* [gentoo-hardened] Adding ipv6 USE flag by default
From: Anthony G. Basile @ 2011-02-10 3:09 UTC
To: gentoo-hardened

Hi everyone,

Jan Kundrat asked on gentoo-dev why hardened removes ipv6 from its
profiles. To be honest, I see no good reason. I want to add it back.
Before I do, does anyone in the community know of any issues with
hardened + ipv6? I don't know of any, and all my servers have it
enabled. So, I'm going to add it back in about 1 week.

--
Anthony G. Basile, Ph.D.
Gentoo Developer
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: Michael Orlitzky @ 2011-02-10 20:03 UTC
To: gentoo-hardened

On 02/09/11 22:09, Anthony G. Basile wrote:
> Hi everyone,
>
> Jan Kundrat asked on gentoo-dev why hardened removes ipv6 from its
> profiles. To be honest, I see no good reason. I want to add it back.
> Before I do, does anyone in the community know of any issues with
> hardened + ipv6? I don't know of any, and all my servers have it
> enabled. So, I'm going to add it back in about 1 week.
>

I don't think there are any issues with it. The only argument I know of
is that it increases the attack surface for a feature that 0% + epsilon
of people use.
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: Darknight @ 2011-02-11 8:32 UTC
To: gentoo-hardened

2011-02-10 21:03:01 Michael Orlitzky
> On 02/09/11 22:09, Anthony G. Basile wrote:
>> Hi everyone,
>>
>> Jan Kundrat asked on gentoo-dev why hardened removes ipv6 from its
>> profiles. To be honest, I see no good reason. I want to add it back.
>> Before I do, does anyone in the community know of any issues with
>> hardened + ipv6? I don't know of any, and all my servers have it
>> enabled. So, I'm going to add it back in about 1 week.
>
> I don't think there are any issues with it. The only argument I know of
> is that it increases the attack surface for a feature that 0% + epsilon
> of people use.

Tests done by a colleague show that, right now, the amount of inbound ipv6
traffic on his systems is none, but I can perfectly understand your concerns,
even if they should apply only to the network stack itself, as the daemons
listening on v6 should be the same that listen on v4, once configured for dual
stack.

Anyway, ipv6 has a chance to become relevant by the end of the year as China
and India (among others) won't have quite enough v4 addresses in stock to
support the growth of their networks.
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: Anthony G. Basile @ 2011-02-11 23:10 UTC
To: gentoo-hardened

On 02/11/2011 03:32 AM, Darknight wrote:
> 2011-02-10 21:03:01 Michael Orlitzky
>> On 02/09/11 22:09, Anthony G. Basile wrote:
>>> Hi everyone,
>>>
>>> Jan Kundrat asked on gentoo-dev why hardened removes ipv6 from its
>>> profiles. To be honest, I see no good reason. I want to add it back.
>>> Before I do, does anyone in the community know of any issues with
>>> hardened + ipv6? I don't know of any, and all my servers have it
>>> enabled. So, I'm going to add it back in about 1 week.
>>
>> I don't think there are any issues with it. The only argument I know of
>> is that it increases the attack surface for a feature that 0% + epsilon
>> of people use.
>
> Tests done by a colleague show that, right now, the amount of inbound ipv6
> traffic on his systems is none, but I can perfectly understand your concerns,
> even if they should apply only to the network stack itself, as the daemons
> listening on v6 should be the same that listen on v4, once configured for dual
> stack.
>
> Anyway, ipv6 has a chance to become relevant by the end of the year as China
> and India (among others) won't have quite enough v4 addresses in stock to
> support the growth of their networks.

This is precisely the point. While on the one hand it has little
current use and does potentially increase attack vectors, on the other
hand ipv4 is depleted and ipv6 is on the horizon.

I looked at gentoo bugs for ipv6 and didn't find anything serious. I'm
still leaning towards unmasking it.

--
Anthony G. Basile, Ph.D.
Gentoo Developer
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: Ed W @ 2011-02-15 11:53 UTC
To: gentoo-hardened

>> Tests done by a colleague show that, right now, the amount of inbound ipv6
>> traffic on his systems is none, but I can perfectly understand your concerns,
>> even if they should apply only to the network stack itself, as the daemons
>> listening on v6 should be the same that listen on v4, once configured for dual
>> stack.
>>
>> Anyway, ipv6 has a chance to become relevant by the end of the year as China
>> and India (among others) won't have quite enough v4 addresses in stock to
>> support the growth of their networks.
> This is precisely the point. While on the one hand it has little
> current use and does potentially increase attack vectors, on the other
> hand ipv4 is depleted and ipv6 is on the horizon.
>
> I looked at gentoo bugs for ipv6 and didn't find anything serious. I'm
> still leaning towards unmasking it.
>

It's the whole catch-22 that there isn't any traffic because it's not
deployed, and it's not deployed because there is no one to talk to...

I think we all have to transition to ipv6 quite quickly, so the only
sensible option is to bite the bullet and enable it. I have it enabled
on all my hardened servers...

I would have thought the sensible rollout strategy for organisations is
to start gently with internal-only deployments to get experience and
gradually incorporate the rest of the internet as it becomes more
common. Hopefully in this way most problems will be limited to internal
only at first...

Cheers

Ed W
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: Tom Hendrikx @ 2011-02-15 12:17 UTC
To: gentoo-hardened

On 15/02/11 12:53, Ed W wrote:
>
>>> Tests done by a colleague show that, right now, the amount of inbound ipv6
>>> traffic on his systems is none, but I can perfectly understand your concerns,
>>> even if they should apply only to the network stack itself, as the daemons
>>> listening on v6 should be the same that listen on v4, once configured for dual
>>> stack.
>>>
>>> Anyway, ipv6 has a chance to become relevant by the end of the year as China
>>> and India (among others) won't have quite enough v4 addresses in stock to
>>> support the growth of their networks.
>> This is precisely the point. While on the one hand it has little
>> current use and does potentially increase attack vectors, on the other
>> hand ipv4 is depleted and ipv6 is on the horizon.
>>
>> I looked at gentoo bugs for ipv6 and didn't find anything serious. I'm
>> still leaning towards unmasking it.
>>
>
> It's the whole catch-22 that there isn't any traffic because it's not
> deployed, and it's not deployed because there is no one to talk to...
>
> I think we all have to transition to ipv6 quite quickly, so the only
> sensible option is to bite the bullet and enable it. I have it enabled
> on all my hardened servers...
>
> I would have thought the sensible rollout strategy for organisations is
> to start gently with internal-only deployments to get experience and
> gradually incorporate the rest of the internet as it becomes more
> common. Hopefully in this way most problems will be limited to internal
> only at first...
>

I am running 2 boxen with hardened gentoo with ipv6 enabled (one native,
one through a tunnel broker). I've seen no issues with ipv6 during
deployment or while running services.

A third box is ipv4 only, but was expected to get ipv6 connectivity
quite soon after deployment. I disabled the ipv6 USE flag and recompiled
all affected packages some time after deployment. The only reason to do
this was that logs were 'flooded' because applications tried to load the
net-pf-10 kernel module. There probably is a more elegant way to fix
that minor issue. I did not test a setup where the ipv6 kernel stuff is
enabled/loaded when connectivity is not available (other than on
localhost).

--
Tom
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: Matthew Thode @ 2011-02-15 15:13 UTC
To: gentoo-hardened

I can also verify that I used ipv6 to get the cert with he.net (with
them as the tunnel broker), for whatever that's worth.

--
Matthew Thode

On Tue, Feb 15, 2011 at 07:17, Tom Hendrikx <tom@whyscream.net> wrote:
> On 15/02/11 12:53, Ed W wrote:
>>
>>>> Tests done by a colleague show that, right now, the amount of inbound ipv6
>>>> traffic on his systems is none, but I can perfectly understand your concerns,
>>>> even if they should apply only to the network stack itself, as the daemons
>>>> listening on v6 should be the same that listen on v4, once configured for dual
>>>> stack.
>>>>
>>>> Anyway, ipv6 has a chance to become relevant by the end of the year as China
>>>> and India (among others) won't have quite enough v4 addresses in stock to
>>>> support the growth of their networks.
>>> This is precisely the point. While on the one hand it has little
>>> current use and does potentially increase attack vectors, on the other
>>> hand ipv4 is depleted and ipv6 is on the horizon.
>>>
>>> I looked at gentoo bugs for ipv6 and didn't find anything serious. I'm
>>> still leaning towards unmasking it.
>>>
>>
>> It's the whole catch-22 that there isn't any traffic because it's not
>> deployed, and it's not deployed because there is no one to talk to...
>>
>> I think we all have to transition to ipv6 quite quickly, so the only
>> sensible option is to bite the bullet and enable it. I have it enabled
>> on all my hardened servers...
>>
>> I would have thought the sensible rollout strategy for organisations is
>> to start gently with internal-only deployments to get experience and
>> gradually incorporate the rest of the internet as it becomes more
>> common. Hopefully in this way most problems will be limited to internal
>> only at first...
>>
>
> I am running 2 boxen with hardened gentoo with ipv6 enabled (one native,
> one through a tunnel broker). I've seen no issues with ipv6 during
> deployment or while running services.
>
> A third box is ipv4 only, but was expected to get ipv6 connectivity
> quite soon after deployment. I disabled the ipv6 USE flag and recompiled
> all affected packages some time after deployment. The only reason to do
> this was that logs were 'flooded' because applications tried to load the
> net-pf-10 kernel module. There probably is a more elegant way to fix
> that minor issue. I did not test a setup where the ipv6 kernel stuff is
> enabled/loaded when connectivity is not available (other than on
> localhost).
>
> --
> Tom
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: Alex Efros @ 2011-02-15 15:52 UTC
To: gentoo-hardened

Hi!

On Fri, Feb 11, 2011 at 06:10:52PM -0500, Anthony G. Basile wrote:
>>> I don't think there are any issues with it. The only argument I know of
>>> is that it increases the attack surface for a feature that 0% + epsilon
>>> of people use.
>> Tests done by a colleague show that, right now, the amount of inbound ipv6
>> traffic on his systems is none, but I can perfectly understand your concerns,
>> even if they should apply only to the network stack itself, as the daemons
> This is precisely the point. While on the one hand it has little
> current use and does potentially increase attack vectors, on the other
> hand ipv4 is depleted and ipv6 is on the horizon.

Quick Google and CVE searches show there have been many vulnerabilities
in the IPv6 stack implementations of all OSes (including Linux). And, as
we all know, most vulnerabilities will be found only after a product
becomes popular and widely used, which hasn't happened to IPv6 yet.

Keeping this in mind, I think it makes sense to avoid enabling IPv6 by
default on hardened until IPv6 has been widely used/tested/hacked on
non-hardened systems for some time, or until it becomes a critical feature
required for normal operation on most servers.

This logic is the same as for separating the ~x86 and x86 profiles - the
hardened profile shouldn't be used to test (for now) useless and
potentially vulnerable features.


P.S. BTW, enabling the "ipv6" USE flag isn't enough. Using dual-stack on a
secure server also means doubling nearly all network configuration,
including firewall setup. And while it's well known how to securely set up
a network for IPv4, it still isn't clear how to do the same for IPv6 - both
because IPv6 is much more complex and feature-rich, and because there isn't
much information/howto available for IPv6 right now. So, I think it makes
sense to prepare some documentation about IPv6-related configuration on the
gentoo site and notify users about it with the `eselect news` mechanism
before enabling the "ipv6" USE flag by default in any profile.

--
WBR, Alex.
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: Matthew Thode @ 2011-02-15 16:05 UTC
To: gentoo-hardened

I run fully dual-stacked on my network at home just fine; ip6tables and
filtering at the gateway work for me. As far as IPv6-specific
vulnerabilities, I think that would be the price to pay (if we decide to
go down this route).

--
Matthew Thode

On Tue, Feb 15, 2011 at 10:52, Alex Efros <powerman@powerman.name> wrote:
> Hi!
>
> On Fri, Feb 11, 2011 at 06:10:52PM -0500, Anthony G. Basile wrote:
>>>> I don't think there are any issues with it. The only argument I know of
>>>> is that it increases the attack surface for a feature that 0% + epsilon
>>>> of people use.
>>> Tests done by a colleague show that, right now, the amount of inbound ipv6
>>> traffic on his systems is none, but I can perfectly understand your concerns,
>>> even if they should apply only to the network stack itself, as the daemons
>> This is precisely the point. While on the one hand it has little
>> current use and does potentially increase attack vectors, on the other
>> hand ipv4 is depleted and ipv6 is on the horizon.
>
> Quick Google and CVE searches show there have been many vulnerabilities
> in the IPv6 stack implementations of all OSes (including Linux). And, as
> we all know, most vulnerabilities will be found only after a product
> becomes popular and widely used, which hasn't happened to IPv6 yet.
>
> Keeping this in mind, I think it makes sense to avoid enabling IPv6 by
> default on hardened until IPv6 has been widely used/tested/hacked on
> non-hardened systems for some time, or until it becomes a critical feature
> required for normal operation on most servers.
>
> This logic is the same as for separating the ~x86 and x86 profiles - the
> hardened profile shouldn't be used to test (for now) useless and
> potentially vulnerable features.
>
>
> P.S. BTW, enabling the "ipv6" USE flag isn't enough. Using dual-stack on a
> secure server also means doubling nearly all network configuration,
> including firewall setup. And while it's well known how to securely set up
> a network for IPv4, it still isn't clear how to do the same for IPv6 - both
> because IPv6 is much more complex and feature-rich, and because there isn't
> much information/howto available for IPv6 right now. So, I think it makes
> sense to prepare some documentation about IPv6-related configuration on the
> gentoo site and notify users about it with the `eselect news` mechanism
> before enabling the "ipv6" USE flag by default in any profile.
>
> --
> WBR, Alex.
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: Michael Orlitzky @ 2011-02-15 16:05 UTC
To: gentoo-hardened

On 02/15/2011 10:52 AM, Alex Efros wrote:
> Hi!
>
> Quick Google and CVE searches show there have been many vulnerabilities
> in the IPv6 stack implementations of all OSes (including Linux). And, as
> we all know, most vulnerabilities will be found only after a product
> becomes popular and widely used, which hasn't happened to IPv6 yet.
>
> Keeping this in mind, I think it makes sense to avoid enabling IPv6 by
> default on hardened until IPv6 has been widely used/tested/hacked on
> non-hardened systems for some time, or until it becomes a critical feature
> required for normal operation on most servers.
>
> This logic is the same as for separating the ~x86 and x86 profiles - the
> hardened profile shouldn't be used to test (for now) useless and
> potentially vulnerable features.
>
>
> P.S. BTW, enabling the "ipv6" USE flag isn't enough. Using dual-stack on a
> secure server also means doubling nearly all network configuration,
> including firewall setup. And while it's well known how to securely set up
> a network for IPv4, it still isn't clear how to do the same for IPv6 - both
> because IPv6 is much more complex and feature-rich, and because there isn't
> much information/howto available for IPv6 right now. So, I think it makes
> sense to prepare some documentation about IPv6-related configuration on the
> gentoo site and notify users about it with the `eselect news` mechanism
> before enabling the "ipv6" USE flag by default in any profile.
>

I tend to agree; it's not like ipv6 is disabled, it's just off by
default.

My biggest concern, however, is for the people who run apache, postfix,
dovecot, etc. with the equivalent of,

  listen = *

who will suddenly be listening on ipv6 addresses (and possibly not know
it) after a recompile.

Are all these ipv6-listening services secure? Who knows, because no
one's using them. The default unconfigured state is probably safe from
the network, but I wouldn't be able to say for sure unless I spent a
couple of weeks bringing myself up to speed on ipv6.
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: David Sommerseth @ 2011-02-15 16:57 UTC
To: gentoo-hardened

On 15/02/11 16:52, Alex Efros wrote:
[...snip...]
>
> Keeping this in mind, I think it makes sense to avoid enabling IPv6 by
> default on hardened until IPv6 has been widely used/tested/hacked on
> non-hardened systems for some time, or until it becomes a critical feature
> required for normal operation on most servers.

IMHO, this logic doesn't really make sense. This is a backwards attitude.
IPv6 will come for sure; we *need* to implement it. Not enabling it now
will just postpone these security issues further. It's better to flush
out those security issues ASAP before even more people use it.

Also consider that most distributions (including
RHEL/CentOS/ScientificLinux 5 - with 2.6.18 based kernels) ship with IPv6
enabled.

In addition, security issues get found and fixed quicker with broader
usage. In most distros security fixes get included rather quickly, even
into the upstream kernels and applications, no matter IPv4 or IPv6.

[...snip...]
> P.S. BTW, enabling the "ipv6" USE flag isn't enough. Using dual-stack on a
> secure server also means doubling nearly all network configuration,
> including firewall setup. And while it's well known how to securely set up
> a network for IPv4, it still isn't clear how to do the same for IPv6 - both
> because IPv6 is much more complex and feature-rich, and because there isn't
> much information/howto available for IPv6 right now.

This is much more fear of something new. IPv6 is a different protocol,
but when using it, it behaves very much the same as IPv4. You just need
to use ip6tables instead of iptables to do filtering, and the addresses
look different.

For those really not ready to dive into the IPv6 world yet, they should
rather compile their kernel without IPv6 support or blacklist the ipv6
kernel module. Then no IPv6 traffic will be tackled. And all the user
space can still be IPv6 enabled.

> So, I think it makes
> sense to prepare some documentation about IPv6-related configuration on the
> gentoo site and notify users about it with the `eselect news` mechanism
> before enabling the "ipv6" USE flag by default in any profile.

Documentation is *always* a good thing. So improving documentation
related to IPv6 is not a bad thing.

<rant>
But the fact is, which many have not understood: IPv6 simplifies
networks much more than it complicates them.

- There is no network address (like 192.168.0.0 for 192.168.0.0/24)
- There is no broadcast address (like 192.168.0.255)
- There is no 127.0.0.0/8 localhost subnet - only ::1
- There is no NAT - only public IP addresses - which need to be filtered
- Automatic stateless and stateful configuration (if using radvd or DHCPv6)
- Manual IPv6 is still an option for those wanting that
- Subnetting a /48 or /56 subnet is very easy.
  {your IPv6 prefix}:{your subnet address} - which gives you a /64 subnet
  for your network zone ... and you basically don't need to think about
  any other network masks.

A /48 subnet gives you 0000 to FFFF as valid subnet addresses after your
IPv6 prefix from your ISP. A /56 subnet gives 00 to FF as valid subnet
addresses. And just think about it ... /48 leaves space for 16 bits for
subnetting, so 48 + 16 = 64, hence /64. And the same for 56 + 8 = 64.
There is really no big magic. 8 bits gives you values 00-FF, 16 bits
gives you 0000-FFFF. And the ISP prefix defines your IPv6 address scope.
You can do whatever you'd like with that.

The only tricky thing is that you need to enable some ICMPv6 traffic on
your internal networks. But if you just open up for all ICMPv6 on
internal interfaces, you're practically good to go.

Routing is exactly the same as on IPv4. You need to either use
'ip -6 route' or 'route -6' to modify the IPv6 routing table.

So the biggest difference is basically the new addressing scheme, with
128 bits available instead of 32 bits. That's all, from the user's
perspective.

What probably should be done is to enable a default IPv6 iptables config
which is loaded by default ... which just sets the default policy to DROP
on INPUT, FORWARD and OUTPUT ... that way, users need to modify the
ip6tables rules to gain access. That way we won't take anyone by
surprise.

This is really not rocket science! Even though it might feel so in the
beginning. But take off your IPv4 hat, and accept that IPv6 is simpler
to set up - and you'll get far very quickly.
</rant>

But my core message is: enable IPv6 in all packages asap. Blocking IPv6
should not be done on the application level. That should happen on the
kernel level.

kind regards,

David Sommerseth
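The default-DROP ip6tables baseline David suggests, written out as an added example that is not part of the thread: an ip6tables-restore ruleset with DROP policies on INPUT, FORWARD and OUTPUT, the ICMPv6 types the stack needs in order to work at all allowed explicitly, and all ICMPv6 allowed on the internal interface as he describes. The internal interface name (eth1) and the rate limits are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Emits a baseline IPv6 filter table in
# ip6tables-restore format: default DROP everywhere, loopback and established
# traffic allowed, and only the ICMPv6 that IPv6 cannot function without
# (RFC 4890 guidance) accepted from the outside.
gen_ip6tables_rules() {
    internal_if="${1:-eth1}"   # trusted interface; eth1 is an assumption
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback (::1) is always allowed.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections this host initiated, and new outbound connections.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 errors: dropping packet-too-big breaks Path MTU discovery.
-A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 5/s -j ACCEPT
# Neighbour/Router Discovery: legitimate messages carry hop limit 255, so
# anything forwarded from off-link is rejected. A statically configured host
# can drop router-advertisement here instead of accepting it.
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# On the internal interface, open up all ICMPv6 as suggested above.
-A INPUT -i ${internal_if} -p ipv6-icmp -j ACCEPT
# Log what the DROP policy is about to discard, rate limited.
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "ip6tables-drop: "
COMMIT
EOF
}

# Sanity check before loading: succeeds (exit 0) only when all three built-in
# chains of the ruleset on stdin have policy DROP.
check_default_drop() {
    awk '/^:(INPUT|FORWARD|OUTPUT) / { n++; if ($2 == "DROP") d++ }
         END { exit !(n == 3 && d == 3) }'
}

# Usage as root, e.g.:
#   gen_ip6tables_rules eth1 | check_default_drop && \
#       gen_ip6tables_rules eth1 | ip6tables-restore
```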
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: klondike @ 2011-02-15 21:47 UTC
To: gentoo-hardened

On 15/02/11 16:52, Alex Efros wrote:
> Hi!
> Quick Google and CVE searches show there have been many vulnerabilities
> in the IPv6 stack implementations of all OSes (including Linux). And, as
> we all know, most vulnerabilities will be found only after a product
> becomes popular and widely used, which hasn't happened to IPv6 yet.

/me looks:

"Summary: The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux
kernel before 2.6.32.4, when network namespaces are enabled, allows
remote attackers to cause a denial of service (NULL pointer dereference)
via an invalid IPv6 jumbogram, a related issue to CVE-2007-4567."

Hardened kernels with UDEREF aren't vulnerable; also it was more than a
year ago.

"The selinux_parse_skb_ipv6 function in security/selinux/hooks.c in the
Linux kernel before 2.6.12-rc4 allows remote attackers to cause a denial
of service (OOPS) via vectors associated with an incorrect call to the
ipv6_skip_exthdr function."

"The ip6_dst_lookup_tail function in net/ipv6/ip6_output.c in the Linux
kernel before 2.6.27 does not properly handle certain circumstances
involving an IPv6 TUN network interface and a large number of neighbors,
which allows attackers to cause a denial of service (NULL pointer
dereference and OOPS) or possibly have unspecified other impact via
unknown vectors."

"Use-after-free vulnerability in net/ipv4/tcp_input.c in the Linux
kernel 2.6 before 2.6.20, when IPV6_RECVPKTINFO is set on a listening
socket, allows remote attackers to cause a denial of service (kernel
panic) via a SYN packet while the socket is in a listening (TCP_LISTEN)
state, which is not properly handled and causes the skb structure to be
freed."

Old kernels.

"The mipv6 daemon in UMIP 0.4 does not verify that netlink messages
originated in the kernel, which allows local users to spoof netlink
socket communication via a crafted unicast message."

Not even linux.

On apps:

"Summary: The DHCPv6 server in ISC DHCP 4.0.x and 4.1.x before 4.1.2-P1,
4.0-ESV and 4.1-ESV before 4.1-ESV-R1, and 4.2.x before 4.2.1b1 allows
remote attackers to cause a denial of service (assertion failure and
daemon crash) by sending a message over IPv6 for a declined and
abandoned address."

A DoS due to an assertion, bad but not SO bad. Anyway I doubt any
security focused person will use DHCP if avoidable.

"Summary: dns_internal.cc in Squid 3.1.6, when IPv6 DNS resolution is not
enabled, accesses an invalid socket during an IPv4 TCP DNS query, which
allows remote attackers to cause a denial of service (assertion failure
and daemon exit) via vectors that trigger an IPv4 DNS response with the
TC bit set."

Bad yet not SO bad too, another DoS.

Seriously, I don't see any serious sec problem for hardened users in
there which can't be solved by just not allowing ipv6 traffic/disabling
the ipv6 stack in the kernel.

Other than that I agree; the main difference I found is the lack of some
sort of NAT to hide addresses, but other than that ipv6 is not that
different from ipv4, with a few extensions which are also there for ipv4.
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: Chris Frederick @ 2011-02-15 19:12 UTC
To: gentoo-hardened

On 02/09/11 21:09, Anthony G. Basile wrote:
> Hi everyone,
>
> Jan Kundrat asked on gentoo-dev why hardened removes ipv6 from its
> profiles. To be honest, I see no good reason. I want to add it back.
> Before I do, does anyone in the community know of any issues with
> hardened + ipv6? I don't know of any, and all my servers have it
> enabled. So, I'm going to add it back in about 1 week.

Hi everyone,

I'll chime in on this one. I want to clarify what is being asked, and
add my two cents.

If you're asking if there are any issues with enabling the ipv6 use flag
on the hardened profile, then I haven't run into any. All packages that
I've used have compiled and worked as expected.

If you're asking if there are any security issues with ipv6 that would
affect the hardened profile, then I would have to say yes. The hardened
profile is intended to be a security focused profile, and adding ipv6 on
by default would cause many issues with unprepared users. Considering
that ipv6 is auto-configured by default, and a rogue system can attach
itself to a network as an ipv6 router, this is a major concern for users
that are unfamiliar with the protocol. Now add that several common
packages install with the default configuration of listen on every
interface, and the Netfilter firewall separates ipv4/ipv6 with iptables
and ip6tables with ip6tables' default ALLOW policy, and an unprepared
user could find their network completely unprotected.

A really good example of this is dev-db/mysql, which can be configured
to listen on a single address, or all addresses. If database access is
needed from a remote system, there's a good chance that it is configured
to listen on all addresses. If you enable ipv6, you may end up adding
three or more addresses to the mix for link (fe80::/10), local
(fc00::/7), and global scopes. If you want to run dual stack with your
current ipv4 address plus a fc00::/7 address, then you have to listen on
all and rely on database/firewall ACLs for protection. In my opinion
this shows that dev-db/mysql simply isn't ipv6 ready. Now there are many
other packages that work very well with binding to specific addresses,
but a lot of those are documented to encourage the use of the "listen on
all" mentality, and most will default to this mode.

I think the current default of turning the ipv6 use flag off is best.
It's not disabled, it's just off. It will need to be defaulted on at
some point, but I don't think we are there yet. If a user wants to
"brave the ipv6 waters" then let them; there's a lot to learn. I would
recommend paging through some of the on-line documentation (HOWTOs and
wiki at least) and see if we could add some better configuration
examples, or advice for those using dual stack setups, before ipv6 is
defaulted on.

Those are my thoughts on it.

Chris
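An added example, not from the thread, of the check that Michael's "listen = *" concern and Chris's dev-db/mysql example both call for: after a rebuild with the ipv6 flag on, list the sockets bound to the IPv6 wildcard address so daemons that quietly started listening on v6 can be found and bound explicitly or firewalled. The `ss` sample is constructed; against a live host run `ss -lntu | v6_wildcard_listeners`.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ss -lntu` style output on stdin
# and prints "proto port" for every socket bound to the IPv6 wildcard address.
# Different iproute2 versions print that address as [::]:port, *:port or the
# bare :::port form, so all three spellings are recognised.
v6_wildcard_listeners() {
    awk '$1 == "tcp" || $1 == "udp" {
        la = $5                            # "Local Address:Port" column
        i = match(la, /:[0-9*]+$/)         # the last colon separates the port
        addr = substr(la, 1, i - 1)
        port = substr(la, i + 1)
        if (addr == "[::]" || addr == "*" || addr == "::")
            print $1, port
    }'
}

# Number of wildcard-IPv6 listeners in the input on stdin (prints 0 if none).
count_v6_wildcard_listeners() {
    v6_wildcard_listeners | awk 'END { print NR }'
}

# Constructed sample of `ss -lntu` output (not captured from a real host):
# sshd and a web server bound to all addresses (and therefore on v6 too),
# mysql bound to 127.0.0.1 only, an MTA on ::1 only, and a DHCPv6 client on
# a link-local address. Only the first two should be reported.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port    Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22            0.0.0.0:*
tcp   LISTEN 0      128    [::]:22               [::]:*
tcp   LISTEN 0      80     127.0.0.1:3306        0.0.0.0:*
tcp   LISTEN 0      511    *:80                  *:*
tcp   LISTEN 0      100    [::1]:25              [::]:*
udp   UNCONN 0      0      [fe80::1%eth0]:546    [::]:*'

# Run with --demo to see the report for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | v6_wildcard_listeners
fi
```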
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: Anthony G. Basile @ 2011-02-19 17:02 UTC
To: gentoo-hardened

On 02/15/2011 02:12 PM, Chris Frederick wrote:
> Hi everyone,
>
> I'll chime in on this one. I want to clarify what is being asked, and add my two cents.

Okay, I don't think there was a consensus on this issue, so I'm sure to
make someone unhappy. I think for now we'll leave the status quo, i.e.
ipv6 off by default.

If it had been a question of whether or not ipv6 would be included in
hardened, then the issue would have been obvious. We must have ipv6.
But the question was, do we enable or disable it *by default*. Those
that wish can always switch it on, so nothing is ultimately lost.

The question came up because of the latest news about ipv4 address space
being depleted, so we know ipv6 is coming. When ipv6 use becomes
significant, we'll revisit the issue.

(And please don't ask me what significant means! I'm not even sure myself :)

--
Anthony G. Basile, Ph.D.
Gentoo Developer
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: Aaron W. Swenson @ 2011-02-21 0:23 UTC
To: gentoo-hardened

On 02/19/2011 12:02 PM, Anthony G. Basile wrote:
> On 02/15/2011 02:12 PM, Chris Frederick wrote:
>> Hi everyone,
>>
>> I'll chime in on this one. I want to clarify what is being asked, and add my two cents.
>
> Okay, I don't think there was a consensus on this issue, so I'm sure to
> make someone unhappy. I think for now, we'll leave the status quo, i.e.
> ipv6 off by default.
>
> If it had been a question of whether or not ipv6 would be included in
> hardened, then the issue would have been obvious. We must have ipv6.
> But the question was, do we enable or disable it *by default*. Those
> that wish can always switch it on so nothing is ultimately lost.
>
> The question came up because of the latest news about ipv4 address space
> being depleted, so we know ipv6 is coming. When ipv6 use becomes
> significant, we'll revisit the issue.
>
> (And please don't ask me what significant means! I'm not even sure myself :)
>

How about we shoot for World IPv6 Day? [1] Since everyone else will be doing their test runs that day I think we should, too.

Additionally, amongst all the shouting of insecurity, the potential for the improved security offered by IPv6 has been ignored, such as IPsec. [2] The specification for 'link-local' (fe80::/16) pretty much behaves in the same manner as 192.168.0.0/16 and 10.0.0.0/8 because of its built in Hop Limit restriction and requirement that routers never forward an fe80::/16 packet. [3] Additionally, the potential for improved performance through jumbograms [4] and PMTU Discovery. [5] Not to mention reduced hardware requirements to calculate checksums, which are no longer necessary.

As some have pointed out, all that's really required to disable IPv6 support is to just not include the IPv6 stack in the kernel. Somebody accidentally including it is unlikely for business production, so I don't understand the concern there. (And those who aren't so security conscious probably aren't running servers anyway.) Additionally, the greater percentage of people who have Internet access must still wait for the support to come or have to specifically request IPv6 support. (My ISP, Verizon, has only now really begun working on offering IPv6 and they say it'll take 18 months to implement.) Finally, the primary Internet router must support IPv6. There's a lot of intentional setup that goes into making IPv6 not only work but be viable on a network. A simple flip of a USE flag isn't going to magically turn everything on its ear and expose everyone to great risk.

Lastly, let's not forget the fact that a good portion of the stable software packages available in the Portage tree, and run by a good portion of the Gentoo user base, already incorporate IPv6 support with no means other than less than trivial modifications of the source code to disable it. (e.g., PostgreSQL, Apache and Firefox) Optional support of IPv6 is rapidly disappearing from the tree as it is anyway. We might as well expect it to come regardless of our wishes for a different time frame. Indeed, it is here already in some of the more important and popular packages.

Sincerely,
Mr. Aaron W. Swenson

[1] http://isoc.org/wp/worldipv6day/
[2] http://tools.ietf.org/html/rfc2460
[3] http://tools.ietf.org/html/rfc4291#section-2.5.6
[4] http://tools.ietf.org/html/rfc2675
[5] http://tools.ietf.org/html/rfc1981
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: Thomas Sachau @ 2011-02-21 20:34 UTC
To: gentoo-hardened; +Cc: Aaron W. Swenson

On 21.02.2011 01:23, Aaron W. Swenson wrote:
> On 02/19/2011 12:02 PM, Anthony G. Basile wrote:
>> On 02/15/2011 02:12 PM, Chris Frederick wrote:
>>> Hi everyone,
>>>
>>> I'll chime in on this one. I want to clarify what is being asked, and add my two cents.
>
>> Okay, I don't think there was a consensus on this issue, so I'm sure to
>> make someone unhappy. I think for now, we'll leave the status quo, i.e.
>> ipv6 off by default.
>
>> If it had been a question of whether or not ipv6 would be included in
>> hardened, then the issue would have been obvious. We must have ipv6.
>> But the question was, do we enable or disable it *by default*. Those
>> that wish can always switch it on so nothing is ultimately lost.
>
>> The question came up because of the latest news about ipv4 address space
>> being depleted, so we know ipv6 is coming. When ipv6 use becomes
>> significant, we'll revisit the issue.
>
>> (And please don't ask me what significant means! I'm not even sure myself :)
>
>
> How about we shoot for World IPv6 Day? [1] Since everyone else will be
> doing their test runs that day I think we should, too.
>
<snip>

I suggest you respect the decision of the hardened team and stop arguing against it after the decision was made. The ipv6 USE flag and only the USE flag is not by default enabled. And please read this carefully: _not by default enabled_. Nothing prevents anyone from default enabling it in their make.conf, in any package.use file/dir or wherever they want. This is just a default setting for a profile, which aims at a minimal set of default enabled USE flags.

And in addition, currently ipv4 is still the default and almost no one has by default a native ipv6 connection, so it does not even make sense to enable that USE flag by default.

So with this conclusion, I fully support the decision of blueness and thank him for his good work for and with the hardened profile of Gentoo Linux.

--
Thomas Sachau
Gentoo Linux Developer
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: klondike @ 2011-02-21 21:11 UTC
To: gentoo-hardened

On 21/02/11 21:34, Thomas Sachau wrote:
> On 21.02.2011 01:23, Aaron W. Swenson wrote:
>> On 02/19/2011 12:02 PM, Anthony G. Basile wrote:
>>> On 02/15/2011 02:12 PM, Chris Frederick wrote:
>>>> Hi everyone,
>>>>
>>>> I'll chime in on this one. I want to clarify what is being asked, and add my two cents.
>>> Okay, I don't think there was a consensus on this issue, so I'm sure to
>>> make someone unhappy. I think for now, we'll leave the status quo, i.e.
>>> ipv6 off by default.
>>> If it had been a question of whether or not ipv6 would be included in
>>> hardened, then the issue would have been obvious. We must have ipv6.
>>> But the question was, do we enable or disable it *by default*. Those
>>> that wish can always switch it on so nothing is ultimately lost.
>>> The question came up because of the latest news about ipv4 address space
>>> being depleted, so we know ipv6 is coming. When ipv6 use becomes
>>> significant, we'll revisit the issue.
>>> (And please don't ask me what significant means! I'm not even sure myself :)
>>
>> How about we shoot for World IPv6 Day? [1] Since everyone else will be
>> doing their test runs that day I think we should, too.
>> <snip>
> I suggest you respect the decision of the hardened team and stop arguing against it after the
> decision was made. The ipv6 USE flag and only the USE flag is not by default enabled. And please
> read this carefully: _not by default enabled_. Nothing prevents anyone from default enabling it in their
> make.conf, in any package.use file/dir or wherever they want.

I don't know what the rest of the hardened team thinks, but at least I advocate for everybody to have a say in this kind of discussion, as even if the decision has been taken it is not always too late to change it if it is a bad one. Seeing the discussion you can see that Aaron hadn't participated before and was just sharing his point of view; I don't see where the problem is with that. In fact he was exposing some data which had not been provided in the discussion prior to the announcement.

Again it is just my opinion, so feel free to correct me if you feel I'm wrong.
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: schism @ 2011-02-21 18:34 UTC
To: gentoo-hardened

On Sat, Feb 19, 2011 at 12:02:20PM -0500, Anthony G. Basile wrote:
| On 02/15/2011 02:12 PM, Chris Frederick wrote:
| > Hi everyone,
| >
| > I'll chime in on this one. I want to clarify what is being asked, and add my two cents.
|
| Okay, I don't think there was a consensus on this issue, so I'm sure to
| make someone unhappy. I think for now, we'll leave the status quo, i.e.
| ipv6 off by default.

Here's an issue I've found with ipv6, and not necessarily hardened: upsd fails to start if it can't autoload net-pf-10. Since in hardened we have the ability to disable module autoloading and I've used that to prevent my apps from emitting ipv6 I wasn't yet in control of, it was definitely an edge case hardened helped find. That particular app (sys-power/nut) doesn't even have an ipv6 USE flag.
* Re: [gentoo-hardened] Adding ipv6 USE flag by default
From: "Tóth Attila" @ 2011-02-21 18:49 UTC
To: gentoo-hardened

I've been running nut & upsd without ipv6 (either in kernel or userland) for ages on Hardened x86.

Regards:
Dw.

--
Dr. Tóth Attila, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 21 February 2011 (Mon) 19:34, schism@subverted.org wrote:
> On Sat, Feb 19, 2011 at 12:02:20PM -0500, Anthony G. Basile wrote:
> | On 02/15/2011 02:12 PM, Chris Frederick wrote:
> | > Hi everyone,
> | >
> | > I'll chime in on this one. I want to clarify what is being asked, and
> add my two cents.
> |
> | Okay, I don't think there was a consensus on this issue, so I'm sure to
> | make someone unhappy. I think for now, we'll leave the status quo, i.e.
> | ipv6 off by default.
>
> Here's an issue I've found with ipv6, and not necessarily hardened: upsd
> fails to start if it can't autoload net-pf-10. Since in hardened we
> have the ability to disable module autoloading and I've used that to
> prevent my apps from emitting ipv6 I wasn't yet in control of, it was
> definitely an edge case hardened helped find. That particular app
> (sys-power/nut) doesn't even have an ipv6 USE flag.
>