Note that there are a variety of forums that are a much better place
than a Debian mtr package bug report for these kinds of questions.


On 2014-04-28 09:08, Rogier Wolff wrote:
> I personally have a good understanding of IPV4 and how I've secured my
> network against attacks from outside. I know what I'm doing. This
> means that I make decisions about what to protect against and what I
> won't protect against.
> 
> I have decided that I will have "fence security": I protect the
> outside, I do not put any effort into protecting my machines from an
> attacker who is able to access my network. (either by physically
> plugging in or by getting control over a machine on my network).

If your assumption is that, then you are 'safe' with the default
settings provided by Debian.

Unless somebody sets up a router advertisement to announce a prefix (for
which they need local access to the network), your host will only have a
link-local (fe80::/10) address, which means the adversary has local
access to your network.

> Now this fancy IPV6 comes along. I've been pushing my hosting provider
> for an IPV6 address so that I can gain some experience.

Choose with your money. If they do not get the picture in 2014, they will
never get it.

> The little I know about IPV6 is that there won't be a need to
> "masquerade" like we do now. Well, that masquerading is part of my
> security strategy.

The part that 'masquerading' adds in your 'security strategy' is
connection tracking. Not the actual act of translating addresses; they
actually make your box wide open.

> I know that my machines, when running a recent distribution, obtain an
> IPV6 address. If my home router suddenly started giving my home
> machines routable IPV6 addresses that would break my "fence".

If you do not trust machines connecting to your local network then you
should fix that hole in the fence.

> So... best thing to do is to make sure my machine will never talk
> IPV6. How about I compile a kernel without IPV6? Or maybe just boot
> with ipv6disable=1?

Instead of disabling IPv6, just firewall it:

ip6tables -A INPUT -j REJECT
ip6tables -A FORWARD -j REJECT


If you consider disabling IPv6, you should also disable all kinds of
drivers, TCP/IP variants, etc. As that is then the same 'protection' you
are asking for.


More importantly though: it is 2014, IPv6 has been available to the
general public for almost 20 years (6bone is from 1996-ish). Use it.

Greets,
 Jeroen
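
The point above about a host only having a link-local (fe80::/10) address until a router advertisement announces a prefix can be checked on a Linux host. This is an added example, not part of the original message; the function names (routable_v6, fence_ok, sample_if_inet6) and the sample addresses are constructed for illustration, and it assumes the Linux /proc/net/if_inet6 format.

```shell
#!/bin/sh
# Added example: report IPv6 addresses whose scope is wider than link-local.
# Each line of /proc/net/if_inet6 has six fields:
#   <32 hex digits address> <ifindex> <prefixlen> <scope> <flags> <ifname>
# scope: 00 = global, 10 = host (loopback), 20 = link-local, 40 = site-local

# routable_v6 [FILE]: print "ifname address/prefixlen" for every global or
# site-local address. FILE defaults to the live kernel table.
routable_v6() {
    awk '
    function hex2dec(h,   i, n) {
        n = 0
        h = tolower(h)
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
        return n
    }
    $4 == "00" || $4 == "40" {
        addr = ""
        # Re-insert the colons between the eight 16-bit groups.
        for (i = 1; i <= 32; i += 4)
            addr = addr (i > 1 ? ":" : "") substr($1, i, 4)
        printf "%s %s/%d\n", $6, addr, hex2dec($3)
    }' "${1:-/proc/net/if_inet6}"
}

# fence_ok [FILE]: succeed only when no routable IPv6 address is configured,
# i.e. the host is reachable over IPv6 from the local link only.
fence_ok() {
    [ -z "$(routable_v6 "$@")" ]
}

# Constructed sample table: loopback, a link-local address, and a global
# address from the 2001:db8::/32 documentation prefix, as SLAAC would add
# after a router advertisement.
sample_if_inet6() {
    cat <<'EOF'
00000000000000000000000000000001 01 80 10 80 lo
fe80000000000000021122fffe334455 02 40 20 80 eth0
20010db800010000021122fffe334455 02 40 00 00 eth0
EOF
}
```

Running `fence_ok || routable_v6` from cron or a monitoring check flags the moment a prefix shows up on the network.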

