Old 06-25-2012, 11:08 AM
"Anthony G. Basile"
 
ipv6 on by default for hardened profile

Hi everyone,

We visited this issue during the first ipv6 global day and I asked the
masses: do you want ipv6 on by default or not. There was lots of back
and forth and since it was only a question of default, I left the status
quo, which is off by default.


But now the ipv6 pressures mount! Diego has made a good argument that
deploying hardened in an ipv6 only environment is a real pita. You
can't get the goodies you need to bootstrap into an ipv6 only
environment. With the growth in ipv6, I think it is time.


I'm alerting users so that you can make whatever changes you like to
ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
default ipv6 on all hardened profiles.



--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
 
Old 06-25-2012, 01:58 PM
Matthew Thode
 
ipv6 on by default for hardened profile

On 06/25/2012 06:08 AM, Anthony G. Basile wrote:
> Hi everyone,
>
> We visited this issue during the first ipv6 global day and I asked the
> masses: do you want ipv6 on by default or not. There was lots of back
> and forth and since it was only a question of default, I left the status
> quo, which is off by default.
>
> But now the ipv6 pressures mount! Diego has made a good argument that
> deploying hardened in an ipv6 only environment is a real pita. You
> can't get the goodies you need to bootstrap into an ipv6 only
> environment. With the growth in ipv6, I think it is time.
>
> I'm alerting users so that you can make whatever changes you like to
> ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
> default ipv6 on all hardened profiles.
>
>
I use ipv6 on all my servers (not that everyone does). We will have to
enable it eventually; sooner is probably better than later, I think.

--
-- Matthew Thode (prometheanfire)
 
Old 06-25-2012, 02:37 PM
Sven Vermeulen
 
ipv6 on by default for hardened profile

On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
> I use ipv6 on all my servers (not that everyone does). We will have to
> enable it eventually; sooner is probably better than later, I think.

It's a default, users can still opt-out, so I don't really mind, but we
might want to keep changes on these defaults to a minimum time-wise, not? I
mean, if we now enable ipv6 default (btw, shouldn't that be on the parent
profiles instead?) and then later ldap, and then ... right next to "stage"
these changes for 6 months and do them all at once?

Wkr,
Sven Vermeulen
 
Old 06-25-2012, 03:32 PM
Matthew Thode
 
ipv6 on by default for hardened profile

On 06/25/2012 09:37 AM, Sven Vermeulen wrote:
> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
>> I use ipv6 on all my servers (not that everyone does). We will have to
>> enable it eventually; sooner is probably better than later, I think.
>
> It's a default, users can still opt-out, so I don't really mind, but we
> might want to keep changes on these defaults to a minimum time-wise, not? I
> mean, if we now enable ipv6 default (btw, shouldn't that be on the parent
> profiles instead?) and then later ldap, and then ... right next to "stage"
> these changes for 6 months and do them all at once?
>
> Wkr,
> Sven Vermeulen
>
Ya, it probably should be on the parent profile, didn't we explicitly
disable it (or was it something else) for hardened though?

--
-- Matthew Thode (prometheanfire)
 
Old 06-26-2012, 03:03 AM
Alex Efros
 
ipv6 on by default for hardened profile

Hi!

On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
> > I'm alerting users so that you can make whatever changes you like to
> > ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
> > default ipv6 on all hardened profiles.
> I use ipv6 on all my servers (not that everyone does). We will have to
> enable it eventually; sooner is probably better than later, I think.

Correct me if I'm wrong, but enabling IPv6 means needing to support two
different routing tables and two different firewalls. Also, I suppose
enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
may (and probably will!) result in creating new security holes until the admin
develops IPv6 firewall rules similar to the existing IPv4 firewall rules.
And I suppose just trying to duplicate the existing rules as-is won't be
enough because of new IPv6-specific features, which are absent in IPv4,
and which should be additionally blocked/enabled too.

If I'm right (about creating new security holes because of enabling the ipv6
USE flag) then it may be a bad idea to enable it by default until we're
sure the admin is ready for this (for example, we may check whether IPv6 is
enabled in the kernel and whether IPv6 firewall rules exist).

BTW, are there (Gentoo?) guides/howtos which explain these issues
(preferably from a "differences from IPv4" point of view) to the average admin
who knows how to set up IPv4 and knows nothing about IPv6, and provide a
minimum recommended configuration for IPv6 routing/firewall? I think
enabling IPv6 by default should begin with writing such docs.

--
WBR, Alex.
 
Old 06-26-2012, 04:25 AM
Matthew Thode
 
ipv6 on by default for hardened profile

On 06/25/2012 10:03 PM, Alex Efros wrote:
> Hi!
>
> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
>>> I'm alerting users so that you can make whatever changes you like to
>>> ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
>>> default ipv6 on all hardened profiles.
>> I use ipv6 on all my servers (not that everyone does). We will have to
>> enable it eventually; sooner is probably better than later, I think.
>
> Correct me if I'm wrong, but enabling IPv6 means needing to support two
> different routing tables and two different firewalls. Also, I suppose
> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
> may (and probably will!) result in creating new security holes until the admin
> develops IPv6 firewall rules similar to the existing IPv4 firewall rules.
> And I suppose just trying to duplicate the existing rules as-is won't be
> enough because of new IPv6-specific features, which are absent in IPv4,
> and which should be additionally blocked/enabled too.
>
> If I'm right (about creating new security holes because of enabling the ipv6
> USE flag) then it may be a bad idea to enable it by default until we're
> sure the admin is ready for this (for example, we may check whether IPv6 is
> enabled in the kernel and whether IPv6 firewall rules exist).
>
> BTW, are there (Gentoo?) guides/howtos which explain these issues
> (preferably from a "differences from IPv4" point of view) to the average admin
> who knows how to set up IPv4 and knows nothing about IPv6, and provide a
> minimum recommended configuration for IPv6 routing/firewall? I think
> enabling IPv6 by default should begin with writing such docs.
>
You do run into these issues; I think we need to do a news thing for the
hardened profiles if we go ahead and enable it.

--
-- Matthew Thode (prometheanfire)
 
Old 06-26-2012, 05:43 AM
Michael Orlitzky
 
ipv6 on by default for hardened profile

On 06/25/12 23:03, Alex Efros wrote:
>
> Correct me if I'm wrong, but enabling IPv6 means needing to support two
> different routing tables and two different firewalls. Also, I suppose
> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
> may (and probably will!) result in creating new security holes until the admin
> develops IPv6 firewall rules similar to the existing IPv4 firewall rules.
> And I suppose just trying to duplicate the existing rules as-is won't be
> enough because of new IPv6-specific features, which are absent in IPv4,
> and which should be additionally blocked/enabled too.

This is where I'm at -- being in the USA, I'll probably be long dead
before our upstream supports ipv6. I don't even know enough about ipv6
to know what I don't know, so the only safe course is to have it disabled.

It's easy enough to set USE="-ipv6" manually of course, but the same
argument works for USE="ipv6". So, I think the default should be what
most people want; i.e. what the fewest people will have to override. Do
most hardened machines use ipv6?
 
Old 06-26-2012, 06:26 AM
Jonny Kent
 
ipv6 on by default for hardened profile

On Jun 25, 2012, at 10:43 PM, Michael Orlitzky <michael@orlitzky.com> wrote:

> On 06/25/12 23:03, Alex Efros wrote:
>>
>> Correct me if I'm wrong, but enabling IPv6 means needing to support two
>> different routing tables and two different firewalls. Also, I suppose
>> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
>> may (and probably will!) result in creating new security holes until the admin
>> develops IPv6 firewall rules similar to the existing IPv4 firewall rules.
>> And I suppose just trying to duplicate the existing rules as-is won't be
>> enough because of new IPv6-specific features, which are absent in IPv4,
>> and which should be additionally blocked/enabled too.
>
> This is where I'm at -- being in the USA, I'll probably be long dead
> before our upstream supports ipv6. I don't even know enough about ipv6
> to know what I don't know, so the only safe course is to have it disabled.
>
> It's easy enough to set USE="-ipv6" manually of course, but the same
> argument works for USE="ipv6". So, I think the default should be what
> most people want; i.e. what the fewest people will have to override. Do
> most hardened machines use
As an end user of hardened working in a California educational institution, I note that my institution doesn't yet have either firewall or router rules stabilized for ipv6 and doesn't expect them for probably another 6 months, so whatever is decided, it will be off on the servers I administer.
Alex makes good points about the lack of expertise in ipv6 firewalls. Having ipv6 on by default would seem to go against the spirit of the hardened profile, since it opens systems to new attack vectors created unwittingly.
 
Old 06-26-2012, 07:38 AM
Darknight
 
ipv6 on by default for hardened profile

Enable ipv6 use flag and disable ipv6 in /etc/sysctl.conf?
- no scary (j/k) ipv6 enabled by default
- ipv6 enabled in a matter of seconds without need for an internet
connection


The news item and a word about the sysctl thing in the docs would be good.
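As an added example that is not part of the thread: a small POSIX sh audit implementing the readiness check Alex proposes (is IPv6 live in the kernel, and does an IPv6 firewall actually exist?) alongside the sysctl knob Darknight refers to. It assumes the standard Linux sysctl path /proc/sys/net/ipv6/conf/all/disable_ipv6 and the `ip6tables -S` output format; the two sample rule sets are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: the readiness check Alex proposes.
# /etc/sysctl.conf lines that switch IPv6 off while keeping USE="ipv6":
#   net.ipv6.conf.all.disable_ipv6 = 1
#   net.ipv6.conf.default.disable_ipv6 = 1

# ipv6_sysctl_state FILE -> absent | disabled | enabled
# FILE is normally /proc/sys/net/ipv6/conf/all/disable_ipv6; a missing
# file means the kernel was built without IPv6 at all.
ipv6_sysctl_state() {
    [ -r "$1" ] || { echo absent; return 0; }
    case "$(cat "$1")" in
        1) echo disabled ;;
        *) echo enabled ;;
    esac
}

# ip6_input_filtered RULES -> 0 if RULES (text of `ip6tables -S`) shows the
# INPUT chain with a DROP policy or a catch-all DROP/REJECT rule, else 1
ip6_input_filtered() {
    printf '%s\n' "$1" | grep -q '^-P INPUT DROP$' && return 0
    printf '%s\n' "$1" | grep -Eq '^-A INPUT -j (DROP|REJECT)' && return 0
    return 1
}

# ipv6_exposure FILE RULES -> off | ok | unfiltered
ipv6_exposure() {
    if [ "$(ipv6_sysctl_state "$1")" != enabled ]; then
        echo off
    elif ip6_input_filtered "$2"; then
        echo ok
    else
        echo unfiltered   # IPv6 reachable and nothing filters inbound
    fi
}

# Constructed sample rule sets in `ip6tables -S` format.
RULES_OPEN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
RULES_FILTERED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Live audit of this host (no ip6tables binary is treated as no rules).
live_rules=$(ip6tables -S 2>/dev/null || true)
echo "this host: $(ipv6_exposure /proc/sys/net/ipv6/conf/all/disable_ipv6 "$live_rules")"
```

A result of "unfiltered" is the case Alex warns about: the ipv6 USE flag plus a live kernel stack with only IPv4 rules in place.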
 
Old 06-26-2012, 07:49 AM
Michael Orlitzky
 
ipv6 on by default for hardened profile

On 06/26/2012 03:38 AM, Darknight wrote:
> Enable ipv6 use flag and disable ipv6 in /etc/sysctl.conf?
> - no scary (j/k) ipv6 enabled by default
> - ipv6 enabled in a matter of seconds without need for an internet
> connection
>
> The news item and a word about the sysctl thing in the docs would be good.
>

Does this actually work, or does it cause half of the software compiled
with USE="ipv6" to crash?

Also, I don't think it's much easier than setting USE="-ipv6" =)
 