Proposal: Fedora should install with IPv6 disabled by default [was: Re: Disabling ipv6]

James Hogarth james.hogarth at gmail.com
Sun Jul 14 07:14:11 UTC 2013


>
> I disagree also that it should be disabled by default
> *but* it should be disabled if you are on a network
> with only a DHCP4 server and no DHCP6 or if you
> have a static configuration without ipv6
>
> currently you get a link-local address
>

This is by design. And with ipv6 incoming (big in Asia, and ISPs are
beginning to enable it now for home users in the US, such as Comcast),
Windows will work out of the box. Mac OS X will work out of the box. Fedora
(or Ubuntu etc.) also needs to work out of the box.

> > IPv6 is designed to be autoconfiguring
>
> and *that* is a problem inside a ipv4 only LAN
>

Not if you are sane with your policies as an admin anyway.

>
> "locally" is enough
>
> a) nowadays many attacks are coming from inside the LAN
>

True, internal attacks are a problem. But layer 2 attacks (remember fe80:: is
link-local only and cannot be routed) are rarer... Physical security to prevent
layer 2 access in the first place is important. In addition, do your systems
get sufficiently tight in their iptables configurations that you are
manually listing IP addresses that are allowed to ssh in? If you are being
that controlling, it would be trivial to configure ip6tables to reject or
drop all packets via the same methods you are using to control iptables. If
you are not being that controlling, then this point is moot since the
default ip6tables only allows ssh and related/established connections, just
like iptables.

> b) you may be vulnerable if a foreign device comes up with
>   ipv6, your firewalls only configured for ipv4 and your
>   server got a link-local ipv6
>

Why do you have a foreign service appear on your local link? The same
physical and layer 2 thoughts apply. This is essentially point a again and
the detail in there stands.

> c) services and applications may see the link-local address
>    and think "hey I can fully operate with ipv6" which is
>    not true
>

Then file a bug for that application. The RFCs are very clear, with the
prefixes well established. An fe80:: address is link-local only, and an
application that sees this address and no 2000::/3 address should not think
it has a global address and attempt to use it... The situation is
admittedly blurred when ULA addressing comes into play, but at that point
you have made ipv6 configuration and policy choices which should take
things like this into account.

> no - if you are a sane admin you do not want *anything* enabled
> which does not match the big picture of the environment
>

A sane admin is aware of emerging technologies and the requirements
surrounding them in order to adapt as new things come along.

> keep in mind that there are environments far outside the
> single workstation and security is *always* the big picture
> of the complete environment and the weakest piece defines
> your overall security

And I will repeat that we are talking about link-local addresses here...
ip6tables is a trivially easy way to block ipv6 communication in the same
manner you presumably already manage iptables, since the scope of this bit
is the context of large environments, where you are probably talking about
smaller broadcast domains to begin with (i.e. a VLAN per floor of a building
or something similar), and the same layer 2 security for your network
applies...
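Point c) in the exchange above, as an added example that is not part of the original post: a short Python check that counts only a 2000::/3 address as global IPv6 connectivity, so a host that has picked up nothing but the default link-local fe80:: address is not mistaken for one that can reach the IPv6 internet (the ULA case the reply calls blurred is reported separately). The prefixes are the standard ones; the function names and sample addresses are my own, constructed for the example.

```python
from ipaddress import IPv6Address, IPv6Network, AddressValueError

# Scopes as the thread describes them: fe80::/10 is link-local (never routed),
# 2000::/3 is global unicast, fc00::/7 is ULA (routable inside a site only).
LINK_LOCAL = IPv6Network("fe80::/10")
ULA = IPv6Network("fc00::/7")
GLOBAL_UNICAST = IPv6Network("2000::/3")


def classify(addr: str) -> str:
    """Return 'link-local', 'ula', 'global', 'other' or 'not-ipv6'."""
    # Strip a zone index such as the "%eth0" in "fe80::1%eth0" before parsing.
    bare = addr.split("%", 1)[0]
    try:
        ip = IPv6Address(bare)
    except AddressValueError:
        return "not-ipv6"          # e.g. an IPv4 address on a dual-stack host
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in ULA:
        return "ula"
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"                 # loopback, multicast, unassigned ranges


def ipv6_reachability(addrs):
    """Summarise what a host's address list actually entitles it to.

    'global' is True only when a 2000::/3 address is present.  A host whose
    only IPv6 address is fe80:: ("link_only") must be treated as having no
    IPv6 connectivity beyond its own link, which is exactly the default
    state the thread is arguing about.
    """
    scopes = {a: classify(a) for a in addrs}
    kinds = set(scopes.values())
    return {
        "scopes": scopes,
        "link_only": "link-local" in kinds and not (kinds & {"global", "ula"}),
        "site": "ula" in kinds,
        "global": "global" in kinds,
    }
```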