| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Feb 2009 02:25:54 -0500 From: Kyle Moffett <kyle@...fetthome.net> To: Vlad Yasevich <vladislav.yasevich@...com> Cc: Jay Vosburgh <fubar@...ibm.com>, Brian Haley <brian.haley@...com>, David Miller <davem@...emloft.net>, arvidjaar@...l.ru, chuck.lever@...cle.com, tytso@....edu, Valdis.Kletnieks@...edu, rjw@...k.pl, netdev@...r.kernel.org, bonding-devel@...ts.sourceforge.net, jamagallon@....com, linux-kernel@...r.kernel.org Subject: Re: [PATCH v2] bonding: move IPv6 support into a separate kernel module On Thu, Feb 26, 2009 at 3:57 PM, Vlad Yasevich <vladislav.yasevich@...com> wrote: > > Yes. The bitmask to disable certain family can be useful, but it's orthogonal > the issue of IPv6 support. As you said, it can be used to disable > any address family that user wishes. The slight issue with this might > be, should the settings affect already create sockets? > > I guess it comes down how many levels of control to do we want to provide. > Things that have been suggested so far: > 1) Global on/off switch (i.e module parameter) > 2) Per interface on/off switch (currently exists, but has bugs). > 3) Socket on/off switch (i.e blocker bitmask) > > I think numbers 1 and 2 turn off the IPv6 protocol on the wire, while number > 3 turns off the interface to the user. The two can be done independent. I feel extremely nervous about people discussing disabling IPv6 going forward. Current estimates are that the first RIRs will begin to exhaust their address spaces (after IANA's address space is exhausted) early in 2011. If you consider that any change probably won't be in a released kernel until June or so, there would be all of 18 months left until IPv6 is *required* to contact some hosts on the internet. At this point in time, anyone looking at "disabling" IPv6 should be doing so with standard firewall rules *exactly* the same way that they would disable IPv4 traffic; adding rules using ip6tables or ebtables is easy. You could simply drop all IPv6 ethernet frames: ebtables -P INPUT ACCEPT ebtables -A INPUT -p IPv6 -j DROP ebtables -P FORWARD ACCEPT ebtables -A FORWARD -p IPv6 -j DROP ebtables -P OUTPUT ACCEPT ebtables -A OUTPUT -p IPv6 -j DROP Alternatively for a per-interface switch you could "ebtables -A INPUT -i eth4 -p IPv6 -j DROP", etc... You could also do this instead (this includes IPv6 tunnels and whatnot): ip6tables -t raw -P INPUT DROP ip6tables -t raw -P OUTPUT DROP This allows programs which have been written to use AF_INET6 even for IPv4 sockets to continue to function appropriately (and there are at least a few). Cheers, Kyle Moffett -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists