On 25/06/2012 12:08, Anthony G. Basile wrote:
> Hi everyone,
>
> We visited this issue during the first ipv6 global day and I asked the
> masses: do you want ipv6 on by default or not. There was lots of back
> and forth and since it was only a question of default, I left the
> status quo, which is off by default.
>
> But now the ipv6 pressures mount! Diego has made a good argument that
> deploying hardened in an ipv6 only environment is a real pita. You
> can't get the goodies you need to bootstrap into an ipv6 only
> environment. With the growth in ipv6, I think it is time.
>
> I'm alerting users so that you can make whatever changes you like to
> ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
> default ipv6 on all hardened profiles.
ACK
There are plenty of reasons to argue for/against, but the big day when
large numbers of servers finally need to be IPV6 aware is coming. Lets
start getting our house in order.
Probably some notes on disabling ipv6 on a given machine would be
helpful, eg:
- iptables6 default drop
- iptables6 reject
- sysctl
- blacklist kernel module or build kernel without support
- kernel command line option (useful when not modular kernel)
Whilst we have the luxury of ipv6 being relatively unprobed and attacks
being relatively unusual and light, lets start getting the groundwork
developed for a default secure gentoo ipv6 system.
Lets switch ipv6 on by default
Cheers
Ed W
> Hi everyone,
>
> We visited this issue during the first ipv6 global day and I asked the
> masses: do you want ipv6 on by default or not. There was lots of back
> and forth and since it was only a question of default, I left the
> status quo, which is off by default.
>
> But now the ipv6 pressures mount! Diego has made a good argument that
> deploying hardened in an ipv6 only environment is a real pita. You
> can't get the goodies you need to bootstrap into an ipv6 only
> environment. With the growth in ipv6, I think it is time.
>
> I'm alerting users so that you can make whatever changes you like to
> ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
> default ipv6 on all hardened profiles.
ACK
There are plenty of reasons to argue for/against, but the big day when
large numbers of servers finally need to be IPV6 aware is coming. Lets
start getting our house in order.
Probably some notes on disabling ipv6 on a given machine would be
helpful, eg:
- iptables6 default drop
- iptables6 reject
- sysctl
- blacklist kernel module or build kernel without support
- kernel command line option (useful when not modular kernel)
Whilst we have the luxury of ipv6 being relatively unprobed and attacks
being relatively unusual and light, lets start getting the groundwork
developed for a default secure gentoo ipv6 system.
Lets switch ipv6 on by default
Cheers
Ed W