Linux Archive

Gentoo Hardened list thread: ipv6 on by default for hardened profile (http://www.linux-archive.org/gentoo-hardened/676823-ipv6-default-hardened-profile.html)

"Anthony G. Basile" 06-25-2012 11:08 AM

ipv6 on by default for hardened profile
 
Hi everyone,

We visited this issue during the first ipv6 global day and I asked the
masses: do you want ipv6 on by default or not. There was lots of back
and forth and since it was only a question of default, I left the status
quo, which is off by default.


But now the ipv6 pressures mount! Diego has made a good argument that
deploying hardened in an ipv6 only environment is a real pita. You
can't get the goodies you need to bootstrap into an ipv6 only
environment. With the growth in ipv6, I think it is time.


I'm alerting users so that you can make whatever changes you like to
ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
default ipv6 on all hardened profiles.



--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

Matthew Thode 06-25-2012 01:58 PM

On 06/25/2012 06:08 AM, Anthony G. Basile wrote:
> Hi everyone,
>
> We visited this issue during the first ipv6 global day and I asked the
> masses: do you want ipv6 on by default or not. There was lots of back
> and forth and since it was only a question of default, I left the status
> quo, which is off by default.
>
> But now the ipv6 pressures mount! Diego has made a good argument that
> deploying hardened in an ipv6 only environment is a real pita. You
> can't get the goodies you need to bootstrap into an ipv6 only
> environment. With the growth in ipv6, I think it is time.
>
> I'm alerting users so that you can make whatever changes you like to
> ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
> default ipv6 on all hardened profiles.
>
>
I use ipv6 on all my servers (not that everyone does). We will have to
enable it eventually, sooner is probably better than later I think.

--
-- Matthew Thode (prometheanfire)

Sven Vermeulen 06-25-2012 02:37 PM

On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
> I use ipv6 on all my servers (not that everyone does). We will have to
> enable it eventually, sooner is probably better than later I think.

It's a default, users can still opt-out, so I don't really mind, but we
might want to keep changes on these defaults to a minimum time-wise, not? I
mean, if we now enable ipv6 default (btw, shouldn't that be on the parent
profiles instead?) and then later ldap, and then ... right next to "stage"
these changes for 6 months and do them all at once?

Wkr,
Sven Vermeulen

Matthew Thode 06-25-2012 03:32 PM

On 06/25/2012 09:37 AM, Sven Vermeulen wrote:
> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
>> I use ipv6 on all my servers (not that everyone does). We will have to
>> enable it eventually, sooner is probably better than later I think.
>
> It's a default, users can still opt-out, so I don't really mind, but we
> might want to keep changes on these defaults to a minimum time-wise, not? I
> mean, if we now enable ipv6 default (btw, shouldn't that be on the parent
> profiles instead?) and then later ldap, and then ... right next to "stage"
> these changes for 6 months and do them all at once?
>
> Wkr,
> Sven Vermeulen
>
Ya, it probably should be on the parent profile, didn't we explicitly
disable it (or was it something else) for hardened though?

--
-- Matthew Thode (prometheanfire)

Alex Efros 06-26-2012 03:03 AM

Hi!

On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
> > I'm alerting users so that you can make whatever changes you like to
> > ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
> > default ipv6 on all hardened profiles.
> I use ipv6 on all my servers (not that everyone does). We will have to
> enable it eventually, sooner is probably better than later I think.

Correct me if I'm wrong, but enabling IPv6 means needing to support two
different routing tables and two different firewalls. Also, I suppose
enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
may (and probably will!) result in creating new security holes until the admin
develops IPv6 firewall rules similar to the existing IPv4 firewall rules.
And I suppose just trying to duplicate the existing rules as-is won't be
enough because of new IPv6-specific features, which are absent in IPv4,
and which should be additionally blocked/enabled too.

If I'm right (about creating new security holes because of enabling the ipv6
USE flag) then it may be a bad idea to enable it by default until we're
sure the admin is ready for this (for example, we may check whether IPv6 is
enabled in the kernel and whether IPv6 firewall rules exist).

BTW, are there (Gentoo?) guides/howtos which explain these issues
(preferably from a "differences from IPv4" point of view) to the average admin
who knows how to set up IPv4 and knows nothing about IPv6, and provide a
minimum recommended configuration for IPv6 routing/firewall? I think
enabling IPv6 by default should begin with writing such docs.

--
WBR, Alex.
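The readiness check Alex sketches above (is IPv6 on in the kernel, do ip6tables rules exist, and do they avoid the IPv6-specific trap of blocking Neighbour Discovery along with the rest of ICMP), written out as an added example; this is not code from the thread or from Gentoo. The sysctl value and the `ip6tables -S` output are read from files given as parameters so the check can run on saved snapshots; the snapshots the script writes for its dry run are constructed, not captured from a real host.

```shell
# Added example (not from the thread or Gentoo): the readiness check Alex
# proposes. Inputs are files so the check runs on snapshots as well as live:
#   $1 - value of net.ipv6.conf.all.disable_ipv6 (default: the live sysctl)
#   $2 - output of `ip6tables -S`

# 0 when the kernel has IPv6 enabled, 1 when disabled or absent.
ipv6_kernel_enabled() {
    f=${1:-/proc/sys/net/ipv6/conf/all/disable_ipv6}
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# 0 when INPUT is wide open: policy ACCEPT and nothing dropped or rejected.
# This is the hole Alex describes: IPv6 reachable, IPv4 rules not mirrored.
ip6_input_open() {
    grep -q '^-P INPUT ACCEPT' "$1" && ! grep -E -q '^-A INPUT .*-j (DROP|REJECT)' "$1"
}

# 0 when Neighbour Discovery (ICMPv6 types 133-136) is explicitly accepted.
# A literal copy of an IPv4 "drop all ICMP" policy blocks NDP and breaks
# IPv6 outright, which is the kind of IPv6-specific difference Alex means.
ip6_ndp_allowed() {
    grep -E -q '^-A INPUT .*-p (ipv6-icmp|icmpv6) .*--icmpv6-type (13[3-6]|neighbou?r-|router-).*-j ACCEPT$' "$1"
}

# Verdict for one host: IPV6-OFF, OPEN, NDP-BLOCKED or READY.
ipv6_readiness() {
    if ! ipv6_kernel_enabled "$1"; then echo IPV6-OFF
    elif ip6_input_open "$2"; then echo OPEN
    elif ! ip6_ndp_allowed "$2"; then echo NDP-BLOCKED
    else echo READY
    fi
}

# Constructed sample snapshots (not from any real host) for a dry run.
write_samples() {
    printf '0\n' > "$1/disable_ipv6"
    printf '%s\n' '-P INPUT ACCEPT' '-P FORWARD ACCEPT' '-P OUTPUT ACCEPT' > "$1/open.rules"
    printf '%s\n' '-P INPUT DROP' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp --dport 22 -j ACCEPT' > "$1/copied.rules"
    printf '%s\n' '-P INPUT DROP' \
        '-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT' \
        '-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT' \
        '-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT' \
        '-A INPUT -p tcp --dport 22 -j ACCEPT' > "$1/ready.rules"
}

samples=$(mktemp -d) && write_samples "$samples"
for r in open copied ready; do echo "$r: $(ipv6_readiness "$samples/disable_ipv6" "$samples/$r.rules")"; done
```

On a live box, run `ipv6_readiness "" /path/to/ip6tables-S-output` (empty first argument uses the kernel's sysctl file); the "copied" snapshot shows that a faithful copy of a typical IPv4 ruleset still comes out NDP-BLOCKED.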

Matthew Thode 06-26-2012 04:25 AM

On 06/25/2012 10:03 PM, Alex Efros wrote:
> Hi!
>
> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
>>> I'm alerting users so that you can make whatever changes you like to
>>> ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
>>> default ipv6 on all hardened profiles.
>> I use ipv6 on all my servers (not that everyone does). We will have to
>> enable it eventually, sooner is probably better than later I think.
>
> Correct me if I'm wrong, but enabling IPv6 means needing to support two
> different routing tables and two different firewalls. Also, I suppose
> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
> may (and probably will!) result in creating new security holes until the admin
> develops IPv6 firewall rules similar to the existing IPv4 firewall rules.
> And I suppose just trying to duplicate the existing rules as-is won't be
> enough because of new IPv6-specific features, which are absent in IPv4,
> and which should be additionally blocked/enabled too.
>
> If I'm right (about creating new security holes because of enabling the ipv6
> USE flag) then it may be a bad idea to enable it by default until we're
> sure the admin is ready for this (for example, we may check whether IPv6 is
> enabled in the kernel and whether IPv6 firewall rules exist).
>
> BTW, are there (Gentoo?) guides/howtos which explain these issues
> (preferably from a "differences from IPv4" point of view) to the average admin
> who knows how to set up IPv4 and knows nothing about IPv6, and provide a
> minimum recommended configuration for IPv6 routing/firewall? I think
> enabling IPv6 by default should begin with writing such docs.
>
You do run into these issues, I think we need to do a news thing for the
hardened profiles if we go ahead and enable it.

--
-- Matthew Thode (prometheanfire)

Michael Orlitzky 06-26-2012 05:43 AM

On 06/25/12 23:03, Alex Efros wrote:
>
> Correct me if I'm wrong, but enabling IPv6 means needing to support two
> different routing tables and two different firewalls. Also, I suppose
> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
> may (and probably will!) result in creating new security holes until the admin
> develops IPv6 firewall rules similar to the existing IPv4 firewall rules.
> And I suppose just trying to duplicate the existing rules as-is won't be
> enough because of new IPv6-specific features, which are absent in IPv4,
> and which should be additionally blocked/enabled too.

This is where I'm at -- being in the USA, I'll probably be long dead
before our upstream supports ipv6. I don't even know enough about ipv6
to know what I don't know, so the only safe course is to have it disabled.

It's easy enough to set USE="-ipv6" manually of course, but the same
argument works for USE="ipv6". So, I think the default should be what
most people want; i.e. what the fewest people will have to override. Do
most hardened machines use ipv6?

Jonny Kent 06-26-2012 06:26 AM

On Jun 25, 2012, at 10:43 PM, Michael Orlitzky <michael@orlitzky.com> wrote:

> On 06/25/12 23:03, Alex Efros wrote:
>>
>> Correct me if I'm wrong, but enabling IPv6 means needing to support two
>> different routing tables and two different firewalls. Also, I suppose
>> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
>> may (and probably will!) result in creating new security holes until the admin
>> develops IPv6 firewall rules similar to the existing IPv4 firewall rules.
>> And I suppose just trying to duplicate the existing rules as-is won't be
>> enough because of new IPv6-specific features, which are absent in IPv4,
>> and which should be additionally blocked/enabled too.
>
> This is where I'm at -- being in the USA, I'll probably be long dead
> before our upstream supports ipv6. I don't even know enough about ipv6
> to know what I don't know, so the only safe course is to have it disabled.
>
> It's easy enough to set USE="-ipv6" manually of course, but the same
> argument works for USE="ipv6". So, I think the default should be what
> most people want; i.e. what the fewest people will have to override. Do
> most hardened machines use
As an end user of hardened working in a California educational institution, I note that my institution doesn't yet have either firewall or router rules stabilized for ipv6, and I don't expect them for probably another 6 months, so whatever is decided, it will be off on the servers I administer.
Alex makes good points about the lack of expertise in ipv6 firewalls. Having ipv6 on by default would seem to go against the spirit of the hardened profile, since it opens systems to new attack vectors created unwittingly.

Darknight 06-26-2012 07:38 AM

Enable ipv6 use flag and disable ipv6 in /etc/sysctl.conf?
- no scary (j/k) ipv6 enabled by default
- ipv6 enabled in a matter of seconds without need for an internet
connection


The news item and a word about the sysctl thing in the docs would be good.

Michael Orlitzky 06-26-2012 07:49 AM

On 06/26/2012 03:38 AM, Darknight wrote:
> Enable ipv6 use flag and disable ipv6 in /etc/sysctl.conf?
> - no scary (j/k) ipv6 enabled by default
> - ipv6 enabled in a matter of seconds without need for an internet
> connection
>
> The news item and a word about the sysctl thing in the docs would be good.
>

Does this actually work, or does it cause half of the software compiled
with USE="ipv6" to crash?

Also, I don't think it's much easier than setting USE="-ipv6" =)

