Re: Proposal: Fedora should install with IPv6 disabled by default [was: Re: Disabling ipv6]

>
> i disagree also that it should be default disabled
> *but* it should be disabled if you are on a network
> with only a DHCP4 server and no DHCP6 or if you
> have a static configuration without ipv6
>
> currently you get a link-local address
>

This is by design. And with ipv6 incoming (big in Asia, and ISPs are now beginning to enable it for home users in the US, such as Comcast), Windows will work out of the box. MacOSX will work out of the box. Fedora (or Ubuntu etc) also needs to work out of the box.

> > IPv6 is designed to be autoconfiguring
>
> and *that* is a problem inside a ipv4 only LAN
>

Not if you are sane with your policies as an admin anyway.

>
> "locally" is enough
>
> a) nowadays many attacks are coming from inside the LAN
>

True, internal attacks are a problem. But layer 2 attacks (remember fe80:: is link local only and cannot be routed) are rarer... Physical security to prevent layer 2 access in the first place is important. In addition, do your systems get sufficiently tight on their iptables configurations that you are manually listing IP addresses that are allowed to ssh in? If you are being that controlling, it would be trivial to configure ip6tables to reject or drop all packets via methods similar to those you are using to control iptables. If you are not being that controlling, then this point is moot, since the default ip6tables only allows ssh and related/established connections, just like iptables.

> b) you may be vulnerable if a foreign device comes up with
>   ipv6, your firewalls only configured for ipv4 and your
>   server got a link-local ipv6
>

Why do you have a foreign service appearing on your local link? The same physical and layer 2 thoughts apply. This is essentially point a again, and the detail in there stands.

> c) services and applications may see the link-local address
>    and think "hey i can fully operate with ipv6" which is
>    not true
>

Then file a bug for that application. The RFCs are very clear, with the prefixes well established. An fe80:: address is link local only, and an application that sees this address and no 2000::/3 address should not think it has a global address and attempt to use it... The situation is admittedly blurred when ULA addressing comes into play, but at that point you have made ipv6 configuration and policy choices which should take things like this into account.

> no - if you are a sane admin you do not want *anything* enabled
> which does not match the big picture of the environment
>

A sane admin is aware of emerging technologies and the requirements surrounding them in order to adapt as new things come along.

> keep in mind that there are environments far outside the
> single workstation and security is *always* the big picture
> of the complete environment and the weakest piece defines
> your overall security

And I will repeat that we are talking link local addresses here... ip6tables is a trivially easy way to block ipv6 communication in the same manner you presumably already manage iptables, since the scope of this bit is the context of large environments, where you are probably talking about smaller broadcast domains to begin with (i.e. a VLAN per floor of a building or something similar), and the same layer 2 security for your network applies...

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
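The reply's point c) is that an application should not treat an fe80:: link-local address as usable IPv6 connectivity, and should only consider itself IPv6-capable when it holds a 2000::/3 global unicast address. The script below is an added example, not code from the thread or from Fedora, showing how such a check is written with Python's standard `ipaddress` module. The address lists are constructed; a real program would read them from the host's interfaces, which this example deliberately does not do so that it runs offline.

```python
"""Classify IPv6 addresses by scope and decide whether a host really has
global IPv6 connectivity.

Added example, not part of the original mailing list thread. The sample
address lists below are constructed; in practice they would come from the
host's interface configuration (e.g. the output of `ip -6 addr`).
"""
from ipaddress import IPv6Address, IPv6Network

LINK_LOCAL = IPv6Network("fe80::/10")     # RFC 4291: valid on the local link only, never routed
ULA = IPv6Network("fc00::/7")             # RFC 4193: unique local, not globally routable
GLOBAL_UNICAST = IPv6Network("2000::/3")  # currently allocated global unicast space


def classify(addr: str) -> str:
    """Return the scope category of one IPv6 address string.

    A zone index such as 'fe80::1%eth0' is stripped before parsing so the
    function accepts addresses exactly as interface listings print them.
    """
    ip = IPv6Address(addr.split("%", 1)[0])
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in ULA:
        return "ula"
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"  # loopback, multicast, unspecified, IPv4-mapped, ...


def has_global_ipv6(addrs) -> bool:
    """True only if at least one address falls inside 2000::/3.

    A host whose only IPv6 addresses are fe80:: link-local ones (the default
    autoconfiguration state discussed in the thread) returns False here, so
    an application does not mistake link-local for working IPv6 reachability.
    ULA addresses are also excluded: they may work inside the site but say
    nothing about reaching the global IPv6 Internet.
    """
    return any(classify(a) == "global" for a in addrs)


# Constructed sample: a workstation on an IPv4-only LAN after link-local autoconfiguration ...
V4_ONLY_LAN = ["::1", "fe80::5054:ff:fe12:3456%eth0"]
# ... and the same workstation once a router advertises a global prefix
# (2001:db8::/32 is the RFC 3849 documentation prefix, used here as a stand-in).
DUAL_STACK = V4_ONLY_LAN + ["2001:db8:abcd:1:5054:ff:fe12:3456"]

if __name__ == "__main__":
    for name, addrs in (("v4-only LAN", V4_ONLY_LAN), ("dual stack", DUAL_STACK)):
        scopes = {a: classify(a) for a in addrs}
        print(f"{name}: {scopes} -> global ipv6: {has_global_ipv6(addrs)}")
```

The explicit prefix tests are used instead of `IPv6Address.is_global` because the latter also returns False for reserved ranges such as the documentation prefix, which would make the sample output misleading; the RFC prefixes named in the reply are what the check should express.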