On 15/02/11 16:52, Alex Efros wrote:
[...snip...]
>
> Keeping this in mind, I think it makes sense to avoid enabling IPv6 by
> default on hardened until IPv6 has been widely used/tested/hacked on
> non-hardened systems for some time, or until it becomes a critical feature
> required for normal operation on most servers.
IMHO, this logic doesn't really make sense. This is a backwards attitude. IPv6 will come for sure; we *need* to implement it. Not enabling it now will just postpone these security issues further. It's better to flush out those security issues ASAP, before even more people use it. Also consider that most distributions (including RHEL/CentOS/ScientificLinux 5 - with 2.6.18 based kernels) ship with IPv6 enabled. In addition, security issues get found and fixed quicker with broader usage. In most distros security fixes get included rather quickly, even into the upstream kernels and applications, no matter IPv4 or IPv6.

[...snip...]

> P.S. BTW, enabling the "ipv6" USE-flag isn't enough. Using dual-stack on a
> secure server also means doubling nearly all network configuration,
> including firewall setup. And while it's well-known how to securely set up
> a network for IPv4, it still isn't clear how to do the same for IPv6 - both
> because IPv6 is much more complex and feature-rich, and because there isn't
> much information/howto available for IPv6 right now.

This is much more a fear of something new. IPv6 is a different protocol, but when using it, it behaves very much the same as IPv4. You just need to use ip6tables instead of iptables to do filtering, and the addresses look different.

For those really not ready to dive into the IPv6 world yet, they should rather compile their kernel without IPv6 support or blacklist the ipv6 kernel module. Then no IPv6 traffic will be tackled, and all the user space can still be IPv6-enabled.

> So, I think it makes
> sense to prepare some documentation about IPv6-related configuration on the
> gentoo site and notify users with the `eselect news` mechanism about it before
> enabling the default "ipv6" USE-flag in any profile.

Documentation is *always* a good thing. So improving documentation related to IPv6 is not a bad thing.

<rant>
But the fact is, which many have not understood: IPv6 simplifies networks much more than it complicates them.
- There is no network address (like 192.168.0.0 for 192.168.0.0/24)
- There is no broadcast address (like 192.168.0.255)
- There is no 127.0.0.0/8 localhost subnet - only ::1
- There is no NAT - only public IP addresses - which need to be filtered
- Automatic stateless and stateful configuration (if using radvd or DHCPv6)
- Manual IPv6 is still an option for those wanting that
- Subnetting a /48 or /56 subnet is very easy. {your IPv6 prefix}:{your subnet address} - which gives you a /64 subnet for your network zone ... and you basically don't need to think about any other network masks. A /48 subnet gives you 0000 to FFFF as valid subnet addresses after your IPv6 prefix from your ISP. A /56 subnet gives 00 to FF as valid subnet addresses.

And just think about it ... /48 leaves space for 16 bits for subnetting, so 48 + 16 = 64, hence /64. And the same for 56 + 8 = 64. There is really no big magic. 8 bits gives you values 00-FF, 16 bits gives you 0000-FFFF. And the ISP prefix defines your IPv6 address scope. You can do whatever you'd like with that.

The only tricky thing is that you need to enable some ICMPv6 traffic on your internal networks. But if you just open up for all ICMPv6 on internal interfaces, you're practically good to go.

Routing is exactly the same as on IPv4. You need to either use 'ip -6 route' or 'route -6' to modify the IPv6 routing table.

So the biggest difference is basically the new addressing scheme, with 128 bits available instead of 32 bits. That's all, from the user's perspective.

What probably should be done is to enable a default IPv6 iptables config which is loaded by default ... which just sets the default policy to DROP on INPUT, FORWARD and OUTPUT ... that way, users need to modify the ip6tables rules to gain access. That way we won't take anyone by surprise.

This is really not rocket science! Even though it might feel so in the beginning. But take off your IPv4 hat, and accept that IPv6 is simpler to set up - and you'll get far very quickly.
</rant>

But my core message is: enable IPv6 in all packages ASAP. Blocking IPv6 should not be done at the application level. That should happen at the kernel level.

kind regards,

David Sommerseth
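The two concrete points in the mail above, the /48 and /56 subnetting arithmetic and the default-DROP ip6tables baseline, worked through as an added example. This is not David's or Gentoo's code. It assumes the documentation prefix 2001:db8:1234 from the ISP, eth0 as the external and eth1 as the internal interface (all constructed values), and that the kernel has IPv6 connection tracking so that `-m conntrack` works (on older kernels `-m state --state` is the equivalent). It goes one step beyond the mail on the external interface: instead of dropping all ICMPv6 there, it lets through the error, echo and neighbor-discovery types RFC 4890 lists as necessary, because dropping packet-too-big breaks path-MTU discovery and dropping neighbor solicitation/advertisement breaks address resolution with the upstream router. The type list is the one in RFC 4890; everything else, including the zone numbering, is an assumption for the example.

```shell
#!/bin/sh
# Added example, not code from the mail: derive the per-zone /64 prefixes the
# mail describes from a delegated /48 or /56, and emit an ip6tables-restore
# baseline with default DROP. Prefix 2001:db8:1234 and eth0/eth1 are
# constructed sample values.

# zone_prefix PREFIX PLEN ZONE
#   PREFIX: the delegated prefix in the mail's notation, i.e. everything in
#           front of the subnet field: 3 groups for a /48 (2001:db8:1234),
#           3 groups plus the ISP's high byte of the 4th for a /56 (2001:db8:1234:ab)
#   PLEN:   48 or 56
#   ZONE:   subnet number, 0..65535 for a /48 (16 bits), 0..255 for a /56 (8 bits)
# Prints the /64 for that zone, e.g. 2001:db8:1234:5::/64
zone_prefix() {
    prefix=$1; plen=$2; zone=$3
    case $plen in
        48) max=65535 ;;
        56) max=255 ;;
        *)  echo "zone_prefix: prefix length must be 48 or 56" >&2; return 1 ;;
    esac
    if [ "$zone" -lt 0 ] || [ "$zone" -gt "$max" ]; then
        echo "zone_prefix: zone $zone outside 0..$max for a /$plen" >&2
        return 1
    fi
    if [ "$plen" = 48 ]; then
        # 48 + 16 = 64: the zone number is the whole 4th group
        printf '%s:%x::/64\n' "$prefix" "$zone"
    else
        # 56 + 8 = 64: the ISP's high byte and the zone byte share the 4th group
        base=${prefix%:*}        # first three groups
        hb=${prefix##*:}         # high byte from the ISP, 1-2 hex digits
        printf '%s:%x::/64\n' "$base" $(( 0x$hb * 256 + zone ))
    fi
}

# ip6tables_baseline EXT_IF INT_IF
# Emits an ip6tables-restore ruleset: default DROP on INPUT, FORWARD and
# OUTPUT as the mail suggests, loopback and already-tracked traffic allowed,
# all ICMPv6 on the internal interface, and on the external interface only
# the ICMPv6 types from RFC 4890 a host cannot do without:
#   1-4     destination unreachable, packet too big, time exceeded, parameter problem
#   128/129 echo request/reply
#   133-136 router solicitation/advertisement, neighbor solicitation/advertisement
# Service rules (e.g. TCP 22 on EXT_IF) must be added before loading this,
# exactly as the mail intends: nothing is reachable until you open it.
ip6tables_baseline() {
    ext=$1; int=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $int -p ipv6-icmp -j ACCEPT
-A OUTPUT -o $int -p ipv6-icmp -j ACCEPT
EOF
    for t in 1 2 3 4 128 129 133 134 135 136; do
        printf '%s\n' "-A INPUT -i $ext -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
        printf '%s\n' "-A OUTPUT -o $ext -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    echo COMMIT
}

# Demo with the constructed values: zone 5 of a /48 and of a /56, then the
# ruleset. To apply it (as root): ip6tables_baseline eth0 eth1 | ip6tables-restore
zone_prefix 2001:db8:1234 48 5
zone_prefix 2001:db8:1234:ab 56 5
ip6tables_baseline eth0 eth1
```

Note that with OUTPUT at DROP and only ESTABLISHED,RELATED plus ICMPv6 allowed out, the host cannot open new outbound connections (DNS included) until a rule permits them; that is the "take nobody by surprise" behaviour the mail asks for, not an oversight. Piping through `ip6tables-restore` loads the whole table atomically, so a typo does not leave the box half-filtered.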