Re: Proposal: Fedora should install with IPv6 disabled by default [was: Re: Disabling ipv6]

On 13.07.2013 13:07, David Beveridge wrote:
> On Sat, Jul 13, 2013 at 1:25 PM, Fernando Lozano <fernando@xxxxxxxxxxxxx> wrote:
>>
>> If people on the users list don't agree with me, there's no point
>> submitting to developers.
>>
> Well I for one certainly don't agree with you.
> If you disable it everywhere it's too much of a pain to turn it all
> back on when you need it.

i disagree also that it should be default disabled
*but* it should be disabled if you are on a network
with only a DHCP4 server and no DHCP6 or if you
have a static configuration without ipv6

currently you get a link-local address

> IPv6 is designed to be autoconfiguring

and *that* is a problem inside an ipv4 only LAN

> Unless you actually have a global IPv6 address, you can only use it
> locally anyway.

"locally" is enough

a) nowadays many attacks are coming from inside the LAN

b) you may be vulnerable if a foreign device comes up with
  ipv6, your firewalls only configured for ipv4 and your
  server got a link-local ipv6

c) services and applications may see the link-local address
   and think "hey i can fully operate with ipv6" which is
   not true

> F19 now has the firewall with zones home, work, public etc so it can
> do the right thing from a security standpoint.

there are environments with "iptables-services" for very
good reasons

> If you are worried about security you should be raising bugs against
> the firewall, not disabling IPv6 completely

no - if you are a sane admin you do not want *anything* enabled
which does not match the big picture of the environment

keep in mind that there are environments far outside the
single workstation and security is *always* the big picture
of the complete environment and the weakest piece defines
your overall security
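
Point (b) above, as an added example that is not part of the original message: a shell check that flags interfaces holding only a link-local IPv6 address while the ip6tables INPUT chain is left unfiltered. The sample `ip -6 -o addr show` and `ip6tables -S` output and all function names are constructed for illustration.

```bash
#!/bin/bash
# Added example: flag interfaces that hold only an IPv6 link-local address
# while the IPv6 INPUT chain has an ACCEPT policy and no rules.

# Constructed sample of `ip -6 -o addr show` on an IPv4-only LAN host.
SAMPLE_ADDRS='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever'

# Constructed sample of `ip6tables -S` where nobody wrote IPv6 rules.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# stdin: `ip -6 -o addr show`; prints interfaces with link-local (fe80::/10) only.
linklocal_only_ifaces() {
    awk '$3 == "inet6" && $2 != "lo" {
             seen[$2] = 1
             if ($4 !~ /^fe[89ab][0-9a-f]:/) global[$2] = 1
         }
         END { for (i in seen) if (!(i in global)) print i }' | sort
}

# stdin: `ip6tables -S`; prints the default policy of the INPUT chain.
ip6_input_policy() {
    awk '$1 == "-P" && $2 == "INPUT" { print $3 }'
}

# stdin: `ip6tables -S`; prints the number of rules appended to INPUT.
ip6_input_rule_count() {
    grep -c '^-A INPUT ' || true
}

# audit ADDR_TEXT RULES_TEXT: prints one verdict line per link-local-only interface.
audit() {
    policy=$(printf '%s\n' "$2" | ip6_input_policy)
    rules=$(printf '%s\n' "$2" | ip6_input_rule_count)
    printf '%s\n' "$1" | linklocal_only_ifaces | while read -r iface; do
        if [ "$policy" = "ACCEPT" ] && [ "$rules" -eq 0 ]; then
            echo "EXPOSED $iface: link-local IPv6, no ip6tables INPUT filtering"
        else
            echo "OK $iface: link-local IPv6, INPUT policy=$policy rules=$rules"
        fi
    done
}

audit "$SAMPLE_ADDRS" "$SAMPLE_RULES"
# On a live host (ip6tables needs root):
#   audit "$(ip -6 -o addr show)" "$(ip6tables -S)"
```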
