
Re: HOWTO: Join the 6bone!



On Sun, 24 Sep 2000, Manoj Srivastava wrote:
> >>"Henrique" == Henrique M Holschuh <hmh+debianml@rcm.org.br> writes:
>  Henrique> As long as the built-in kernel firewall and all daemons
>  Henrique> that are priority standard or above are _audited_ and
>  Henrique> patched to work fine with ipv6, I'd say it's a laudable
>  Henrique> goal.
> 
> 	Has this audit been performed for IPV4? Or are you asking for
>  an additional level of security just for IPV6?

Maybe in one of the BSDs, but not in Linux I guess :-)

No, I am not asking for an *additional* level of security. I just don't want
what little we have right now to be shot to hell.

To be more precise: I just don't like the idea of introducing "we should
have fixed this damn obvious hole, but we didn't even care to test for it"
security holes, such as:

  1. A tcp wrappers which will simply allow any ipv6 connects through,
     regardless of hosts.deny
  2. A kernel firewall which cannot deal with ipv6, so one has to leave 
     the machine open to ipv6 attacks if ipv6 is active.

I didn't mean "audited" as in full security audit. I mean it as: does this
thing keep all its documented functionality intact in an ipv6 scenario?  If
it fails, does it fail in a benign way (such as always denying the
connection attempt)?

Most apps which are not ipv6-ready are probably not going to give us
security problems, but any apps which have built-in (ip-based) access
control really should be tested. I don't want apache to start accepting ipv6
requests *by default* and not applying its internal access controls to these
requests correctly, for example.

Right now, if an ipv6 module is provided by default, /etc/modutils/aliases
WILL allow the module to be installed automatically (argh!). I sure hope
this still doesn't allow inbound ipv6 packets to reach ipv6-aware userland
somehow without explicit ifconfig/ip configuration (I don't know enough about
the issue).

I fear that if Debian does a botched job of an ipv6 deployment in the
standard packages and allows ipv6 to be activated (and configured) by
default, it could become a security nightmare for the uninitiated... and our
*defaults* really should avoid that IMHO.

If ipv6 is going to be *forced disabled* by default, requiring explicit
action to configure the machine for ipv6 (such as a "Do you want ipv6
support enabled by default... warning: don't enable it if you don't need
it"), then I will feel much better about the issue.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
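
The failure mode discussed in the message above (an IP-based access check that lets IPv6 peers through untested, versus one that fails in a benign way by denying), as an added example that is not part of the original post and is not tcp wrappers' or any Debian package's code. The function names, the deny list and all addresses are constructed for illustration.

```python
import ipaddress

# Constructed deny list in the spirit of hosts.deny (documentation ranges only).
DENY = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]
V4_ONLY_DENY = [net for net in DENY if net.version == 4]


def naive_allowed(peer: str) -> bool:
    """IPv4-era check: a peer it cannot parse as IPv4 is never compared
    against any rule and is let through (fail-open)."""
    try:
        addr = ipaddress.IPv4Address(peer)
    except ValueError:
        return True  # the untested path: every IPv6 peer lands here
    return not any(addr in net for net in V4_ONLY_DENY)


def hardened_allowed(peer: str, v6_rules_supported: bool = True) -> bool:
    """Same policy, but anything the checker cannot evaluate is denied."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # unparseable peer address: deny
    if addr.version == 6:
        if addr.ipv4_mapped is not None:
            # ::ffff:a.b.c.d is an IPv4 peer seen through an IPv6 socket;
            # it must be matched against the IPv4 rules.
            addr = addr.ipv4_mapped
        elif not v6_rules_supported:
            return False  # no IPv6 rule support: deny rather than skip
    return not any(
        addr.version == net.version and addr in net for net in DENY
    )


if __name__ == "__main__":
    # Constructed peers: denied v4, denied v6, v4-mapped form of a denied v4,
    # and an address outside every deny rule.
    for peer in ("192.0.2.5", "2001:db8::1", "::ffff:192.0.2.5", "198.51.100.7"):
        print(f"{peer:20} naive={naive_allowed(peer)!s:5} "
              f"hardened={hardened_allowed(peer)}")
```
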
