On Mon, Apr 28, 2014 at 09:43:40AM +0200, Jeroen Massar wrote:
> Note that there are a variety of forums that are a much better place
> than a Debian mtr package bug report for these kind of questions.

I'm not asking for help. I'm trying to communicate that I think that
disabling IPV6 is a valid configuration. 

I fully agree with the decisions "upstream" in Debian to enable
IPV6. But you should respect those that may have reasons to disable
it.

> On 2014-04-28 09:08, Rogier Wolff wrote:
> > I personally have a good understanding of IPV4 and how I've secured my
> > network against attacks from outside. I know what I'm doing. This
> > means that I make decisions about what to protect against and what I
> > won't protect against.
> > 
> > I have decided that I will have "fence security": I protect the
> > outside, I do not put any effort into protecting my machines from an
> > attacker who is able to access my network. (either by physically
> > plugging in or by getting control over a machine on my network).
> 
> If your assumption is that, then you are 'safe' with the default
> settings provided by Debian.
> 
> Unless somebody sets up a router advertisement to announce a prefix (for
> which they need local access to the network), your host will only have a
> link-local (fe80::/10) address, which means the adversary has local
> access to your network.

I could look this up in under 60 seconds. But I haven't. 

So when my machine asks for an IPV6 address on the link it gets one.
If I'd look it up I'd see it was a link-local address. I'm guessing
similar to the 192.168.x.y that I'm using for IPV4 that they won't
work outside my home network. 

So how do I know that when I boot tomorrow my machine won't get a 
routable IPV6 address? I don't. 

> > Now this fancy IPV6 comes along. I've been pushing my hosting provider
> > for an IPV6 address so that I can gain some experience.
> 
> Choose with your money. If they do not get the picture in 2014, they will
> never get it.

I don't have extra money and time to spare to "push" issues like
this. If they decide for their clients that "without IPV6" I will be
able to manage for now, I'm not going to research or doubt that
decision. I respect their decision. Life is short. There are a lot of
things in this world that I don't have the time to learn. There are a
lot of things /wrong/ in this world that I don't have the time to
worry about or change. I'm choosing my battles. I'm not into politics,
I'm into technical things. And even then I choose my battles.

The "we need to switch to IPV6 NOW" crowd lost credibility with me
when they announced "we'll have serious trouble in XXX time when we'll
run out of IPV4 addresses". This was announced three years in a row,
with XXX always less than 12 months. I haven't heard about the IPV4
addresses running out for about a year now. Is the new announcement
going out soon, or did I miss one?

> > The little I know about IPV6 is that there won't be a need to
> > "masquerade" like we do now. Well, that masquerading is part of my
> > security strategy.
> 
> The part that 'masquerading' adds in your 'security strategy' is
> connection tracking. Not the actual act of translating addresses; they
> actually make your box wide open.

The masquerading part helps my security: My machine thinks its address
is 192.168.x.y, and besides people on or very close to my network,
nobody will be able to get packets with that address to travel to my
machine.

What is "they" referring to in "they actually make..."? 

You're saying that masquerading makes my machine wide open?

Are you following the Microsoft tactic that OUTgoing connections need
to be firewalled? Sure. On my phone I install apps that should not be
connecting to the internet on a whim. But on my PC I'm more afraid of
the 4 billion internet-users out there, one of which might try to
connect to a service on my machine. At the moment that "try to
connect" they are now blocked because I don't have a routable internet
address. 

> > I know that my machines, when running a recent distribution, obtain an
> > IPV6 address. If my home router suddenly started giving my home
> > machines routable IPV6 addresses that would break my "fence".
> 
> If you do not trust machines connecting to your local network then you
> should fix that hole in the fence.

My provider will, at some time between 2010 and 2020 decide to enable
IPV6 to their clients. I don't want to have to be there at the moment
they decide to enable it. 

> > So... best thing to do is to make sure my machine will never talk
> > IPV6. How about I compile a kernel without IPV6? Or maybe just boot
> > with ipv6disable=1?
> 
> Instead of disabling IPv6, just firewall it:
> 
> ip6tables -A INPUT -j REJECT
> ip6tables -A FORWARD -j REJECT

There is more than one way to skin a cat. 

If you think that an outgoing connection that goes through
masquerading is a security risk, will you permit me to consider ipv6
enabled, but firewalled a risk?

To be able to issue the above commands I've had to learn that the
command for ipv6 firewalling is ip6tables. You've just told me.
What if I stumbled on the "disable IPV6 altogether" solution first?

Your "firewall all IPV6" solution means that applications on my
machine continue to think that IPV6 is available, and then fail to
make a connection or take seconds before they time out the attempt to
make the IPV6 connection. This is not a workable solution. It is much
better that they get an error "IPV6 is not available" the moment they
open a socket.

> More importantly though: it is 2014, IPv6 has been available to the
> general public for almost 20 years (6bone is from 1996-ish). Use it.

I do some things with the argument "because it's there". But "ipv6" is
not one of those things. If you want to convince me to use ipv6 you'll
have to use more arguments than "because it's been there for 20
years!". I've never had things "not work" because I don't have ipv6. I
/have/ had trouble with ipv6 being partially available, causing
irritating timeouts etc. So for now I'm not easy to convince. 

But even if you convince me, I still think not using IPV6 is a valid
configuration. It works for my mom. It works for me. How you choose to
disable the feature is up to the user. If there is a quick proper
solution, then that might be the recommended way. I'd say that
ipv6disable=1 is quick and proper.

        Roger. 

-- 
+-- Rogier Wolff -- www.harddisk-recovery.nl -- 0800 220 20 20 --
- Datarecovery Services Nederland B.V. Delft. KVK: 30160549 -
| Files gone, documents lost, all data missing?!
| Stay calm and contact Harddisk-recovery.nl!
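The open question in the message above is how an admin who relies on "fence security" would notice that a host has silently picked up a routable IPv6 address (rather than only the link-local fe80::/10 address Jeroen mentions). The script below is an added example written for this page; it is not code from the bug report, from mtr or from Debian. It assumes the one-line-per-address output format of `ip -6 -o addr show` from iproute2 (index, interface, `inet6`, address/prefix, scope ...), and the sample output it parses is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the bug report): tell link-local-only IPv6
# from a routable (global-scope) IPv6 address on a host.

# classify_ipv6 ADDR[/PREFIX]
# Prints one of: loopback, link-local, unique-local, global, other.
# Classification is by the leading hextet of the textual address; groups
# shortened by "::" (e.g. "2::1", which is 0002::1) fall through to "other".
classify_ipv6() {
    addr=$(printf '%s' "$1" | cut -d/ -f1 | tr 'A-F' 'a-f')
    case "$addr" in
        ::1)                                   echo loopback ;;     # ::1/128
        fe[89ab][0-9a-f]:*)                    echo link-local ;;   # fe80::/10
        f[cd][0-9a-f][0-9a-f]:*)               echo unique-local ;; # fc00::/7
        [23][0-9a-f][0-9a-f][0-9a-f]:*)        echo global ;;       # 2000::/3
        *)                                     echo other ;;
    esac
}

# routable_ipv6_from_ip_output
# Reads `ip -6 -o addr show` lines on stdin, prints "IFACE ADDR/PREFIX" for
# every global-scope address, and returns 0 if at least one was found,
# 1 otherwise (so it can drive an alert or a boot-time check).
routable_ipv6_from_ip_output() {
    found=1
    while read -r _idx ifname fam addr _rest; do
        [ "$fam" = "inet6" ] || continue
        if [ "$(classify_ipv6 "$addr")" = "global" ]; then
            printf '%s %s\n' "$ifname" "$addr"
            found=0
        fi
    done
    return $found
}

# Constructed sample outputs (assumed format of `ip -6 -o addr show`).
SAMPLE_LINKLOCAL_ONLY='1: lo    inet6 ::1/128 scope host
2: eth0    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link'

SAMPLE_WITH_GLOBAL='1: lo    inet6 ::1/128 scope host
2: eth0    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link
2: eth0    inet6 2001:db8:1234:5678:a00:27ff:fe4e:66a1/64 scope global dynamic'

# Demo on the constructed sample; the live equivalent is:
#   ip -6 -o addr show | routable_ipv6_from_ip_output
printf '%s\n' "$SAMPLE_LINKLOCAL_ONLY" | routable_ipv6_from_ip_output \
    || echo "link-local only: no routable IPv6 address"
printf '%s\n' "$SAMPLE_WITH_GLOBAL" | routable_ipv6_from_ip_output \
    || echo "no routable IPv6 address"
```

Run as a cron job or from a boot script, a non-zero exit from `routable_ipv6_from_ip_output` on the live `ip` output is the "nothing changed" case; a zero exit means the host now holds a global address and the fence assumption no longer holds. The same classification can be checked independently of the firewall choice discussed above: whether IPv6 is blocked with ip6tables or switched off in the kernel (the sysctl `net.ipv6.conf.all.disable_ipv6=1`, or the boot parameter `ipv6.disable=1`), the check reports only what addresses the host actually has.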

