Message-ID: <87mukeqqgf.fsf@line.ungleich.ch>
Date:   Thu, 25 Apr 2019 13:22:56 +0200
From:   Nico Schottelius <nico-kernel-20190425@...ottelius.org>
To:     Adam Borowski <kilobyte@...band.pl>
Cc:     linux-kernel@...r.kernel.org
Subject: Re: How to turn off IPv4 without disabling IPv6


Hey Adam,

thanks for the fast response.


Adam Borowski <kilobyte@...band.pl> writes:

> On Thu, Apr 25, 2019 at 11:32:38AM +0200, Nico Schottelius wrote:
>> running some IPv6 only
>> networks. The systems in the IPv6 only networks do not need any IPv4
>> support anymore and thus for switches/routers we turned the support off.
>
>> Today we tried to turn off IPv4 in the Linux kernel at compile time.
>> But it seems that as soon as we turn off CONFIG_INET, CONFIG_IPV6 is
>> automatically turned off as well.
>
> Even if you don't want global nor even link-scope IPv4, way too many
> programs assume that at least 127.0.0.1 (ie, lo) is working.  They can't be
> reconfigured to use ::1 without patching and rebuilding.

I think we have to distinguish here between 2 kinds of programs:

- stuff that listen()s
- stuff that connect()s

Afaics, the latter does not need any lo connectivity, neither v4 nor
v6. It will use whatever IP address the kernel chooses for outgoing
connections.

For the former, I agree that there might be software that actually
fails without having 127.0.0.1. However, if they bind to 0.0.0.0, the
software will actually not work in an IPv6-only network anyway.

The big problem here is:

if I cannot turn off IPv4, I cannot test what needs to be fixed.

> [...]
> That's an extra moving part where there was none before.  Complexity is bad.
> Having the IPv4 stack built just for the lo interface simplifies
> things.

I tend to disagree with this statement: turning off IPv4 first of all
reduces complexity. You can even fully get rid of ARP. Yes, there will
be the need for some changes / updates, but all of this can only be
spotted once IPv4 is turned off.

Best,

Nico

--
Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.
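The listen()/connect() distinction above can be shown in code. The following is an added example and is not part of the thread or any Linux kernel code; the function names (`open_listener`, `connect_loopback`, `loopback_roundtrip`) and the candidate list are assumptions made for the demonstration. The listener binds `::` with `IPV6_V6ONLY` cleared, so it is reachable over IPv6 natively and over 127.0.0.1 through v4-mapped addresses where IPv4 still exists, and it only falls back to 0.0.0.0 if the kernel has no AF_INET6 at all. The client side uses getaddrinfo() rather than a hard-coded 127.0.0.1, which is exactly the assumption that breaks on an IPv6-only build.

```python
import errno
import socket

# Loopback literals a client should try, IPv6 first. Constructed for this
# demonstration: on an IPv6-only host only the first one exists.
LOOPBACK_CANDIDATES = ("::1", "127.0.0.1")


def open_listener(port=0):
    """Open a TCP listener that prefers IPv6 and does not assume 127.0.0.1.

    Returns (socket, family_name). A dual-stack '::' socket also serves
    IPv4 clients via v4-mapped addresses, so legacy 127.0.0.1 clients keep
    working where IPv4 is present, while an IPv6-only kernel is served
    natively. Only when AF_INET6 is unavailable do we fall back to 0.0.0.0.
    """
    try:
        sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError as exc:
        if exc.errno != errno.EAFNOSUPPORT:
            raise
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.bind(("0.0.0.0", port))
        family = "AF_INET"
    else:
        # 0 = accept native IPv6 and v4-mapped IPv4 on the same socket.
        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        sock.bind(("::", port))
        family = "AF_INET6"
    sock.listen(1)
    return sock, family


def connect_loopback(port, candidates=LOOPBACK_CANDIDATES):
    """Connect to a local listener without hard-coding an address family.

    getaddrinfo() with AI_NUMERICHOST never consults a resolver, so this
    runs offline. Candidates are tried in order; a family the kernel lacks
    (EAFNOSUPPORT, EADDRNOTAVAIL, ENETUNREACH, ...) is skipped.
    Returns (connected socket, family_name) or re-raises the last error.
    """
    last_exc = None
    for host in candidates:
        try:
            infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC,
                                       socket.SOCK_STREAM, 0,
                                       socket.AI_NUMERICHOST)
        except socket.gaierror as exc:
            last_exc = exc
            continue
        for family, stype, proto, _canon, addr in infos:
            sock = None
            try:
                sock = socket.socket(family, stype, proto)
                sock.settimeout(2)
                sock.connect(addr)
                name = "AF_INET6" if family == socket.AF_INET6 else "AF_INET"
                return sock, name
            except OSError as exc:
                last_exc = exc
                if sock is not None:
                    sock.close()
    raise last_exc if last_exc else OSError("no loopback candidate worked")


def loopback_roundtrip(payload=b"ping"):
    """Start a listener, connect to it from this process and echo one message.

    Returns (listener_family, client_family, echoed_bytes). An IPv4-only
    listener can never be reached by an IPv6 client, which is the failure
    a 0.0.0.0 bind produces on an IPv6-only network.
    """
    listener, lfam = open_listener()
    port = listener.getsockname()[1]
    listener.settimeout(2)
    client, cfam = connect_loopback(port)
    conn, _peer = listener.accept()
    conn.settimeout(2)
    with listener, client, conn:
        client.sendall(payload)
        data = conn.recv(len(payload))
        conn.sendall(data)          # echo back whatever the server received
        echoed = client.recv(len(payload))
    return lfam, cfam, echoed


if __name__ == "__main__":
    print(loopback_roundtrip())
```

Running this on a dual-stack host reports `AF_INET6` on both sides; on a container with IPv6 disabled on `lo` the client skips `::1` and reaches the same `::` listener over 127.0.0.1 as a v4-mapped connection, which is the compatibility path the thread discusses.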
