| 1 |
On 25/06/2012 12:08, Anthony G. Basile wrote: |
| 2 |
> Hi everyone, |
| 3 |
> |
| 4 |
> We visited this issue during the first ipv6 global day and I asked the |
| 5 |
> masses: do you want ipv6 on by default or not. There was lots of back |
| 6 |
> and forth and since it was only a question of default, I left the |
| 7 |
> status quo, which is off by default. |
| 8 |
> |
| 9 |
> But now the ipv6 pressures mount! Diego has made a good argument that |
| 10 |
> deploying hardened in an ipv6 only environment is a real pita. You |
| 11 |
> can't get the goodies you need to bootstrap into an ipv6 only |
| 12 |
> environment. With the growth in ipv6, I think it is time. |
| 13 |
> |
| 14 |
> I'm alerting users so that you can make whatever changes you like to |
| 15 |
> ipv6 in your /etc/make.conf. In about 24 hours I will turn on by |
| 16 |
> default ipv6 on all hardened profiles. |
| 17 |
|
| 18 |
ACK |
| 19 |
|
| 20 |
|
| 21 |
There are plenty of reasons to argue for/against, but the big day when |
| 22 |
large numbers of servers finally need to be IPV6 aware is coming. Lets |
| 23 |
start getting our house in order. |
| 24 |
|
| 25 |
Probably some notes on disabling ipv6 on a given machine would be |
| 26 |
helpful, eg: |
| 27 |
- iptables6 default drop |
| 28 |
- iptables6 reject |
| 29 |
- sysctl |
| 30 |
- blacklist kernel module or build kernel without support |
| 31 |
- kernel command line option (useful when not modular kernel) |
| 32 |
|
| 33 |
Whilst we have the luxury of ipv6 being relatively unprobed and attacks |
| 34 |
being relatively unusual and light, lets start getting the groundwork |
| 35 |
developed for a default secure gentoo ipv6 system. |
| 36 |
|
| 37 |
Lets switch ipv6 on by default |
| 38 |
|
| 39 |
Cheers |
| 40 |
|
| 41 |
Ed W |
Archives