On 13.07.2013 13:07, David Beveridge wrote:
> On Sat, Jul 13, 2013 at 1:25 PM, Fernando Lozano <ferna...@lozano.eti.br> 
> wrote:
>>
>> If people on the users list don't agree with me, there's no point
>> submitting to developers.
>>
> Well I for one certainly don't agree with you.
> If you disable it everywhere it's too much of a pain to turn it all
> back on when you need it.

i disagree also that it should be default disabled
*but* it should be disabled if you are on a network
with only a DHCP4 server and no DHCP6 or if you
have a static configuration without ipv6

currently you get a link-local address

> IPv6 is designed to be autoconfiguring

and *that* is a problem inside an ipv4 only LAN

> Unless you actually have a global IPv6 address, you can only use it
> locally anyway.

"locally" is enough

a) nowadays many attacks are coming from inside the LAN

b) you may be vulnerable if a foreign device comes up with
  ipv6, your firewalls only configured for ipv4 and your
  server got a link-local ipv6

c) services and applications may see the link-local address
   and think "hey i can fully operate with ipv6" which is
   not true

> F19 now has the firewall with zones home, work, public etc so it can
> do the right thing from a security standpoint.

there are environments with "iptables-services" for very
good reasons

> If you are worried about security you should be raising bugs against
> the firewall, not disabling IPv6 completely

no - if you are a sane admin you do not want *anything* enabled
which does not match the big picture of the environment

keep in mind that there are environments far outside the
single workstation and security is *always* the big picture
of the complete environment and the weakest piece defines
your overall security
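
Added example, not part of the original message: a check for the situation in point b), where an interface holds a link-local IPv6 address while the IPv6 INPUT chain has never been configured. The function names and the sample data are assumptions constructed for illustration; the parsers expect the formats of `/proc/net/if_inet6` and `ip6tables-save`.

```python
import ipaddress

# Constructed /proc/net/if_inet6 content: address, ifindex, prefix length, scope, flags, name
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021122fffe334455 02 40 20 80     eth0
"""
# Constructed `ip6tables-save` output: nothing was ever configured for IPv6
RULES_UNCONFIGURED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

def link_local_interfaces(if_inet6_text):
    """Names of interfaces that hold an fe80::/10 address."""
    names = []
    for line in if_inet6_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines
        addr = ipaddress.IPv6Address(int(fields[0], 16))
        if addr.is_link_local and fields[5] not in names:
            names.append(fields[5])
    return names

def ipv6_input_unfiltered(rules_text):
    """Heuristic: filter/INPUT has policy ACCEPT (or is absent) and no rules at all."""
    table, policy, rules = None, None, 0
    for line in rules_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif table == "filter" and line.startswith("-A INPUT "):
            rules += 1
    return policy in (None, "ACCEPT") and rules == 0

def audit(if_inet6_text, rules_text):
    """Interfaces reachable over link-local IPv6 with no IPv6 INPUT filtering."""
    if not ipv6_input_unfiltered(rules_text):
        return []
    return link_local_interfaces(if_inet6_text)
```

On a live host, pass the contents of `/proc/net/if_inet6` and the output of `ip6tables-save` (run as root) to `audit()`; a non-empty result lists the interfaces to review.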
