Fascinating. My test system, which I had believed was in compliance with the current STIG, has
options ipv6 disable=1 in a /etc/modprobe.d file... Time to relook at this, then! Perhaps this is why bonding is somewhat flaky on this system. Humph.

It sounds like it's coming live to my environment, so I get to include more tests in my reports. Progress. I'll work through this one too.

Thanks again! All kinds of good information!

Andrew

On Tue, Mar 25, 2014 at 3:50 PM, Steve Grubb <[email protected]> wrote:
> On Tuesday, March 25, 2014 03:32:48 PM Andrew Gilmore wrote:
> > > Put another way, it's not that IPv6 is insecure...it's very well tested. It's
> > > that if you don't need it or use it and a security bulletin comes along
> > > for it, it's easy to dismiss because you didn't intend to use it.
> >
> > This was part of my real question, I guess. Much of what I had heard about
> > IPV6 focused on the relative maturity of the stack, compared to IPV4, and
> > suggested that some of the same types of critical vulnerabilities that we
> > saw in the 90s may be lurking in this stack. It's good to hear your
> > confidence in the tech.
>
> Let me explain a bit. In the first draft of the SNAC guide, I think it said
> something like to disable do
>
> install ipv6 /bin/true
>
> This worked back in 2008 because IPv6 and IPv4 were separate. There was not
> much overlap in code. However, things progress over the years and people
> wondered why they have to make bug fixes to 2 independent code paths when a lot
> could be shared. At this point, if you tried to do the above method for
> disabling IPv6, you'd find the following broken:
>
> - bridging
> - bonding
> - ebtables
> - various iSCSI drivers
> - infiniband
> - assorted bits of netfilter
>
> Additionally, routing information, ARP entries, and ipv6 specific device state
> are shared between modules. So, there really is a lot of "ipv6" code running
> on a "ipv4" system. In light of this, the way of turning off IPv6 had to change
> because of the shared code base.
>
> We now recommend
>
> CONFIG_IPV6=n
>
> because ipv6 must be loaded because it does get used. I was told that 1/2 of
> the IPv6 codebase is shared with IPv4.
>
> To circle back to the beginning, so why turn it off at all? Because the other
> half of the IPv6 stack is not used all the time and eliminating lines of code
> helps harden the system.
>
> Steve
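The thread above contrasts the old SNAC-era `install ipv6 /bin/true` stub (which, as Steve explains, now breaks bonding, bridging, ebtables and other shared code) with the `options ipv6 disable=1` setting Andrew has on his test system. The following POSIX shell script is an added example, not part of this thread or of scap-security-guide: it scans a `/etc/modprobe.d`-style directory, classifies each IPv6-related line by which technique it uses, and fails if the deprecated install stub is present. The function names, category labels and the sample `.conf` files it creates in a temporary directory are constructed for this example; it only inspects modprobe configuration and does not check the kernel build config or sysctl settings.

```shell
#!/bin/sh
# Classify one line from a modprobe.d .conf file by the IPv6-disabling
# technique it uses. Category labels are constructed for this example:
#   install-stub   -> "install ipv6 /bin/true" (old method; breaks bonding,
#                     bridging, ebtables, etc. per the thread)
#   module-option  -> "options ipv6 disable=1"
#   blacklist      -> "blacklist ipv6"
#   none           -> comment, blank, or unrelated line
classify_modprobe_line() {
    line=$(printf '%s' "$1" | sed 's/^[[:space:]]*//')
    case "$line" in
        \#*|'')                      echo none ;;
        "install ipv6 "*)            echo install-stub ;;
        "options ipv6 "*disable=1*)  echo module-option ;;
        "blacklist ipv6"*)           echo blacklist ;;
        *)                           echo none ;;
    esac
}

# Scan every .conf file in a directory and print "file:line:category" for
# each IPv6-related line. Returns non-zero if the install stub is found,
# so the script can gate a compliance report.
scan_modprobe_dir() {
    dir=$1
    found_stub=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        n=0
        # read in the current shell (no pipe) so found_stub persists
        while IFS= read -r l || [ -n "$l" ]; do
            n=$((n + 1))
            c=$(classify_modprobe_line "$l")
            [ "$c" = none ] && continue
            printf '%s:%d:%s\n' "$f" "$n" "$c"
            [ "$c" = install-stub ] && found_stub=1
        done < "$f"
    done
    [ "$found_stub" -eq 0 ]
}

# Constructed sample directory (not a real system) so the script runs
# offline; returns scan_modprobe_dir's status.
demo() {
    tmp=$(mktemp -d)
    printf 'install ipv6 /bin/true\n' > "$tmp/old-snac.conf"
    printf '# disable via module option\noptions ipv6 disable=1\n' > "$tmp/stig.conf"
    printf 'blacklist pcspkr\n' > "$tmp/unrelated.conf"
    scan_modprobe_dir "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "WARNING: deprecated 'install ipv6 /bin/true' stub present"
```

Point `scan_modprobe_dir` at the real `/etc/modprobe.d` to audit a host; the sample run above flags `old-snac.conf` while still listing `stig.conf` as using the module-option method.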
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
