Disabling ipv6

Fernando Lozano fernando at lozano.eti.br
Fri Jul 12 15:21:45 UTC 2013


>> NAT is a fact today, has been for years, and people have been using
>> Bittorrent and Skype regardless.
> And sometimes they (and other applications) don't work, because of
> things like layered NAT.
Fix NAT issues instead of ditch it altogether.

>> For home users and SMBs, NAT is something that was taken care of.
>> IPv6 is a whole new bunch of risks. I am not against IPv6 per se. I
>> am against wide use of IPv6 right now. Let it mature.
> How will it "mature" if nobody tries it?  Fedora is a leading-edge
> operating system, and full IPv6 support is part of that.
Fedora servers many different kinds of users, some of then are not 
network people and would be hurt by current IPv6 problems. The network 
people can enable IPv6, other should't have to disable it. That's the 
same principle as don't let TCP ports open by default on iptables.

>>> As IPv4 runs out, some ISPs are turning to "Carrier Grade NAT", which
>>> adds layers of NAT that break things like P2P applications and IPSec.
>> I'll happily trade IPSec for OpenVPN. ;-)
> That's nice, but in the real world, users have to connect to VPNs
> configured by others (and many businesses need hardware VPN
> concentrators, which OpenVPN won't work with).
In the real world, ISPs should fix their Carrier Grande NAT. There are 
lots of ways wrong network configs can 0impact apps.

>> To just use the network they need only IPv4.
> That is not true in some places (and the number of such places is
> increasing all the time).
Defaults should focus most users, not the exceptions. When most users 
need IPv6, it's ok to have it enabled by default.

Plese note I ain't proposing removing IPv6 support from the Fedora Linux 
Kernel. I'm just proposing the default network configurations should 
have IPv6 disabled, and those who want to use it should have to take 
action (just click a checkbox) to enable.

>> They don't need the
>> security risks that current IPv6 implementation and default
>> configurations adds. Today, IPv6 is far from "just works". You are
>> advocating using all end users as guiena pigs for IPv6 evolution. I
>> advocate evolving IPv6 before exposing end users to ti.
> You are several years behind the curve on IPv6.
> You keep talking about IPv6 security risks (over IPv4), but haven't
> cited any.
Please see my other message about them, won't repeat the links here. You 
could just google "IPv6 security risks" to see articles from the current 
year about then. And follow IETF RFCs to see how many proposals about 
them are in Draft and not implement by most products yet. PLease don't 
assume people who disagree with you no clue what they are talking about.

> IPv6 does "just work" in many places; there are a lot of people that are
> using IPv6 and don't even know it
And those are exposed to the security risks. We haven't see a 
high-profile (media coverage) IPv6 attach yet just because so few peple 
actually use it that it's not very attractive to hackers. But as ISPs 
move on implements proper IPv6 support (without tunnels internally) 
those ISP users are becoming so vulnerable.

> Whether you like it or not, IPv6 is here today and is here to stay.
> There is no practical alternative.  Will there be bugs?  Yes, of course;
> people are still finding IPv4 bugs as well.
Will tell again: I'm bot against IPv6 per se. I agree it has to be 
deployed. But I can't agree using end users and SMBs as guinea pigs, 
waiting to see how hackers use it to create new attacks. Let the big 
companies work this before giving IPv6 enabled by default in Fedora, 
Windows, Mac and other OSes.

[]s, Fernando Lozano

More information about the users mailing list