manily because if you |
| 37 |
don't want ipv6 you'll not enable it on the kernel anyway since by doing |
| 38 |
so your stack will be exposed. |
Archives