On 02/09/11 21:09, Anthony G. Basile wrote:
> Hi everyone,
>
> Jan Kundrat asked on gentoo-dev why hardened removes ipv6 from its
> profiles. To be honest, I see no good reason. I want to add it back.
> Before I do, does anyone in the community know of any issues with
> hardened + ipv6? I don't know of any and all my servers have it
> enabled. So, I'm going to add it back in about 1 week.
Hi everyone,

I'll chime in on this one. I want to clarify what is being asked, and add my two cents.

If you're asking if there are any issues with enabling the ipv6 use flag on the hardened profile, then I haven't run into any. All packages that I've used have compiled and worked as expected.

If you're asking if there are any security issues with ipv6 that would affect the hardened profile, then I would have to say yes. The hardened profile is intended to be a security focused profile, and adding ipv6 on by default would cause many issues with unprepared users. Considering that ipv6 is auto-configured by default, and a rogue system can attach itself to a network as an ipv6 router, this is a major concern for users that are unfamiliar with the protocol. Now add that several common packages install with default configurations that listen on every interface, and that the Netfilter firewall separates ipv4/ipv6 into iptables and ip6tables, with ip6tables on a default ALLOW policy, and an unprepared user could find their network completely unprotected.

A really good example of this is dev-db/mysql, which can be configured to listen on a single address, or all addresses. If database access is needed from a remote system, there's a good chance that it is configured to listen on all addresses. If you enable ipv6, you may end up adding three or more addresses to the mix for link (fe80::/10), local (fc00::/7), and global scopes. If you want to run dual stack with your current ipv4 address plus a fc00::/7 address then you have to listen on all and rely on database/firewall ACLs for protection. In my opinion this shows that dev-db/mysql simply isn't ipv6 ready. Now there are many other packages that work very well with binding to specific addresses, but a lot of those are documented to encourage the use of the "listen on all" mentality, and most will default to this mode.

I think the current default of turning the ipv6 use flag off is best. It's not disabled, it's just off. It will need to be defaulted on at some point, but I don't think we are there yet. If a user wants to "brave the ipv6 waters" then let them, there's a lot to learn. I would recommend paging through some of the on-line documentation (HOWTOs and wiki at least) and see if we could add some better configuration examples, or advice for those using dual stack setups, before ipv6 is defaulted on.

Those are my thoughts on it.

Chris
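The exposure Chris describes is a combination of three host-side facts: services bound to every address (so they pick up new IPv6 addresses automatically), an ip6tables INPUT chain still on its default ACCEPT policy, and interfaces that accept router advertisements from whoever is on the link. The script below, an added example that is not part of the thread and not a Gentoo tool, audits a host for exactly that combination. It parses the text of `ss -tuln`, `ip6tables -S` and `sysctl net.ipv6.conf`; the sample texts embedded in it are constructed for the example, not captured from a real machine, and the finding severities are this example's own convention.

```python
"""Audit a host for the IPv6 exposure pattern discussed in the thread:
wildcard listeners + ip6tables INPUT on default ACCEPT + accept_ra on.
Added example; sample inputs below are constructed, not captured."""
import re
import subprocess

WILDCARD_V4 = {"0.0.0.0"}
WILDCARD_V6 = {"::", "*"}  # ss prints '*' for an unspecified/dual-stack bind

# --- constructed sample inputs (shape of `ss -tuln`, `ip6tables -S`, sysctl) ---
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*
tcp   LISTEN 0      80     [::]:3306           [::]:*
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      128    *:22                *:*
udp   UNCONN 0      0      [fe80::1%eth0]:546  [::]:*
"""
IP6TABLES_DEFAULT = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""
IP6TABLES_HARDENED = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
"""
SYSCTL_SAMPLE = """\
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.lo.accept_ra = 1
"""


def parse_ss_listeners(text):
    """Parse `ss -tuln` output into (proto, address, port) tuples."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":
            continue  # header or blank line
        addr, _, port = fields[4].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop brackets and %zone id
        listeners.append((fields[0], addr, port))
    return listeners


def parse_ip6tables_policies(text):
    """Return {chain: policy} from the `-P CHAIN POLICY` lines of `ip6tables -S`."""
    policies = {}
    for line in text.splitlines():
        m = re.match(r"-P\s+(\S+)\s+(\S+)", line.strip())
        if m:
            policies[m.group(1)] = m.group(2)
    return policies


def parse_accept_ra(text):
    """Return {interface: accept_ra value} from sysctl output lines."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"net\.ipv6\.conf\.(\S+)\.accept_ra\s*=\s*(\d+)", line.strip())
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def audit(ss_text, ip6tables_text, sysctl_text=""):
    """Return (severity, message) findings; HIGH = reachable over IPv6 and unfiltered."""
    findings = []
    policies = parse_ip6tables_policies(ip6tables_text)
    input_open = policies.get("INPUT", "ACCEPT") == "ACCEPT"
    if input_open:
        findings.append(("HIGH", "ip6tables INPUT policy is ACCEPT: inbound IPv6 is unfiltered"))
    for proto, addr, port in parse_ss_listeners(ss_text):
        if addr in WILDCARD_V6:
            sev = "HIGH" if input_open else "INFO"
            findings.append((sev, f"{proto}/{port} listens on every IPv6 address ({addr})"))
        elif addr in WILDCARD_V4:
            findings.append(("INFO", f"{proto}/{port} listens on every IPv4 address"))
    for iface, value in parse_accept_ra(sysctl_text).items():
        if iface not in ("all", "default", "lo") and value != 0:
            findings.append(("MEDIUM", f"{iface} accepts router advertisements (accept_ra={value})"))
    return findings


def audit_live():
    """Run the audit on this host; needs ss, ip6tables and sysctl (ip6tables needs root)."""
    def run(cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    return audit(run(["ss", "-tuln"]), run(["ip6tables", "-S"]), run(["sysctl", "net.ipv6.conf"]))


if __name__ == "__main__":
    for severity, message in audit(SS_SAMPLE, IP6TABLES_DEFAULT, SYSCTL_SAMPLE):
        print(f"{severity:6} {message}")
```

Run against the constructed samples, the default-policy case reports the mysql and sshd wildcard binds as HIGH because nothing filters them on IPv6; the same listeners under the hardened ruleset drop to INFO, since the DROP policy plus an explicit port 22 rule is what actually decides reachability. The `[fe80::1%eth0]` bind is not flagged, which is the point of binding to a specific address rather than "all".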