| 1 |
On 02/09/11 21:09, Anthony G. Basile wrote: |
| 2 |
> Hi everyone, |
| 3 |
> |
| 4 |
> Jan Kundrat asked on gentoo-dev why hardened removes ipv6 from its |
| 5 |
> profiles. To be honest, I see no good reason. I want to add it back. |
| 6 |
> Before I do, does anyone in the community know of any issues with |
| 7 |
> hardened + ipv6? I don't know of any and all my servers have it |
| 8 |
> enables. So, I'm going to add it back in about 1 week. |
| 9 |
|
| 10 |
Hi everyone, |
| 11 |
|
| 12 |
I'll chime in on this one. I want to clarify what is being asked, and add my two cents. |
| 13 |
|
| 14 |
If you're asking if there are any issues with enabling the ipv6 use flag on the hardened profile, then I haven't run into any. All packages |
| 15 |
that I've used have compiled and worked as expected. If you're asking if there are any security issues with ipv6 that would effect the hardened |
| 16 |
profile, then I would have to say yes. The hardened profile is intended to be a security focused profile, and adding ipv6 on by default would |
| 17 |
cause many issues with unprepared users. |
| 18 |
|
| 19 |
Considering that ipv6 is auto-configured by default, and a rouge system can attach itself to a network as a ipv6 router, this is a major concern |
| 20 |
for users that are unfamiliar with the protocol. Now add that several common packages install with the default configurations of listen on |
| 21 |
every interface, and the Netfilter firewall separates ipv4/ipv6 with iptables and ip6tables with ip6tables default ALLOW policy, an unprepared |
| 22 |
user could find their network completely unprotected. |
| 23 |
|
| 24 |
A really good example of this is dev-db/mysql, which can be configured to listen on a single address, or all addresses. If database access is |
| 25 |
needed from a remote system, there's a good chance that it is configured to listen on all addresses. If you enable ipv6, you may end up adding |
| 26 |
three or more addresses to the mix for link (fe80::/10), local (fc00::/7), and global scopes. If you want to run dual stack with your current |
| 27 |
ipv4 address plus a fc00::/7 address then you have to listen on all and rely on database/firewall ACLs for protection. In my opinion this shows |
| 28 |
that dev-db/mysql simply isn't ipv6 ready. Now there are many other packages that work very well with binding to specific addresses, but a lot |
| 29 |
of those are documented to encourage the use of the "listen on all" mentality, and most will default to this mode. |
| 30 |
|
| 31 |
I think the current default of turning the ipv6 use flag off is best. It's not disabled, it's just off. It will need to be defaulted on at |
| 32 |
some point, but I don't think we are there yet. If a user wants to "brave the ipv6 waters" then let them, there's a lot to learn. I would |
| 33 |
recommend paging through some of the on-line documentation (HOWTOs and wiki at least) and see if we could add some better configuration |
| 34 |
examples, or advice for those using dual stack setups, before ipv6 is defaulted on. |
| 35 |
|
| 36 |
That's my thoughts on it. |
| 37 |
|
| 38 |
Chris |
Archives