On Tuesday, March 25, 2014 03:32:48 PM Andrew Gilmore wrote:
> > Put another way, it's not that IPv6 is insecure...it's very well tested. It's
> > that if you don't need it or use it and a security bulletin comes along
> > for it, it's easy to dismiss because you didn't intend to use it.
>
> This was part of my real question, I guess. Much of what I had heard about
> IPV6 focused on the relative maturity of the stack, compared to IPV4, and
> suggested that some of the same types of critical vulnerabilities that we
> saw in the 90s may be lurking in this stack. It's good to hear your
> confidence in the tech.

Let me explain a bit. In the first draft of the SNAC guide, I think it said
something like to disable do

install ipv6 /bin/true

This worked back in 2008 because IPv6 and IPv4 were separate. There was not
much overlap in code. However, things progress over the years and people
wondered why they have to make bug fixes to 2 independent code paths when a
lot could be shared. At this point, if you tried to do the above method for
disabling IPv6, you'd find the following broken:

- bridging
- bonding
- ebtables
- various iSCSI drivers
- infiniband
- assorted bits of netfilter

Additionally, routing information, ARP entries, and ipv6 specific device state
are shared between modules. So, there really is a lot of "ipv6" code running
on a "ipv4" system.

In light of this, the way of turning off IPv6 had to change because of the
shared code base. We now recommend CONFIG_IPV6=n because ipv6 must be loaded
because it does get used. I was told that 1/2 of the IPv6 codebase is shared
with IPv4.

To circle back to the beginning, so, why turn it off at all? Because the other
half of the IPv6 stack is not used all the time and eliminating lines of code
helps harden the system.

Steve
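
One way to audit a host for the legacy `install ipv6 /bin/true` override the message describes, and to list which loaded modules the kernel reports as depending on ipv6. This is an added example, not part of the original message; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print "file:line: text" for every active line in DIR/*.conf that replaces
# loading of the ipv6 module with a no-op. Returns 0 if any is found, else 1.
find_ipv6_install_override() {
    rc=1
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            hits=$(awk -v f="$f" '
                /^[ \t]*#/ { next }                  # ignore comment lines
                $1 == "install" && $2 == "ipv6" &&
                $3 ~ /^(\/usr)?\/bin\/(true|false)$/ {
                    printf "%s:%d: %s\n", f, NR, $0
                }' "$f")
            if [ -n "$hits" ]; then
                printf '%s\n' "$hits"
                rc=0
            fi
        done
    done
    return $rc
}

# Print, one per line, the modules the kernel reports as users of ipv6.
# FILE is in /proc/modules format: name size refcount users state address,
# where users is a comma-separated list (with trailing comma) or "-".
ipv6_module_users() {
    awk '$1 == "ipv6" && $4 != "-" {
        n = split($4, u, ",")
        for (i = 1; i <= n; i++) if (u[i] != "") print u[i]
    }' "${1:-/proc/modules}"
}
```

On a live system, call `find_ipv6_install_override /etc/modprobe.d /usr/lib/modprobe.d /run/modprobe.d` and `ipv6_module_users` with no argument; any module printed by the second is one that would fail to load under the override.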
