On Monday, May 29, 2017 at 9:57:08 AM UTC-7, Patrik Hagara wrote:
>
>
> I'd like to mention the relative complexity of the IPv6 specification 
> (and by extension, its implementations) as a reason against this 
> proposed change. For example, take a look at this list of CVEs 
> related to IPv6 [0]. Please also note that writing firewall rules 
> for IPv6 can be quite challenging at times. 
>

Against which proposed change? One is the standard dual stack with NAT66, 
the other NAT64, which, as I already mentioned, wouldn't work for us as it 
breaks some protocols. iptables is being replaced with nftables, which 
applies the same rules to both, so I don't think there would be much added 
challenge in that, but there are more pitfalls.

> Second, IPv6 was, in fact, designed with clients running multiple VMs 
> at a time in mind -- you're just supposed to delegate v6 addresses 
> from a /64 (or bigger) IPv6 prefix and not use a NAT mechanism. 
>

Wasn't RFC 4389 supposed to address that? In our case, we want to hide 
what's going on behind the netvm, but having this, or just a BINAT, would 
be good for a VM that we want to seem completely outside it.
 

> While I do accept the fact that IPv6 support is neccessary, I don't 
> think the existing v6 network stack implementations are quite as 
> mature as the v4 ones (which have undergone extensive testing "in 
> production" over the last few decades) -- especially not mature 
> enough for use in a security-oriented OS. 
>
> Should you find yourself in an environment with only v6 connectivity, 
> having IPv6 stack available **only** in the untrusted net VM will 
> definitely come in handy, but IMO all the VMs downstream should be 
> using v4 (either via 4in6 [1] or similar transition mechanism). 
>

I like this idea.

We could also only enable and NAT v6 in the VMs that need it, but this 
would add attack surface to the firewall VM.
Something like 4in6 from the app VM to the netvm would mean added firewall 
rules in the netvm, increasing its complexity.
A separate v6-enabled firewallvm would be additional overhead, but maybe 
not enough to matter.
 

> Cheers, 
> Patrik 
>
>
>
> [0] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ipv6 
>  
> [1] https://en.wikipedia.org/wiki/4in6 
>
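As an added illustration of the point made above about nftables covering both address families with one ruleset (this is example configuration written for this page, not code from the thread or from the Qubes project), here is a minimal gateway ruleset in the `inet` family. Interface names (`eth0` uplink, `vif*` downstream), the internal IPv4 range `10.0.0.0/8` and the ULA range `fd00::/8` behind NAT66 are all assumed placeholders.

```nftables
# Added example, not from the thread or the Qubes project.
# One "inet" table: every rule below matches IPv4 and IPv6 alike unless it
# names a family explicitly. Assumed names: uplink "eth0", downstream VM
# interfaces "vif*", internal v4 range 10.0.0.0/8, internal ULA fd00::/8.
table inet gateway {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Downstream VMs may open connections to the uplink only; nothing
        # from the uplink may initiate towards them, and VMs cannot reach
        # each other (no vif* -> vif* rule, so the drop policy applies).
        iifname "vif*" oifname "eth0" accept

        # One of the v6 pitfalls: these ICMPv6 errors are mandatory for
        # path MTU discovery and error signalling. Blanket-dropping ICMP
        # the way v4 rulesets often do silently breaks IPv6 connectivity.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # Neighbor Discovery on the uplink and on the VM links; without
        # these the v6 stack cannot resolve neighbours or learn its router.
        iifname "eth0" icmpv6 type { nd-router-advert,
                                     nd-neighbor-solicit,
                                     nd-neighbor-advert } accept
        iifname "vif*" icmpv6 type { nd-router-solicit,
                                     nd-neighbor-solicit,
                                     nd-neighbor-advert } accept
    }

    chain postrouting {
        # NAT chains in the inet family need a kernel that supports them
        # (5.2 or newer); otherwise split this into "ip" and "ip6" tables.
        type nat hook postrouting priority 100; policy accept;

        # v4 NAT and the NAT66 variant discussed above, one line each.
        oifname "eth0" ip saddr 10.0.0.0/8 masquerade
        oifname "eth0" ip6 saddr fd00::/8 masquerade
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`; the `icmpv6` rules are the part that has no v4 counterpart and is the usual thing missing from a ruleset that was written for v4 first.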

 
