| 1 |
On 26/06/12 05:03, Alex Efros wrote: |
| 2 |
> If I'm right (about creating new security holes because of enabling ipv6 |
| 3 |
> USE flag) then it may be bad idea to enable it by default until we'll be |
| 4 |
> sure admin is ready for this (for example, we may check is IPv6 enabled in |
| 5 |
> kernel and is there exists IPv6 firewall rules). |
| 6 |
|
| 7 |
Yes, you are right. Enabling IPv6 is the same as enabling a completely |
| 8 |
new protocol. Configuration, routing and firewalls needs to be set up. |
| 9 |
|
| 10 |
But there is an easy way to "opt-out" which could easily be described. |
| 11 |
If the default kernel config builds IPv6 support as a module, you can |
| 12 |
easily do 'modprobe -r ipv6' and you don't have IPv6 enabled on a |
| 13 |
running kernel. This can also be added to the modprobe blacklist as |
| 14 |
well, so it's not loaded upon boot. Or for those configuring their own |
| 15 |
kernels, disabling the IPv6 module can be another alternative. These |
| 16 |
alternatives can easily be documented, IMHO. |
| 17 |
|
| 18 |
|
| 19 |
kind regards, |
| 20 |
|
| 21 |
David Sommerseth |
Archives