On 25/06/2012 12:08, Anthony G. Basile wrote:
> Hi everyone,
>
> We visited this issue during the first ipv6 global day and I asked the
> masses: do you want ipv6 on by default or not. There was lots of back
> and forth and since it was only a question of default, I left the
> status quo, which is off by default.
>
> But now the ipv6 pressures mount! Diego has made a good argument that
> deploying hardened in an ipv6 only environment is a real pita. You
> can't get the goodies you need to bootstrap into an ipv6 only
> environment. With the growth in ipv6, I think it is time.
>
> I'm alerting users so that you can make whatever changes you like to
> ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
> default ipv6 on all hardened profiles.
|
ACK
|
There are plenty of reasons to argue for/against, but the big day when
large numbers of servers finally need to be IPv6 aware is coming. Let's
start getting our house in order.
|
Probably some notes on disabling ipv6 on a given machine would be
helpful, e.g.:
- iptables6 default drop
- iptables6 reject
- sysctl
- blacklist kernel module or build kernel without support
- kernel command line option (useful when not modular kernel)
|
Whilst we have the luxury of ipv6 being relatively unprobed and attacks
being relatively unusual and light, let's start getting the groundwork
developed for a default secure Gentoo ipv6 system.
|
Let's switch ipv6 on by default
|
Cheers
|
Ed W
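
One way to check which of the mechanisms listed in the message above are active on a machine, as an added example that is not part of the original email or any Gentoo tooling. The function name `ipv6_audit`, the `AUDIT_ROOT` variable and the `rules-save` path are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report which IPv6-disabling mechanisms are in effect.
# Pass a root prefix to audit a constructed file tree; empty means the live system.

ipv6_audit() {
    root="${1:-}"
    conf="$root/proc/sys/net/ipv6/conf"

    # Kernel command line option (also works when IPv6 is built in, not modular).
    if grep -qwF 'ipv6.disable=1' "$root/proc/cmdline" 2>/dev/null; then
        echo "cmdline: ipv6.disable=1"
    fi

    # Module blacklist: only meaningful when IPv6 is built as a module.
    if grep -qsE '^[[:space:]]*blacklist[[:space:]]+ipv6([[:space:]]|$)' \
        "$root"/etc/modprobe.d/*.conf; then
        echo "modprobe: ipv6 blacklisted"
    fi

    # No conf directory: the running kernel exposes no IPv6 stack to configure.
    if [ ! -d "$conf" ]; then
        echo "stack: absent"
    else
        # "all" applies to existing interfaces, "default" to ones created later.
        for scope in all default; do
            val=$(cat "$conf/$scope/disable_ipv6" 2>/dev/null || echo '?')
            echo "sysctl: net.ipv6.conf.$scope.disable_ipv6=$val"
        done
    fi

    # Firewall default policies, read from a saved ruleset in ip6tables-save
    # format. The path is an assumption (Gentoo's usual save location).
    rules="$root/var/lib/ip6tables/rules-save"
    if [ -r "$rules" ]; then
        awk '/^\*/ { table = substr($0, 2) }
             table == "filter" && /^:(INPUT|FORWARD|OUTPUT) / {
                 print "ip6tables: " substr($1, 2) " policy " $2 }' "$rules"
    fi
}

ipv6_audit "${AUDIT_ROOT:-}"
```

A machine where the sysctl reads 1 for `all` but 0 for `default`, or where the firewall policy is ACCEPT while the stack is present, is only partly covered.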