
Re: Bug#542470: closed by maximilian attems <max@stro.at> (Re: Bug#542470: linux-image-2.6.30-1-686: IPv6 can not be disabled)



advocatux <advocatux@gmail.com> writes:

> Yep, I know I can add "ipv6.disable=1" in /boot/grub/menu.lst but this
> method doesn't work always, it depends on which 2.6.30 kernel version
> you're running.

It works with the 2.6.30 kernel in Debian.  I'm no DD but I believe that
is about as much as you can expect Debian to support...

>>> Yeah, just like having IPv4 enabled by default.  Given the number of
>>> attacks, I would say that IPv4 is much more dangerous and should be
>>> disabled immediately by any sane administrator :-)
>>
>> triple *lol* ;)
>
> Certainly that mockery doesn't fit with Debian community spirit, does
> it? and for sure doesn't help to fill bug reports.

I put the smiley there for a reason.  I apologize if my comment hurt you
in any way.

I'm sure the kernel team found your bug report very useful even if it
was closed.  It does help documenting the potential problems users may
face, and will serve as help to others having the same question as you.

> People analyzing this bug in Ubuntu Bug System
> (https://bugs.launchpad.net/bugs/351656) changed the status from
> security vulnerability "no" to "yes", and that's because an initial
> machine running other kernel, with IPv4 traffic filtered and IPv6
> disabled, after installing a 2.6.30 kernel ends with unfiltered ports
> listening to IPv6 traffic.

Well, AFAIK there is no change to a default Debian installation. IPv6 is
enabled by default both in 2.6.26 and 2.6.30 and there are no iptables
or ip6tables rules installed.

Something could of course have checked on upgrade whether the admin
chose to blacklist the ipv6 module and warn that this has no effect
anymore, but personally I don't see the need.  If you do, I'm pretty
sure that patches are welcome as usual.

For the record: Unfiltered ports are not a security problem.  Network
protocol support is not a security problem.  Debian is as secure with
IPv6 enabled as it is with IPv4 enabled.  If you think otherwise, then I
suggest you demonstrate the attack and file appropriate bugs against the
packages with the real security problem.  Security in Linux is not based
on the kernel preventing application abuse by disabling any useful
feature.



Bjørn
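
The upgrade check the message describes (warning that a blacklist of the ipv6 module no longer has any effect), written as an added example that is not part of the original message or of any Debian package. The function names, the verdict strings and the heuristic for a built-in IPv6 stack (/proc/net/if_inet6 present, no ipv6 line in /proc/modules) are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: detect an "ipv6" blacklist that can no longer take effect.
# The proc root and modprobe directory are parameters so the check can run
# against copies; the built-in test below is a heuristic, not a kernel API.

# True if the kernel command line file $1 carries ipv6.disable=1.
cmdline_disables_ipv6() {
    tr ' ' '\n' < "$1" | grep -qx 'ipv6\.disable=1'
}

# True if IPv6 is active ($1 = if_inet6 exists) without an "ipv6" entry in
# the loaded-module list $2, i.e. the stack is compiled into the kernel.
ipv6_is_builtin() {
    [ -e "$1" ] && ! grep -q '^ipv6 ' "$2" 2>/dev/null
}

# Print the files in directory $1 that try to keep the ipv6 module out.
blacklist_files() {
    grep -lE '^[[:space:]]*(blacklist|install)[[:space:]]+ipv6([[:space:]]|$)' \
        "$1"/* 2>/dev/null
}

# Print one verdict for proc root $1 and modprobe directory $2.
audit_ipv6() {
    if cmdline_disables_ipv6 "$1/cmdline"; then
        echo "disabled"
    elif ipv6_is_builtin "$1/net/if_inet6" "$1/modules" &&
         [ -n "$(blacklist_files "$2")" ]; then
        echo "stale-blacklist"
    else
        echo "enabled"
    fi
}

# Constructed sample tree (not taken from the bug report): IPv6 active,
# no ipv6 module loaded, and an old blacklist entry left behind.
# $1 = target directory, $2 = extra kernel command line argument.
make_sample() {
    mkdir -p "$1/proc/net" "$1/modprobe.d"
    printf 'root=/dev/sda1 ro quiet %s\n' "$2" > "$1/proc/cmdline"
    printf 'e1000 100000 0 - Live 0x0\n' > "$1/proc/modules"
    printf '00000000000000000000000000000001 01 80 10 80 lo\n' \
        > "$1/proc/net/if_inet6"
    printf '# keep IPv6 off\nblacklist ipv6\n' > "$1/modprobe.d/blacklist-ipv6.conf"
}

sample=$(mktemp -d)
make_sample "$sample" ""
audit_ipv6 "$sample/proc" "$sample/modprobe.d"   # prints stale-blacklist
rm -rf "$sample"
```

On a live system the same audit would be called as `audit_ipv6 /proc /etc/modprobe.d`; a "stale-blacklist" verdict means the admin's intent to keep IPv6 off is not being honoured and either ipv6.disable=1 or ip6tables rules are needed.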

