Linux Archive > Gentoo > Gentoo Hardened

 
 
02-10-2011, 02:09 AM
Anthony G. Basile
Adding ipv6 USE flag by default

Hi everyone,

Jan Kundrat asked on gentoo-dev why hardened removes ipv6 from its
profiles. To be honest, I see no good reason. I want to add it back.
Before I do, does anyone in the community know of any issues with
hardened + ipv6? I don't know of any and all my servers have it
enabled. So, I'm going to add it back in about 1 week.


--
Anthony G. Basile, Ph.D.
Gentoo Developer
 
02-10-2011, 07:03 PM
Michael Orlitzky
Adding ipv6 USE flag by default

On 02/09/11 22:09, Anthony G. Basile wrote:
> Hi everyone,
>
> Jan Kundrat asked on gentoo-dev why hardened removes ipv6 from its
> profiles. To be honest, I see no good reason. I want to add it back.
> Before I do, does anyone in the community know of any issues with
> hardened + ipv6? I don't know of any and all my servers have it
> enabled. So, I'm going to add it back in about 1 week.
>

I don't think there are any issues with it. The only argument I know of
is that it increases the attack surface for a feature that 0% + epsilon
of people use.
 
02-11-2011, 07:32 AM
Darknight
Adding ipv6 USE flag by default

2011-02-10 21:03:01 Michael Orlitzky
> On 02/09/11 22:09, Anthony G. Basile wrote:
> > Hi everyone,
> >
> > Jan Kundrat asked on gentoo-dev why hardened removes ipv6 from its
> > profiles. To be honest, I see no good reason. I want to add it back.
> > Before I do, does anyone in the community know of any issues with
> > hardened + ipv6? I don't know of any and all my servers have it
> > enabled. So, I'm going to add it back in about 1 week.
>
> I don't think there are any issues with it. The only argument I know of
> is that it increases the attack surface for a feature that 0% + epsilon
> of people use.

Tests done by a colleague show that, right now, the amount of inbound ipv6
traffic on his systems is none but I can perfectly understand your concerns
even if they should apply only to the network stack itself, as the daemons
listening to v6 should be the same that listen to v4, once configured for dual
stack.

Anyway, ipv6 has a chance to become relevant by the end of the year as China
and India (among others) won't have quite enough v4 addresses in stock to
support the growth of their networks.
 
02-11-2011, 10:10 PM
Anthony G. Basile
Adding ipv6 USE flag by default

On 02/11/2011 03:32 AM, Darknight wrote:
> 2011-02-10 21:03:01 Michael Orlitzky
>> On 02/09/11 22:09, Anthony G. Basile wrote:
>>> Hi everyone,
>>>
>>> Jan Kundrat asked on gentoo-dev why hardened removes ipv6 from its
>>> profiles. To be honest, I see no good reason. I want to add it back.
>>> Before I do, does anyone in the community know of any issues with
>>> hardened + ipv6? I don't know of any and all my servers have it
>>> enabled. So, I'm going to add it back in about 1 week.
>>
>> I don't think there are any issues with it. The only argument I know of
>> is that it increases the attack surface for a feature that 0% + epsilon
>> of people use.
>
> Tests done by a colleague show that, right now, the amount of inbound ipv6
> traffic on his systems is none but I can perfectly understand your concerns
> even if they should apply only to the network stack itself, as the daemons
> listening to v6 should be the same that listen to v4, once configured for dual
> stack.
>
> Anyway, ipv6 has a chance to become relevant by the end of the year as China
> and India (among others) won't have quite enough v4 addresses in stock to
> support the growth of their networks.

This is precisely the point. While on the one hand, it has little
current use and does potentially increase attack vectors, on the other
hand, ipv4 is depleted and ipv6 is on the horizon.

I looked at gentoo bugs for ipv6 and didn't find anything serious. I'm
still leaning towards unmasking it.

--
Anthony G. Basile, Ph.D.
Gentoo Developer
 
02-15-2011, 10:53 AM
Ed W
Adding ipv6 USE flag by default

>> Tests done by a colleague show that, right now, the amount of inbound ipv6
>> traffic on his systems is none but I can perfectly understand your concerns
>> even if they should apply only to the network stack itself, as the daemons
>> listening to v6 should be the same that listen to v4, once configured for dual
>> stack.
>>
>> Anyway, ipv6 has a chance to become relevant by the end of the year as China
>> and India (among others) won't have quite enough v4 addresses in stock to
>> support the growth of their networks.
>
> This is precisely the point. While on the one hand, it has little
> current use and does potentially increase attack vectors, on the other
> hand, ipv4 is depleted and ipv6 is on the horizon.
>
> I looked at gentoo bugs for ipv6 and didn't find anything serious. I'm
> still leaning towards unmasking it.

It's the whole catch 22 that there isn't any traffic because it's not
deployed and not deployed because there is no one to talk to...

I think we all have to transition to ipv6 quite quickly so the only
sensible option is to bite the bullet and enable it. I have it enabled
on all my hardened servers...

I would have thought the sensible rollout strategy for organisations is
to start gently with internal only deployments to get experience and
gradually incorporate the rest of the internet as it becomes more
common. Hopefully in this way most problems will be limited to internal
only at first...

Cheers

Ed W
 
02-15-2011, 11:17 AM
Tom Hendrikx
Adding ipv6 USE flag by default

On 15/02/11 12:53, Ed W wrote:
>
>>> Tests done by a colleague show that, right now, the amount of inbound
>>> ipv6
>>> traffic on his systems is none but I can perfectly understand your
>>> concerns
>>> even if they should apply only to the network stack itself, as the
>>> daemons
>>> listening to v6 should be the same that listen to v4, once configured
>>> for dual
>>> stack.
>>>
>>> Anyway, ipv6 has a chance to become relevant by the end of the year
>>> as China
>>> and India (among others) won't have quite enough v4 addresses in
>>> stock to
>>> support the growth of their networks.
>> This is precisely the point. While on the one hand, it has little
>> current use and does potentially increase attack vectors, on the other
>> hand, ipv4 is depleted and ipv6 is on the horizon.
>>
>> I looked at gentoo bugs for ipv6 and didn't find anything serious. I'm
>> still leaning towards unmasking it.
>>
>
> It's the whole catch 22 that there isn't any traffic because it's not
> deployed and not deployed because there is no one to talk to...
>
> I think we all have to transition to ipv6 quite quickly so the only
> sensible option is to bite the bullet and enable it. I have it enabled
> on all my hardened servers...
>
> I would have thought the sensible rollout strategy for organisations is
> to start gently with internal only deployments to get experience and
> gradually incorporate the rest of the internet as it becomes more
> common. Hopefully in this way most problems will be limited to internal
> only at first...
>

I am running 2 boxen with hardened gentoo with ipv6 enabled (one native,
one through a tunnel broker). I've seen no issues with ipv6 during
deployment or while running services.

A third box is ipv4 only, but was expected to get ipv6 connectivity
quite soon after deployment. I disabled the ipv6 USE flag and recompiled
all affected packages some time after deployment. The only reason to do
this was that logs were 'flooded' because applications tried to load the
net-pf-10 kernel module. There probably is a more elegant way to fix
that minor issue. I did not test a setup where the ipv6 kernel stuff is
enabled/loaded when connectivity is not available (other than in localhost).

--
Tom
 
02-15-2011, 02:13 PM
Matthew Thode
Adding ipv6 USE flag by default

I can also verify that I used ipv6 to get the cert with he.net (with them as the tunnel broker) for whatever that's worth.
-- Matthew Thode



On Tue, Feb 15, 2011 at 07:17, Tom Hendrikx <tom@whyscream.net> wrote:

> On 15/02/11 12:53, Ed W wrote:
> >
> >>> Tests done by a colleague show that, right now, the amount of inbound
> >>> ipv6
> >>> traffic on his systems is none but I can perfectly understand your
> >>> concerns
> >>> even if they should apply only to the network stack itself, as the
> >>> daemons
> >>> listening to v6 should be the same that listen to v4, once configured
> >>> for dual
> >>> stack.
> >>>
> >>> Anyway, ipv6 has a chance to become relevant by the end of the year
> >>> as China
> >>> and India (among others) won't have quite enough v4 addresses in
> >>> stock to
> >>> support the growth of their networks.
> >> This is precisely the point. While on the one hand, it has little
> >> current use and does potentially increase attack vectors, on the other
> >> hand, ipv4 is depleted and ipv6 is on the horizon.
> >>
> >> I looked at gentoo bugs for ipv6 and didn't find anything serious. I'm
> >> still leaning towards unmasking it.
> >>
> >
> > It's the whole catch 22 that there isn't any traffic because it's not
> > deployed and not deployed because there is no one to talk to...
> >
> > I think we all have to transition to ipv6 quite quickly so the only
> > sensible option is to bite the bullet and enable it. I have it enabled
> > on all my hardened servers...
> >
> > I would have thought the sensible rollout strategy for organisations is
> > to start gently with internal only deployments to get experience and
> > gradually incorporate the rest of the internet as it becomes more
> > common. Hopefully in this way most problems will be limited to internal
> > only at first...
> >
>
> I am running 2 boxen with hardened gentoo with ipv6 enabled (one native,
> one through a tunnel broker). I've seen no issues with ipv6 during
> deployment or while running services.
>
> A third box is ipv4 only, but was expected to get ipv6 connectivity
> quite soon after deployment. I disabled the ipv6 USE flag and recompiled
> all affected packages some time after deployment. The only reason to do
> this was that logs were 'flooded' because applications tried to load the
> net-pf-10 kernel module. There probably is a more elegant way to fix
> that minor issue. I did not test a setup where the ipv6 kernel stuff is
> enabled/loaded when connectivity is not available (other than in localhost).
>
> --
> Tom
 
02-15-2011, 02:52 PM
Alex Efros
Adding ipv6 USE flag by default

Hi!

On Fri, Feb 11, 2011 at 06:10:52PM -0500, Anthony G. Basile wrote:
> >> I don't think there are any issues with it. The only argument I know of
> >> is that it increases the attack surface for a feature that 0% + epsilon
> >> of people use.
> > Tests done by a colleague show that, right now, the amount of inbound ipv6
> > traffic on his systems is none but I can perfectly understand your concerns
> > even if they should apply only to the network stack itself, as the daemons
> This is precisely the point. While on the one hand, it has little
> current use and does potentially increase attack vectors, on the other
> hand, ipv4 is depleted and ipv6 is on the horizon.

Quick Google and CVE searches show there have been more than enough
vulnerabilities in the IPv6 stack implementations of all OSes (including
Linux). And, as we all know, most vulnerabilities are found only after a
product becomes popular and widely used, which hasn't happened to IPv6 yet.

Keeping this in mind, I think it makes sense to avoid enabling IPv6 by
default on hardened until IPv6 has been widely used/tested/hacked on
non-hardened systems for some time, or until it becomes a critical feature
required for normal operation on most servers.

This logic is the same as for separating the ~x86 and x86 profiles - the
hardened profile shouldn't be used to test (for now) useless and potentially
vulnerable features.


P.S. BTW, enabling the "ipv6" USE flag isn't enough. Using dual-stack on a
secure server also means doubling nearly all network configuration,
including the firewall setup. And while it's well known how to securely set
up a network for IPv4, it still isn't clear how to do the same for IPv6 - both
because IPv6 is much more complex and feature-rich, and because there isn't
much information/howtos available for IPv6 right now. So, I think it makes
sense to prepare some documentation about IPv6-related configuration on the
gentoo site and notify users with the `eselect news` mechanism about it before
enabling the "ipv6" USE flag by default in any profile.

--
WBR, Alex.
 
02-15-2011, 03:05 PM
Matthew Thode
Adding ipv6 USE flag by default

I run full dual stacked on my network at home just fine, ip6tables and filtering at the gateway work for me. As far as IPV6 specific vulnerabilities, I think that would be the price to pay (if we decide to go down this route).


-- Matthew Thode

On Tue, Feb 15, 2011 at 10:52, Alex Efros <powerman@powerman.name> wrote:

> Hi!
>
> On Fri, Feb 11, 2011 at 06:10:52PM -0500, Anthony G. Basile wrote:
> > >> I don't think there are any issues with it. The only argument I know of
> > >> is that it increases the attack surface for a feature that 0% + epsilon
> > >> of people use.
> > > Tests done by a colleague show that, right now, the amount of inbound ipv6
> > > traffic on his systems is none but I can perfectly understand your concerns
> > > even if they should apply only to the network stack itself, as the daemons
> > This is precisely the point. While on the one hand, it has little
> > current use and does potentially increase attack vectors, on the other
> > hand, ipv4 is depleted and ipv6 is on the horizon.
>
> Quick Google and CVE searches show there have been more than enough
> vulnerabilities in the IPv6 stack implementations of all OSes (including
> Linux). And, as we all know, most vulnerabilities are found only after a
> product becomes popular and widely used, which hasn't happened to IPv6 yet.
>
> Keeping this in mind, I think it makes sense to avoid enabling IPv6 by
> default on hardened until IPv6 has been widely used/tested/hacked on
> non-hardened systems for some time, or until it becomes a critical feature
> required for normal operation on most servers.
>
> This logic is the same as for separating the ~x86 and x86 profiles - the
> hardened profile shouldn't be used to test (for now) useless and potentially
> vulnerable features.
>
>
> P.S. BTW, enabling the "ipv6" USE flag isn't enough. Using dual-stack on a
> secure server also means doubling nearly all network configuration,
> including the firewall setup. And while it's well known how to securely set
> up a network for IPv4, it still isn't clear how to do the same for IPv6 - both
> because IPv6 is much more complex and feature-rich, and because there isn't
> much information/howtos available for IPv6 right now. So, I think it makes
> sense to prepare some documentation about IPv6-related configuration on the
> gentoo site and notify users with the `eselect news` mechanism about it before
> enabling the "ipv6" USE flag by default in any profile.
>
> --
> WBR, Alex.
 
02-15-2011, 03:05 PM
Michael Orlitzky
Adding ipv6 USE flag by default

On 02/15/2011 10:52 AM, Alex Efros wrote:
> Hi!
>
> Quick Google and CVE searches show there have been more than enough
> vulnerabilities in the IPv6 stack implementations of all OSes (including
> Linux). And, as we all know, most vulnerabilities are found only after a
> product becomes popular and widely used, which hasn't happened to IPv6 yet.
>
> Keeping this in mind, I think it makes sense to avoid enabling IPv6 by
> default on hardened until IPv6 has been widely used/tested/hacked on
> non-hardened systems for some time, or until it becomes a critical feature
> required for normal operation on most servers.
>
> This logic is the same as for separating the ~x86 and x86 profiles - the
> hardened profile shouldn't be used to test (for now) useless and potentially
> vulnerable features.
>
>
> P.S. BTW, enabling the "ipv6" USE flag isn't enough. Using dual-stack on a
> secure server also means doubling nearly all network configuration,
> including the firewall setup. And while it's well known how to securely set
> up a network for IPv4, it still isn't clear how to do the same for IPv6 - both
> because IPv6 is much more complex and feature-rich, and because there isn't
> much information/howtos available for IPv6 right now. So, I think it makes
> sense to prepare some documentation about IPv6-related configuration on the
> gentoo site and notify users with the `eselect news` mechanism about it before
> enabling the "ipv6" USE flag by default in any profile.
>

I tend to agree; it's not like ipv6 is disabled, it's just off by
default. My biggest concern however is for the people who run apache,
postfix, dovecot, etc. with the equivalent of,

listen = *

who will suddenly be listening on ipv6 addresses (and possibly not know
it) after a recompile. Are all these ipv6-listening services secure? Who
knows, because no one's using them.

The default unconfigured state is probably safe from the network, but I
wouldn't be able to say for sure unless I spent a couple of weeks
bringing myself up to speed on ipv6.
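Two practical worries come up in this thread: Michael Orlitzky's point that daemons configured with the equivalent of `listen = *` will silently start accepting IPv6 connections once they are rebuilt with USE=ipv6, and Alex Efros's point that a dual-stack host needs its firewall duplicated with ip6tables. The script below is an added example, not code from this thread or from Gentoo; it audits exactly that combination. The `ss -6ltn` and `ip6tables-save` samples it parses are constructed, the SAMPLE_* and function names are mine, and the ports in them are hypothetical. On a real host substitute the live output of those two commands.

```shell
#!/bin/sh
# Added example (not from this thread or from Gentoo): list the daemons that
# became reachable over IPv6 after a rebuild with USE=ipv6, and check whether
# ip6tables actually filters them. The two inputs below are constructed;
# on a real host use "$(ss -6ltn)" and "$(ip6tables-save)" instead.

# Constructed `ss -6ltn` sample. sshd and postfix were configured with a
# wildcard listen address and now bind [::]; dovecot is loopback-only.
# Older iproute2 prints the v6 wildcard as ":::PORT", newer as "[::]:PORT";
# the parser accepts both, so the last line uses the old form.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      100    [::]:25            [::]:*
LISTEN 0      128    [::1]:143          [::]:*
LISTEN 0      128    :::80              :::*'

# Constructed `ip6tables-save` dumps. The first is what a box that only ever
# had an iptables (v4) ruleset looks like on the v6 side: nothing is filtered.
SAMPLE_FW_WEAK='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# The second mirrors a typical v4 policy onto v6. ICMPv6 must stay open:
# neighbour discovery and path-MTU discovery run over it, and dropping it
# the way a v4 ruleset drops ICMP echo breaks IPv6 entirely.
SAMPLE_FW_GOOD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# stdin: `ss -6ltn` output. Prints the ports of TCP listeners bound to
# anything other than ::1, one per line, sorted numerically.
v6_listen_ports() {
    awk '$1 == "LISTEN" {
            addr = $4
            if (addr ~ /^(\[::1\]|::1):[0-9]+$/) next   # loopback only
            sub(/.*:/, "", addr)                         # keep the port
            print addr
         }' | sort -n | uniq
}

# stdin: `ip6tables-save` output. Prints the filter/INPUT policy; when no
# filter table is present at all, the kernel default (ACCEPT) is reported.
ip6_input_policy() {
    awk 'BEGIN { pol = "ACCEPT" }
         /^\*/ { intable = ($1 == "*filter") }
         intable && $1 == ":INPUT" { pol = $2 }
         END { print pol }'
}

# stdin: `ip6tables-save` output. Prints TCP ports that filter/INPUT accepts
# through an explicit --dport/--dports rule (port ranges and jumps into
# user-defined chains are not followed).
ip6_accepted_ports() {
    awk '/^\*/ { intable = ($1 == "*filter") }
         intable && $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "--dport" || $i == "--dports") print $(i + 1)
         }' | tr ',' '\n' | sort -n | uniq
}

# $1: ss output, $2: ip6tables-save output. One line per v6 listener:
# "PORT OPEN (...)" if packets from the network reach it, "PORT filtered"
# otherwise.
audit_v6_exposure() {
    policy=$(printf '%s\n' "$2" | ip6_input_policy)
    accepted=$(printf '%s\n' "$2" | ip6_accepted_ports)
    printf '%s\n' "$1" | v6_listen_ports | while read -r port; do
        if [ "$policy" != "DROP" ]; then
            echo "$port OPEN (INPUT policy $policy)"
        elif printf '%s\n' "$accepted" | grep -qx "$port"; then
            echo "$port OPEN (accepted by rule)"
        else
            echo "$port filtered"
        fi
    done
}

echo "== no v6 ruleset =="
audit_v6_exposure "$SAMPLE_SS" "$SAMPLE_FW_WEAK"
echo "== v4 policy mirrored to ip6tables =="
audit_v6_exposure "$SAMPLE_SS" "$SAMPLE_FW_GOOD"
```

With the weak ruleset every listener that the rebuild put on `[::]` is reported open, which is the surprise the thread is worried about: the v4 firewall never saw those packets. With the mirrored ruleset only port 22 is open and the unexpected postfix and httpd listeners are filtered by the DROP policy until someone writes a rule for them. The `ipv6-icmp` accept line is the part most often forgotten when copying a v4 policy; without it the host cannot even resolve its neighbours' link-layer addresses.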
 
