On Sat, Jul 13, 2013 at 6:15 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
On 13.07.2013 13:07, David Beveridge wrote:
> On Sat, Jul 13, 2013 at 1:25 PM, Fernando Lozano <fernando@xxxxxxxxxxxxx> wrote:
>>
>> If people on the users list don't agree with me, there's no point
>> submitting to developers.
>>
> Well I for one certainly don't agree with you.
> If you disable it everywhere it's too much of a pain to turn it all
> back on when you need it.
i disagree also that it should be default disabled
*but* it should be disabled if you are on a network
with only a DHCP4 server and no DHCP6 or if you
have a static configuration without ipv6
currently you get a link-local address
> IPv6 is designed to be autoconfiguring
and *that* is a problem inside a ipv4 only LAN
> Unless you actually have a global IPv6 address, you can only use it
> locally anyway.
"locally" is enough
a) nowadays many attacks are coming from inside the LAN
b) you may be vulnerable if a foreign device comes up with
ipv6, your firewalls only configured for ipv4 and your
server got a link-local ipv6
c) services and applications may see the link-local address
and think "hey i can fully operate with ipv6" which is
not true
> F19 now has the firewall with zones home, work, public etc so it can
> do the right thing from a security standpoint.
there are environments with "iptables-services" for very
good reasons
> If you are worried about security you should be raising bugs against
> the firewall, not disabling IPv6 completely
no - if you are a sane admin you do not want *anything* enabled
which does not match the big picture of the environment
keep in mind that there are environments far outside the
single workstation and security is *always* the big picture
of the complete environment and the weakest piece defines
your overall security
If an administrator or a normal user can't disable IPv6, this is a bug and needs to be fixed.
I feel the question, should IPv6 be disabled by default, is aimed for casual users, not administrators. Administrators should know what they are doing.
Please correct me if I am wrong, but I believe an administrator would want to do a custom install to control exactly what services are installed and would be willing to control the initial state of IPv6, also during an install.
Would administrators be okay if they had an option, during Fedora install/upgrade, where they can set the state of IPv6?
The more important question, would having an option, during Fedora install/upgrade, for setting the state of IPv6 help or confuse normal users? What should the suggested default be?
Again, administrators know what they are doing. I'm more concerned with people who don't know what they are doing.
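An added example, not part of the thread: one way to audit the situation described in point b) above, where an interface carries only a link-local IPv6 address while the firewall was written for IPv4 only. It parses the `/proc/net/if_inet6` format and `ip6tables -S` output; the sample data and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in /proc/net/if_inet6 format:
# address(32 hex) ifindex prefixlen scope flags device
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80 lo
fe80000000000000021122fffe334455 02 40 20 80 eth0
fe8000000000000002aabbfffeccddee 03 40 20 80 eth1
20010db8000000000000000000000010 03 40 00 80 eth1
"""

# Constructed samples of `ip6tables -S` output.
SAMPLE_RULES_OPEN = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"
SAMPLE_RULES_FILTERED = (
    "-P INPUT DROP\n-P FORWARD DROP\n-P OUTPUT ACCEPT\n"
    "-A INPUT -i lo -j ACCEPT\n"
)

def parse_if_inet6(text):
    """Return {device: [IPv6Address, ...]}, ignoring loopback addresses."""
    addrs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed or empty lines
        addr = ipaddress.IPv6Address(int(fields[0], 16))
        if not addr.is_loopback:
            addrs.setdefault(fields[5], []).append(addr)
    return addrs

def link_local_only(addrs):
    """Devices whose only IPv6 addresses are link-local (fe80::/10)."""
    return sorted(d for d, a in addrs.items() if all(x.is_link_local for x in a))

def input_unfiltered(rules_text):
    """True when the IPv6 INPUT policy is ACCEPT and no INPUT rule exists."""
    lines = [l.strip() for l in rules_text.splitlines()]
    return "-P INPUT ACCEPT" in lines and not any(
        l.startswith("-A INPUT") for l in lines)

def audit(if_inet6_text, rules_text):
    """Link-local-only devices that are reachable with no IPv6 filtering."""
    if not input_unfiltered(rules_text):
        return []
    return link_local_only(parse_if_inet6(if_inet6_text))

if __name__ == "__main__":
    print(audit(SAMPLE_IF_INET6, SAMPLE_RULES_OPEN))
```

On a live host, pass the contents of `/proc/net/if_inet6` and the output of `ip6tables -S` (run as root) in place of the samples.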