On 02/09/11 21:09, Anthony G. Basile wrote:
> Hi everyone,
>
> Jan Kundrat asked on gentoo-dev why hardened removes ipv6 from its
> profiles. To be honest, I see no good reason. I want to add it back.
> Before I do, does anyone in the community know of any issues with
> hardened + ipv6? I don't know of any and all my servers have it
> enabled. So, I'm going to add it back in about 1 week.

Hi everyone,

I'll chime in on this one. I want to clarify what is being asked, and add my two cents.

If you're asking if there are any issues with enabling the ipv6 use flag on the hardened profile, then I haven't run into any. All packages
that I've used have compiled and worked as expected. If you're asking if there are any security issues with ipv6 that would affect the hardened
profile, then I would have to say yes. The hardened profile is intended to be a security-focused profile, and adding ipv6 on by default would
cause many issues with unprepared users.

Considering that ipv6 is auto-configured by default, and a rogue system can attach itself to a network as an ipv6 router, this is a major concern
for users that are unfamiliar with the protocol. Now add that several common packages install with the default configuration of listening on
every interface, and that the Netfilter firewall separates ipv4/ipv6 with iptables and ip6tables, with ip6tables' default ALLOW policy, and an unprepared
user could find their network completely unprotected.

A really good example of this is dev-db/mysql, which can be configured to listen on a single address, or all addresses. If database access is
needed from a remote system, there's a good chance that it is configured to listen on all addresses. If you enable ipv6, you may end up adding
three or more addresses to the mix for link (fe80::/10), local (fc00::/7), and global scopes. If you want to run dual stack with your current
ipv4 address plus a fc00::/7 address then you have to listen on all and rely on database/firewall ACLs for protection. In my opinion this shows
that dev-db/mysql simply isn't ipv6 ready. Now there are many other packages that work very well with binding to specific addresses, but a lot
of those are documented to encourage the use of the "listen on all" mentality, and most will default to this mode.

I think the current default of turning the ipv6 use flag off is best. It's not disabled, it's just off. It will need to be defaulted on at
some point, but I don't think we are there yet. If a user wants to "brave the ipv6 waters" then let them, there's a lot to learn. I would
recommend paging through some of the on-line documentation (HOWTOs and wiki at least) and see if we could add some better configuration
examples, or advice for those using dual stack setups, before ipv6 is defaulted on.

Those are my thoughts on it.

Chris
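The two conditions Chris describes (ip6tables chains left at their default ACCEPT policy, and services bound to every address so that newly auto-configured ipv6 addresses become reachable) can be checked mechanically. The script below is an added example, not code from the thread or from Gentoo. It parses the text of `ip6tables -S` and `ss -H -ltn`; the sample outputs embedded in it are constructed, and it assumes the usual `ss` column layout (local address in column 4) and the wildcard spellings `0.0.0.0:port`, `[::]:port`, `:::port` and `*:port`.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Gentoo: a small
# audit for the two conditions Chris describes on a dual-stack host, namely
# ip6tables chains left at their default ACCEPT policy and services bound to
# every address ("listen on all"). It parses the text of `ip6tables -S` and
# `ss -H -ltn`; the samples below are constructed so the script runs offline.

# Constructed sample of `ip6tables -S` on a host nobody has configured yet.
SAMPLE_IP6TABLES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample of the same host after setting inbound policies to DROP.
# ICMPv6 must still be accepted: neighbour discovery and router
# advertisements are ICMPv6, and dropping them breaks IPv6 entirely.
HARDENED_IP6TABLES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT'

# Constructed sample of `ss -H -ltn` (listening TCP sockets, numeric, no
# header): column 4 is the local address. sshd and mysqld bind every
# address; the mail and redis daemons bind loopback only.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 80 *:3306 *:*
LISTEN 0 100 [::1]:25 [::]:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*'

# Print the inbound built-in chains (INPUT, FORWARD) whose policy is ACCEPT.
# Reads `ip6tables -S` text on stdin.
accept_policy_chains() {
    awk '$1 == "-P" && ($2 == "INPUT" || $2 == "FORWARD") && $3 == "ACCEPT" { print $2 }'
}

# Print the local address:port of every listener bound to a wildcard
# address. Current iproute2 prints [::]:port and 0.0.0.0:port; older
# versions print :::port and *:port, so all four spellings are matched.
# Reads `ss -H -ltn` text on stdin.
wildcard_listeners() {
    awk '$1 == "LISTEN" && $4 ~ /^(0\.0\.0\.0|\[::\]|::|\*):[0-9]+$/ { print $4 }'
}

# audit RULES SOCKETS: print findings, return 0 when clean and 1 otherwise.
audit() {
    rules=$1
    socks=$2
    rc=0
    # Results are only ever expanded inside quotes, so "*" never reaches the
    # shell's pathname expansion.
    chains=$(printf '%s\n' "$rules" | accept_policy_chains)
    if [ -n "$chains" ]; then
        printf '%s\n' "$chains" | sed 's/^/WARN: ip6tables default policy ACCEPT on chain /'
        rc=1
    fi
    listeners=$(printf '%s\n' "$socks" | wildcard_listeners)
    if [ -n "$listeners" ]; then
        printf '%s\n' "$listeners" | sed 's/^/WARN: listens on every address: /'
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: inbound chains default to DROP, no wildcard listeners"
    return "$rc"
}

# Run against the constructed samples; to audit a live host, pass real
# output instead, e.g. audit "$(ip6tables -S)" "$(ss -H -ltn)".
if audit "$SAMPLE_IP6TABLES" "$SAMPLE_SS"; then
    echo "unconfigured host: clean"
else
    echo "unconfigured host: problems found (see WARN lines)"
fi
```

On the constructed samples the audit flags INPUT and FORWARD for their ACCEPT policy and the sshd and mysqld listeners for binding every address, while the hardened rule set with only loopback listeners passes. The mysqld line is the case Chris makes: `bind-address` in the MySQL of that era takes a single address, so serving both the existing ipv4 address and a new ipv6 one means binding everything and leaning on ACLs. The hardened sample also shows the caveat a blanket DROP policy needs: ICMPv6 has to be allowed explicitly, or neighbour discovery stops working.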