DHCPv6 *still* broken for F17 alpha

Chuck Anderson cra at WPI.EDU
Thu Mar 1 21:30:46 UTC 2012


On Thu, Mar 01, 2012 at 03:43:50PM -0500, Chuck Anderson wrote:
> > There will be a dhcpv6 service entry for firewalld soon and later on  
> > also for system-config-firewall.
> >
> > Where how and when it will and could be enabled will be evaluated.
> 
> I'm going to have to chime in and say we /really/ need this in the
> default /etc/sysconfig/ip6tables sooner rather than later.  I would
> hope that this could be done immediately (for F17+), rather than
> waiting for the related firewalld and system-config-firewall changes
> to be "evaluated".  Who does this "evaluation" and how do I contribute
> to that discussion?

If anyone would like to follow the development of the kernel module,
it is here:

http://marc.info/?l=netfilter-devel&m=132884104228530&w=2

It seems that there are several different opinions being floated:

1. Distributors don't want to have to add firewall rules to allow
   replies to client-initiated traffic, and would rather have a
   connection tracking kernel module handle it automatically.

As of a couple days ago, just such a kernel module is now ready to be
merged, BUT:

2. Kernel developers don't want to bloat the kernel with conntrack
   helpers for each specific broadcast- and multicast-based protocol.
   They would rather have a user-space helper do it, which will be
   available "just around the corner".

So here we sit and wait (for several YEARS) for the DHCPv6 Client to
work out-of-the-box on Fedora, a supposedly leading, trend-setting
distro/OS (it already works out-of-the-box on Ubuntu, MacOS, Windows,
OpenWRT) while people have philosophical discussions on how to solve
the security "problem" 100%.

Meanwhile the DHCPv4 Client bypasses netfilter completely (due to its
use of raw sockets) and so it doesn't have to live up to the same
strict standards of security that are being imposed on DHCPv6, just at
the critical time when we need DHCPv6 to work.

Please, let us have an interim solution so we don't have to wait two
more years for that last 10% of security perfection which takes 90% of
the time...  Two years ago was the time to block for a perfect
solution, not now.  Fedora 17 needs this.

Thanks.
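As an added example (not part of Chuck's mail, and not Fedora's shipped configuration), the stateless rule the mail asks for in /etc/sysconfig/ip6tables, wrapped in a small POSIX sh script that checks a ruleset for it and inserts it ahead of the catch-all REJECT. The sample ruleset is constructed for the demonstration; the UDP ports (client 546, server 547) and the link-local scope are the DHCPv6 protocol's own. It also spells out why the usual ESTABLISHED,RELATED rule does not cover this case, which is what the conntrack-helper debate in the mail is about.

```shell
#!/bin/sh
# Added example, not from the original mail or from Fedora's own config.
# A DHCPv6 *client* solicits from UDP 546 to the multicast group ff02::1:2,
# port 547. The server (or relay) answers from its own link-local unicast
# address, so the reply never matches the conntrack entry created by the
# multicast solicit and "-m state --state ESTABLISHED,RELATED" will not admit
# it. Without a helper, the client side needs an explicit stateless rule.

# The rule: accept UDP from server port 547 to client port 546, link-local on
# both ends. If your server answers from a global address, drop the -s match.
dhcpv6_client_rule() {
    printf '%s\n' '-A INPUT -s fe80::/64 -d fe80::/64 -p udp -m udp --sport 547 --dport 546 -j ACCEPT'
}

# Constructed sample of an ip6tables-save style ruleset that lacks the rule:
# ICMPv6 and loopback pass, everything else hits the catch-all REJECT, so
# Advertise/Reply messages never reach dhclient -6.
SAMPLE_CONFIG='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT'

# Returns 0 when FILE already has an INPUT rule accepting UDP to port 546.
has_dhcpv6_client_rule() {
    grep -Eq '^-A INPUT .*-p udp.*--dport 546 .*-j ACCEPT' "$1"
}

# Copy IN to OUT, inserting the rule just before the first INPUT REJECT so
# it is evaluated ahead of the catch-all. Ordering matters: appended after
# the REJECT it would never be reached.
insert_dhcpv6_client_rule() {
    rule=$(dhcpv6_client_rule)
    awk -v rule="$rule" '
        !done && /^-A INPUT .*-j REJECT/ { print rule; done = 1 }
        { print }
    ' "$1" > "$2"
}

# Stand-alone demo: write the constructed sample and report before/after.
workdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_CONFIG" > "$workdir/ip6tables.before"
insert_dhcpv6_client_rule "$workdir/ip6tables.before" "$workdir/ip6tables.after"
for f in before after; do
    if has_dhcpv6_client_rule "$workdir/ip6tables.$f"; then
        echo "$f: DHCPv6 server replies accepted"
    else
        echo "$f: DHCPv6 server replies rejected (client will never see Advertise/Reply)"
    fi
done
rm -rf "$workdir"
```

Run it as `sh dhcpv6-rule.sh` on any host with awk and grep; nothing in it touches the live firewall, it only edits a copy of the ruleset so the result can be reviewed before `ip6tables-restore`.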

