On Mon, Apr 28, 2014 at 09:43:40AM +0200, Jeroen Massar wrote:
> Note that there are a variety of forums that are a much better place
> than a Debian mtr package bug report for these kinds of questions.

I'm not asking for help. I'm trying to communicate that I think that
disabling IPV6 is a valid configuration. I fully agree with the decisions
"upstream" in Debian to enable IPV6. But you should respect those that may
have reasons to disable it.

> On 2014-04-28 09:08, Rogier Wolff wrote:
> > I personally have a good understanding of IPV4 and how I've secured my
> > network against attacks from outside. I know what I'm doing. This
> > means that I make decisions about what to protect against and what I
> > won't protect against.
> >
> > I have decided that I will have "fence security": I protect the
> > outside, I do not put any effort into protecting my machines from an
> > attacker who is able to access my network. (either by physically
> > plugging in or by getting control over a machine on my network).
>
> If your assumption is that, then you are 'safe' with the default
> settings provided by Debian.
>
> Unless somebody sets up a router advertisement to announce a prefix (for
> which they need local access to the network), your host will only have a
> link-local (fe80::/10) address, which means the adversary has local
> access to your network.

I could look this up in under 60 seconds. But I haven't. So when my
machine asks for an IPV6 address on the link it gets one. If I'd look it
up I'd see it was a link-local address. I'm guessing that, similar to the
192.168.x.y that I'm using for IPV4, they won't work outside my home
network. So how do I know that when I boot tomorrow my machine won't get
a routable IPV6 address? I don't.

> > Now this fancy IPV6 comes along. I've been pushing my hosting provider
> > for an IPV6 address so that I can gain some experience.
>
> Choose with your money. If they do not get the picture in 2014, they will
> never get it.

I don't have extra money and time to spare to "push" issues like this. If
they decide for their clients that "without IPV6" I will be able to manage
for now, I'm not going to research or doubt that decision.

I respect their decision. Life is short. There are a lot of things in this
world that I don't have the time to learn. There are a lot of things
/wrong/ in this world that I don't have the time to worry about or change.
I'm choosing my battles. I'm not into politics, I'm into technical things.
And even then I choose my battles.

The "we need to switch to IPV6 NOW" crowd lost credibility with me when
they announced "we'll have serious trouble in XXX time when we'll run out
of IPV4 addresses". This was announced three years in a row, with XXX
always less than 12 months. I haven't heard about the IPV4 addresses
running out for about a year now. Is the new announcement going out soon,
or did I miss one?

> > The little I know about IPV6 is that there won't be a need to
> > "masquerade" like we do now. Well, that masquerading is part of my
> > security strategy.
>
> The part that 'masquerading' adds in your 'security strategy' is
> connection tracking. Not the actual act of translating addresses; they
> actually make your box wide open.

The masquerading part helps my security: my machine thinks its address is
192.168.x.y, and besides people on or very close to my network, nobody
will be able to get packets with that address to travel to my machine.

What is "they" referring to in "they actually make..."? You're saying that
masquerading makes my machine wide open? Are you following the Microsoft
tactic that OUTgoing connections need to be firewalled? Sure. On my phone
I install apps that should not be connecting to the internet on a whim.
But on my PC I'm more afraid of the 4 billion internet users out there,
one of which might try to connect to a service on my machine. At the
moment they "try to connect" they are now blocked because I don't have a
routable internet address.

> > I know that my machines, when running a recent distribution, obtain an
> > IPV6 address. If my home router suddenly started giving my home
> > machines routable IPV6 addresses that would break my "fence".
>
> If you do not trust machines connecting to your local network then you
> should fix that hole in the fence.

My provider will, at some time between 2010 and 2020, decide to enable
IPV6 for their clients. I don't want to have to be there at the moment
they decide to enable it.

> > So... best thing to do is to make sure my machine will never talk
> > IPV6. How about I compile a kernel without IPV6? Or maybe just boot
> > with ipv6disable=1?
>
> Instead of disabling IPv6, just firewall it:
>
> ip6tables -A INPUT -j REJECT
> ip6tables -A FORWARD -j REJECT

There is more than one way to skin a cat. If you think that an outgoing
connection that goes through masquerading is a security risk, will you
permit me to consider "ipv6 enabled, but firewalled" a risk?

To be able to issue the above commands I've had to learn that the command
for ipv6 firewalling is ip6tables. You've just told me. What if I stumbled
on the "disable IPV6 altogether" solution first?

Your "firewall all IPV6" solution means that applications on my machine
continue to think that IPV6 is available, and then fail to make a
connection or take seconds before they time out the attempt to make the
IPV6 connection. This is not a workable solution. It is much better that
they get an error "IPV6 is not available" the moment they open a socket.

> More importantly though: it is 2014, IPv6 has been available to the
> general public for almost 20 years (6bone is from 1996-ish). Use it.

I do some things with the argument "because it's there". But "ipv6" is not
one of those things. If you want to convince me to use ipv6 you'll have to
use more arguments than "because it's been there for 20 years!". I've
never had things "not work" because I don't have ipv6. I /have/ had
trouble with ipv6 being partially available, causing irritating timeouts
etc. So for now I'm not easy to convince.

But even if you convince me, I still think not using IPV6 is a valid
configuration. It works for my mom. It works for me. How you choose to
disable the feature is up to the user. If there is a quick proper
solution, then that might be the recommended way. I'd say that
ipv6disable=1 is quick and proper.

	Roger.

-- 
+-- Rogier Wolff -- www.harddisk-recovery.nl -- 0800 220 20 20 --
- Datarecovery Services Nederland B.V. Delft. KVK: 30160549 -
| Files gone, documents lost, all data missing?!
| Stay calm and contact Harddisk-recovery.nl!

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
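The message above raises two practical points: "how do I know that when I boot tomorrow my machine won't get a routable IPV6 address?" and the choice between firewalling IPv6 with ip6tables and switching the stack off. The script below is an added example written for this thread, not code from the bug report or from either participant. It classifies the IPv6 addresses a host holds by prefix (fe80::/10 link-local as Jeroen describes, fc00::/7 unique-local, 2000::/3 global) and counts the globally routable ones, so the "fence" check can be run from a shell instead of guessed at. The function names (ipv6_scope, ipv6_global_count, ipv6_fence_intact) and the two sample blocks of `ip -6 addr` output are constructed for the example; the sysctl and kernel parameter named in the comments are the ones the Linux kernel documents, and the script only reads them in comments, it does not change any setting.

```shell
#!/bin/sh
# Added example (not from the bug report): classify a host's IPv6 addresses
# and report whether any of them is globally routable.
#
# Background for the two approaches discussed in the thread (for reference
# only, nothing below executes them; both need root):
#   - firewalling:   ip6tables -A INPUT -j REJECT ; ip6tables -A FORWARD -j REJECT
#   - disabling at runtime:  sysctl -w net.ipv6.conf.all.disable_ipv6=1
#   - disabling at boot:     kernel parameter ipv6.disable=1
# With the stack disabled, socket(AF_INET6, ...) fails immediately, which is
# the "error the moment they open a socket" behaviour the message asks for;
# with only a firewall, the address stays configured and connects time out.

# ipv6_scope ADDR: print the scope class of one IPv6 address (no prefix length).
# Expects lowercase hex as ip(8) prints it.
ipv6_scope() {
    case "$1" in
        ::1)                          echo loopback ;;
        fe8?:*|fe9?:*|fea?:*|feb?:*)  echo link-local ;;    # fe80::/10
        fc??:*|fd??:*)                echo unique-local ;;  # fc00::/7 (RFC 4193)
        2???:*|3???:*)                echo global ;;        # 2000::/3
        *)                            echo other ;;
    esac
}

# ipv6_global_count: read `ip -6 addr` output on stdin and print how many
# addresses fall in the global unicast range.  Classification is done on the
# address itself rather than on the "scope global" label, so the same logic
# works on output from other tools or on a saved text dump.
ipv6_global_count() {
    count=0
    while read -r kw addr rest; do
        [ "$kw" = inet6 ] || continue
        case "$(ipv6_scope "${addr%/*}")" in
            global) count=$((count + 1)) ;;
        esac
    done
    echo "$count"
}

# ipv6_fence_intact TEXT: succeed (exit 0) when TEXT shows only link-local,
# loopback or unique-local addresses, i.e. nothing an outside host can route to.
ipv6_fence_intact() {
    [ "$(printf '%s\n' "$1" | ipv6_global_count)" -eq 0 ]
}

# Constructed sample output, modelled on the format of `ip -6 addr show eth0`.
# The first host has only the link-local address a router-advertisement-free
# LAN gives it; the second has additionally received a global prefix.
SAMPLE_LINK_LOCAL_ONLY='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link
       valid_lft forever preferred_lft forever'

SAMPLE_WITH_GLOBAL='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1:2:a00:27ff:fe4e:66a1/64 scope global dynamic mngtmpaddr
       valid_lft 86399sec preferred_lft 14399sec
    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link
       valid_lft forever preferred_lft forever'

# Stand-alone run: report both samples.  On a real host replace the sample
# with `ip -6 addr | ipv6_global_count`.
for name in SAMPLE_LINK_LOCAL_ONLY SAMPLE_WITH_GLOBAL; do
    eval "text=\$$name"
    n=$(printf '%s\n' "$text" | ipv6_global_count)
    if ipv6_fence_intact "$text"; then state="fence intact"; else state="ROUTABLE ADDRESS PRESENT"; fi
    printf '%s: %s global address(es): %s\n' "$name" "$n" "$state"
done
```

Running it from a cron job or a login script gives an answer to "did my provider's router start handing out a prefix overnight?" without having to know the fe80::/10 rule by heart; a non-zero count is the moment to decide between the ip6tables rules and the sysctl.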