On Sun, 24 Sep 2000, Manoj Srivastava wrote:
> >>"Henrique" == Henrique M Holschuh <hmh+debianml@rcm.org.br> writes:
>
> Henrique> As long as the built-in kernel firewall and all daemons
> Henrique> that are priority standard or above are _audited_ and
> Henrique> patched to work fine with ipv6, I'd say it's a laudable
> Henrique> goal.
>
> Has this audit been performed for IPV4? Or are you asking for
> an additional level of security just for IPV6?

Maybe in one of the BSDs, but not in Linux I guess :-)

No, I am not asking for an *additional* level of security. I just don't want what little we have right now to be shot to hell.

To be more precise: I just don't like the idea of introducing "we should have fixed this damn obvious hole, but we didn't even care to test for it" security holes, such as:

1. A tcp wrappers which will simply allow any ipv6 connects through, regardless of hosts.deny
2. A kernel firewall which cannot deal with ipv6, so one has to leave the machine open to ipv6 attacks if ipv6 is active.

I didn't mean "audited" as in full security audit. I mean it as: does this thing keep all its documented functionality intact in an ipv6 scenario? If it fails, does it fail in a benign way (such as always denying the connection attempt)?

Most apps which are not ipv6-ready are probably not going to give us security problems, but any apps which have built-in (ip-based) access control really should be tested. I don't want apache to start accepting ipv6 requests *by default* and not applying its internal access controls to these requests correctly, for example.

Right now, if an ipv6 module is provided by default, /etc/modutils/aliases WILL allow the module to be installed automatically (argh!). I sure hope this still doesn't allow inbound ipv6 packets to reach ipv6-aware userland somehow without explicit ifconfig/ip configuration (I don't know enough about the issue).

I fear that if Debian does a botched job of an ipv6 deployment in the standard packages and allows ipv6 to be activated (and configured) by default, it could become a security nightmare for the uninitiated... and our *defaults* really should avoid that IMHO.

If ipv6 is going to be *forced disabled* by default, requiring explicit action to configure the machine for ipv6 (such as a "Do you want ipv6 support enabled by default... warning: don't enable it if you don't need it"), then I will feel much better about the issue.

-- 
"One disk to rule them all, One disk to find them. One disk to bring them all
and in the darkness grind them. In the Land of Redmond where the shadows lie."
-- The Silicon Valley Tarot
Henrique Holschuh
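Editor's added example, not part of the mail above: the failure mode in point 1 and the "fail in a benign way" test reduced to a small Python checker. An IPv4-era deny list is applied two ways: the naive way, where a peer that matches no rule is allowed (so every IPv6 peer slips through), and the fail-closed way, which denies any address family the list was not written for. It goes one step beyond the mail by also handling IPv4-mapped IPv6 peers (`::ffff:a.b.c.d`), which a dual-stack listener reports for IPv4 clients; the rules and peer addresses are constructed sample values.

```python
import ipaddress

# Constructed deny list, in the spirit of an IPv4-era hosts.deny.
DENY_RULES = ["10.0.0.0/8", "192.168.1.0/24", "203.0.113.7"]


def _deny_networks(rules):
    return [ipaddress.ip_network(r, strict=False) for r in rules]


def naive_allowed(peer, rules=DENY_RULES):
    """IPv4-era logic: allow unless the peer matches a deny rule.

    An IPv6 peer can never match an IPv4 network, so it falls through
    to the final 'return True' and is let in regardless of the list.
    """
    addr = ipaddress.ip_address(peer)
    for net in _deny_networks(rules):
        if addr.version == net.version and addr in net:
            return False
    return True


def fail_closed_allowed(peer, rules=DENY_RULES, families=(4,)):
    """Same list, but deny anything the list was not written for.

    IPv4-mapped IPv6 peers (what a dual-stack socket reports for an
    IPv4 client) are unwrapped first, so the IPv4 rules still apply
    to them instead of being skipped.
    """
    addr = ipaddress.ip_address(peer)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version not in families:
        return False  # unknown address family: deny (the benign failure)
    for net in _deny_networks(rules):
        if addr.version == net.version and addr in net:
            return False
    return True


def compare(peer):
    """Return the (naive, fail_closed) verdicts for one peer address."""
    return naive_allowed(peer), fail_closed_allowed(peer)


if __name__ == "__main__":
    for p in ("192.168.1.5", "198.51.100.9", "2001:db8::1", "::ffff:192.168.1.5"):
        print(f"{p:>20}  naive={naive_allowed(p)!s:5}  fail_closed={fail_closed_allowed(p)}")
```

The same two questions (does an IPv6 peer get the documented treatment, and if not, is the failure a deny?) are what to ask of any daemon with ip-based access control before it is allowed to listen on IPv6 by default.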