| 1 |
On Jun 25, 2012, at 10:43 PM, Michael Orlitzky <michael@××××××××.com> wrote: |
| 2 |
|
| 3 |
> On 06/25/12 23:03, Alex Efros wrote: |
| 4 |
>> |
| 5 |
>> Correct me if I'm wrong, but enabling IPv6 mean needs in supporting two |
| 6 |
>> different routing tables and two different firewalls. Also, I suppose |
| 7 |
>> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules |
| 8 |
>> may (and probably will!) result in creating new security holes until admin |
| 9 |
>> will develop IPv6 firewall rules similar to existing IPv4 firewall rules. |
| 10 |
>> And I suppose just trying to duplicate existing rules as is won't be |
| 11 |
>> enough because of new IPv6-specific features, which is absent in IPv4, |
| 12 |
>> and which should be additionally blocked/enabled too. |
| 13 |
> |
| 14 |
> This is where I'm at -- being in the USA, I'll probably be long dead |
| 15 |
> before our upstream supports ipv6. I don't even know enough about ipv6 |
| 16 |
> to know what I don't know, so the only safe course is to have it disabled. |
| 17 |
> |
| 18 |
> It's easy enough to set USE="-ipv6" manually of course, but the same |
| 19 |
> argument works for USE="ipv6". So, I think the default should be what |
| 20 |
> most people want; i.e. what the fewest people will have to override. Do |
| 21 |
> most hardened machines use |
| 22 |
As an end user of hardened working in a California educational institution I note that my institution doesn't yet have either firewall or router rules stabilized for ipv6 yet and don't expect them for probably another 6 months so whatever is decided it will be off on the servers I administer. |
| 23 |
Alex makes good points about the lack of expertise in ipv6 firewalls. Having ipv6 on by default would seem to be going against the spirit of the hardened profile since it opens systems to new attack vectors created unwittingly. |
Archives