On Mon, 15 Jul 2013, Reindl Harald wrote:
On 15.07.2013 23:19, Michael Hennebry wrote:
On Sun, 14 Jul 2013, Reindl Harald wrote:
the problem is that *three* sorts of evangelists hijacked
the original thread and changed multiple times the topic
If they changed the subject line
On 16.07.2013 09:12, Michael Hennebry wrote:
On Mon, 15 Jul 2013, Reindl Harald wrote:
On 15.07.2013 23:19, Michael Hennebry wrote:
On Sun, 14 Jul 2013, Reindl Harald wrote:
the problem is that *three* sorts of evangelists hijacked
the original thread and changed multiple times the
On Sun, 14 Jul 2013, Reindl Harald wrote:
the problem is that *three* sorts of evangelists hijacked
the original thread and changed multiple times the topic
If they changed the subject line accordingly, what is the problem?
Do you have a mail-reader that does not show subject lines?
I've had
It might be a good idea, then, to configure ip6tables to deny everything
and enable it just to be sure.
And this is one of the reasons that firewalld has come about... The same
rule (unless it specifies a family or has addressees in the rule of that
family) gets applied to both protocols.
i disagree also that it should be default disabled
*but* it should be disabled if you are on a network
with only a DHCP4 server and no DHCP6 or if you
have a static configuration without ipv6
currently you get a link-local address
This is by design. And with ipv6 incoming (big in Asia and
On 14.07.2013 01:15, Richard Sewill wrote:
keep in mind that there are environments far outside the
single workstation and security is *always* the big picture
of the complete environment and the weakest piece defines
your overall security
If an administrator or a normal
On 14.07.2013 00:33, David Beveridge wrote:
On Sat, Jul 13, 2013 at 2:36 AM, Reindl Harald h.rei...@thelounge.net wrote:
coming up with a link-local address inside a network
which is *pure ipv4* on a server means *any* random
device which does the same may bypass all your firewall
rule
On 13.07.2013 02:34, David Beveridge wrote:
On Sat, Jul 13, 2013 at 8:55 AM, Reindl Harald h.rei...@thelounge.net wrote:
and the answer comes back to exactly this port
https://en.wikipedia.org/wiki/Stateful_firewall
https://en.wikipedia.org/wiki/UDP_hole_punching
On some routers where
On 14.07.2013 08:53, James Hogarth wrote:
It might be a good idea, then, to configure ip6tables to deny everything and
enable it just to be sure.
And this is one of the reasons that firewalld has come about... The same rule
(unless it specifies a family or has
addressees in the rule of
Hi,
i disagree also that it should be default disabled
*but* it should be disabled if you are on a network
with only a DHCP4 server and no DHCP6 or if you
have a static configuration without ipv6
currently you get a link-local address
This is by design. And with ipv6 incoming (big
with zones home, work, public etc so it can
do the right thing from a security standpoint.
If you are worried about security you should be raising bugs against
the firewall, not disabling IPv6 completely.
dave
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription
On Fri, 2013-07-12 at 08:54 -0500, Chris Adams wrote:
The best practices have largely been agreed to (as much as any best
practices ever are). IPv6 is as mature as it can get until a billion
end-users get on it. Large ISPs around the world have rolled it out
in production. Major OSes
On 12.07.2013 16:04, Chris Adams wrote:
Once upon a time, Tim ignored_mail...@yahoo.com.au said:
How is your firewall set up? When you allow something for IPv4, does it
make a corresponding rule for IPv6, at the same time. Likewise, for if
you block something. And I mean that in two
On 12.07.2013 17:49, Fernando Lozano wrote:
[As I changed the subject, let me clear: IPv6 still compiled in the kernel.
Just the network interfaces configs
that should come with IPv6 disabled by default, if the user wants it should
be easy to enable]
exactly *that* is my point
it is
] On Behalf Of Fernando Lozano
Sent: Friday, July 12, 2013 5:50 PM
To: users@lists.fedoraproject.org
Subject: Proposal: Fedora should install with NETWORK [was IPv6] disabled by
default [was: Re: Disabling ipv6]
Hi Chris,
[As I changed the subject, let me clear: NETWORK [was: IPv6] still
On 12.07.2013 18:44, Fernando Lozano wrote:
[As I changed the subject, let me clear: IPv6 still compiled in the kernel.
Just the network interfaces configs
that should come with IPv6 disabled by default, if the user wants it should
be easy to enable]
exactly *that* is my point
it is
On 12.07.2013 19:41, Fernando Lozano wrote:
hence it would be enough if ifup would respect the configuration
i can not see just having IPv6 enabled means there is an IPv6 address
below - where is there ipv6 enabled? there is even a IPV6INIT=no
I have overlooked that. I'm not a Fedora
On 12.07.2013 20:24, David G.Miller wrote:
Fernando Lozano fernando at lozano.eti.br writes:
[As I changed the subject, let me clear: IPv6 still compiled in the
kernel. Just the network interfaces configs
SNIP
Perhaps Fedora is the wrong distribution for you.
The whole idea behind
no way to disable it on F19 with a F20 kernel
That being said, you and Fernando might wish to explore how to submit a
feature request to make enabling/disabling IPv6 easier and more intuitive.
Such a feature would be more in keeping with Fedora's goal of being a
technology incubator for what
On 12.07.2013 23:33, Joe Zeff wrote:
On 07/12/2013 02:17 PM, Fernando Lozano wrote:
1. Users should be able to disable IPv6. Today they can't and this is a
bug that hopefully will be solved soon. I think no one ever intended
IPv6 to be mandatory. ;-)
Actually, they can, but they have to
On 13.07.2013 00:01, Joe Zeff wrote:
On 07/12/2013 02:40 PM, Reindl Harald wrote:
so please read this and if possible please tell me the
magic where NM writes whatever in a unknown config file
to get rid of the ipv6-link-local address
On 13.07.2013 02:34, David Beveridge wrote:
On Sat, Jul 13, 2013 at 8:55 AM, Reindl Harald h.rei...@thelounge.net wrote:
and the answer comes back to exactly this port
https://en.wikipedia.org/wiki/Stateful_firewall
https://en.wikipedia.org/wiki/UDP_hole_punching
On some routers where
On 13.07.2013 00:45, David Beveridge wrote:
On Fri, Jul 12, 2013 at 4:43 AM, Joe Zeff j...@zeff.us wrote:
Can you give a practical example, please. I've no reason to disbelieve you,
but I've also never run across such a case and would like to see one.
This kind of depends on what
it can
do the right thing from a security standpoint.
there are environments with iptables-services for very
good reasons
If you are worried about security you should be raising bugs against
the firewall, not disabling IPv6 completely
no - if you are a sane admin you do not want *anything
On Sat, Jul 13, 2013 at 2:36 AM, Reindl Harald h.rei...@thelounge.net wrote:
this is childish
there is a difference between well aware ipv4 and
all sorts of firewalls and protections configured
or startup in a network with ipv6 enabled without
knowing it or not configured at all
coming up
The question, should IPv6, be disabled by default, is asked of people of
the user list.
At the moment, I am on the fence.
Is there a compromise where, during the Fedora install, when the person is
asked for some network information and asked for time zone and root
password, can the question be
the firewall, not disabling IPv6 completely
no - if you are a sane admin you do not want *anything* enabled
which does not match the big picture of the environment
keep in mind that there are environments far outside the
single workstation and security is *always* the big picture
On 07/12/2013 09:36 AM, Reindl Harald wrote:
coming up with a link-local address inside a network
which is *pure ipv4* on a server means *any* random
device which does the same may bypass all your firewall
rules since iptables and ip6tables are two different
services
It might be a good idea,
Hi Tim,
Many ISPs will, also, have to buy new equipment. For some of them, at
great expense. They're not going to do that unless they have to. Some
have been avoiding it just because the technicalities of it are a new
nightmare that they don't want to have to deal with (new security
issues,
Once upon a time, Tim ignored_mail...@yahoo.com.au said:
How is your firewall set up? When you allow something for IPv4, does it
make a corresponding rule for IPv6, at the same time. Likewise, for if
you block something. And I mean that in two ways, dealing with ports,
and addresses. I may
Hi,
You keep talking about IPv6 security risks (over IPv4), but haven't
cited any.
While I don't know of security risks of IPv6, itself, there is this:
If you follow IPv6 on the net you should have found lots of articles
about this, and how it affects specially home users and SMBs. Here are
manner.
I propose we let the billion dollars companies do the hard work, but at
the same protect SMBs from IPv6. The Fedora Project could do their part
by disabling IPv6 by default.
Please see my message providing links about IPv6 security threats,
including recent slides (this year!) from
let the billion dollars companies do the hard work, but
at the same protect SMBs from IPv6. The Fedora Project could do
their part by disabling IPv6 by default.
Again, you are years too late. Fedora would be greatly regressing (and
falling far behind mainstream OSes) by disabling IPv6.
Please
Hi,
Tim:
If manufacturers and software programmers don't pull their fingers
out, we'll be faced with even more ISPs subjecting their clients to
NAT.
Fernando Lozano:
Would this be so bad? Most people at work have been working using NAT
for years. NAT increases security. Most internet users
Hi,
NAT is a fact today, has been for years, and people have been using
Bittorrent and Skype regardless.
And sometimes they (and other applications) don't work, because of
things like layered NAT.
Fix NAT issues instead of ditch it altogether.
For home users and SMBs, NAT is something that
Hi,
It took me time to recover this one, another more technical content
about IPv6 security:
http://w3.antd.nist.gov/iip_pubs/Montgomery-ipv6-security-findings.doc
[]s, Fernando Lozano
Hi,
You keep talking about IPv6 security risks (over IPv4), but haven't
cited any.
While I don't know
5:50 PM
To: users@lists.fedoraproject.org
Subject: Proposal: Fedora should install with NETWORK [was IPv6] disabled by
default [was: Re: Disabling ipv6]
Hi Chris,
[As I changed the subject, let me clear: NETWORK [was: IPv6] still compiled in
the
kernel. Just the network interfaces configs
On Fri, 12 Jul 2013, j.witvl...@mindef.nl wrote:
If you got scared, why not keep the entire network down?
If you want it, sure you can enable it ;-)
That is what I do.
If I'm using my computer and need internet access,
I just click on the start-listening icon.
Said icon then becomes a
Hi,
If you got scared, why not keep the entire network down?
If you want it, sure you can enable it ;-)
By your reasoning, Fedora doesn't need to provide secure installation
defaults. Anyone could craft their own iptables rules and selinux
policies if they feel a need for better security.
Hi,
[As I changed the subject, let me clear: IPv6 still compiled in the kernel.
Just the network interfaces configs
that should come with IPv6 disabled by default, if the user wants it should be
easy to enable]
exactly *that* is my point
it is ridiculous that i have a clearly static ipv4
Hi,
hence it would be enough if ifup would respect the configuration
i can not see just having IPv6 enabled means there is an IPv6 address
below - where is there ipv6 enabled? there is even a IPV6INIT=no
I have overlooked that. I'm not a Fedora developer, have to check if
IPV6INIT means what me
Fernando Lozano fernando at lozano.eti.br writes:
Hi,
[As I changed the subject, let me clear: IPv6 still compiled in the
kernel. Just the network interfaces configs
SNIP
Perhaps Fedora is the wrong distribution for you.
The whole idea behind Fedora is for it to be an engineering
On 12.07.2013 18:44, Fernando Lozano wrote:
…
So, ifconfig or ip or whatever would have to disable IPv6 for any
interface that does not have an explicit IPv6 address. I'd think it
would be easier to have the default eth*-cfg files and Network Manager
disable IPv6 unless the user tells them
of System V init scripts and firewalld as well
as many others.
That being said, you and Fernando might wish to explore how to submit a
feature request to make enabling/disabling IPv6 easier and more intuitive.
Such a feature would be more in keeping with Fedora's goal of being a
technology incubator
Hi,
Perhaps Fedora is the wrong distribution for you.
The whole idea behind Fedora is for it to be an engineering proving
ground where new technologies (like IPv6) are rolled out for real world
use.
Not all Fedora users work in the networking fields. Many are developers
who don't care about
Hi,
Have you checked https://bugzilla.redhat.com/show_bug.cgi?id=982740?
yes i have NETWORKING_IPV6=no since virtually forever
in /etc/sysconfig/network as well as IPV6INIT=false
in the interface configurations
this was most time ignored
I wasn't aware this bug was so serious. Please add
On 07/12/2013 02:17 PM, Fernando Lozano wrote:
1. Users should be able to disable IPv6. Today they can't and this is a
bug that hopefully will be solved soon. I think no one ever intended
IPv6 to be mandatory. ;-)
Actually, they can, but they have to take the time to configure the
connection
Hi joe,
On 07/12/2013 02:17 PM, Fernando Lozano wrote:
1. Users should be able to disable IPv6. Today they can't and this is a
bug that hopefully will be solved soon. I think no one ever intended
IPv6 to be mandatory. ;-)
Actually, they can, but they have to take the time to configure the
Hi,
On 12.07.2013 18:44, Fernando Lozano wrote:
…
So, ifconfig or ip or whatever would have to disable IPv6 for any
interface that does not have an explicit IPv6 address. I'd think it
would be easier to have the default eth*-cfg files and Network Manager
disable IPv6 unless the user tells
On Fri, Jul 12, 2013 at 4:43 AM, Joe Zeff j...@zeff.us wrote:
Can you give a practical example, please. I've no reason to disbelieve you,
but I've also never run across such a case and would like to see one.
This kind of depends on what iptables or firewall rules you have,
but for a moment
This kind of depends on what iptables or firewall rules you have,
but for a moment let's assume that you allow related connections on your
input.
What this means is to allow anything you connect outbound to to be
trusted to make a reverse connection back to you.
So you are therefore trusting
On 12.07.2013 23:53, Fernando Lozano wrote:
Hi,
On 12.07.2013 18:44, Fernando Lozano wrote:
…
So, ifconfig or ip or whatever would have to disable IPv6 for any
interface that does not have an explicit IPv6 address. I'd think it
would be easier to have the default eth*-cfg files and Network
On Sat, Jul 13, 2013 at 8:55 AM, Reindl Harald h.rei...@thelounge.net wrote:
and the answer comes back to exactly this port
https://en.wikipedia.org/wiki/Stateful_firewall
https://en.wikipedia.org/wiki/UDP_hole_punching
On some routers where port randomization is performed on a
per-outbound
) would be similar. Disabling IPv6 by default would
not make it harder IMHO to install binaries that require IPv6.
Defaults should suit most users. Not a minority that requires IPv6
enabled and know how to manage it.
Are you a representative of the majority of users? :)
Of course not. :-) I can only
On Wed, 2013-07-10 at 20:30 +0200, Timothy Murphy wrote:
It seems IPv6 sites are rather rare.
I tried about a dozen sites in Ireland,
including most universities,
but only two came up positive: my own maths.tcd.ie
and heanet.ie , which sort of runs the internet in Ireland.
Spare IPv4
, and their service is totally free.
- Original Message -
From: Timothy Murphy [mailto:gayle...@alice.it]
Sent: Wednesday, July 10, 2013 07:07 PM W. Europe Standard Time
To: users@lists.fedoraproject.org users@lists.fedoraproject.org
Subject: Re: Disabling ipv6
Fernando Lozano wrote:
Given
Hi Tim,
Many ISPs will, also, have to buy new equipment. For some of them, at
great expense. They're not going to do that unless they have to. Some
have been avoiding it just because the technicalities of it are a new
nightmare that they don't want to have to deal with (new security
issues,
Hi,
On 07/10/2013 09:14 PM, ferna...@lozano.eti.br wrote:
And while we work out IPv6 and improve it, all users should be
vulnerable to current IPv6 problems? Are they supposed to be guinea pigs
for ipv6 development?
No, of course not. I never said that everybody should have IPv6
active.
Once upon a time, Fernando Lozano ferna...@lozano.eti.br said:
Would this be so bad? Most people at work have been working using
NAT for years. NAT increases security. Most internet users don't
need to run servers.
NAT does NOT increase security. NAT is a combination of a stateful
firewall
Hi,
Would this be so bad? Most people at work have been working using
NAT for years. NAT increases security. Most internet users don't
need to run servers.
NAT does NOT increase security. NAT is a combination of a stateful
firewall with a packet mangler; the security comes from the firewall,
Once upon a time, Fernando Lozano ferna...@lozano.eti.br said:
If NAT prevents anyone from the internet to try to connect to my
computer, this is increased security. After all, don't we configure
firewalls exactly to prevent unwanted connections?
Use the firewall, ditch the NAT. NAT does not
On 07/11/2013 11:12 AM, Chris Adams wrote:
Use the firewall, ditch the NAT. NAT does not increase security over a
firewall. In some cases, NAT prevents a user from accessing the
Internet, rather than the other way around.
Can you give a practical example, please. I've no reason to
Once upon a time, Joe Zeff j...@zeff.us said:
On 07/11/2013 11:12 AM, Chris Adams wrote:
Use the firewall, ditch the NAT. NAT does not increase security over a
firewall. In some cases, NAT prevents a user from accessing the
Internet, rather than the other way around.
Can you give a
, please correct me if I am wrong, IPv4 will be used in
preference to IPv6, when both are available.
I am curious. Is there any recommended equivalent of speedtest.net for
IPv6?
I have mixed feelings about disabling IPv6 or leaving IPv6 enabled.
Each person must make this decision, on their own
On 07/11/2013 12:12 PM, Chris Adams wrote:
I've seen people with double-NAT issues before, where special
protocols like FTP or game console can't traverse the double-NAT.
I'm not quite sure what you mean here. Are you referring to having one
router behind another, with both using NAT? I
curious. Is there any recommended equivalent of speedtest.net for
IPv6?
I have mixed feelings about disabling IPv6 or leaving IPv6 enabled.
Each person must make this decision, on their own.
See RFC3484 [0], page 11, section Destination Address Selection.
Rule 7: Prefer native transport
On Thu, Jul 11, 2013 at 12:36:10PM -0700, Joe Zeff wrote:
On 07/11/2013 12:12 PM, Chris Adams wrote:
I've seen people with double-NAT issues before, where special
protocols like FTP or game console can't traverse the double-NAT.
I'm not quite sure what you mean here. Are you referring to
Once upon a time, Richard Sewill rsew...@gmail.com said:
I tried ping and ping6 anyway. This is NOT on an idle network.
Since ICMP and ICMPv6 are low-priority, the data is not very useful.
Also, since latency is only one component of throughput (and most
communications are not particularly
On 07/11/2013 02:47 PM, Chris Adams wrote:
No, when both are available, IPv6 takes precedence (in general for
modern applications that don't override the precedence); this is spelled
out in several RFCs (can't recall the numbers). I think there is a
global way to override this (maybe
On 07/11/2013 12:45 PM, staticsafe wrote:
Some ISPs deploy something known as CGN (Carrier-Grade NAT) due to the
IPv4 shortage, in which case if your gateway device at home is also
doing NAT, you have double NAT.
Gotcha. However, as my modem does NAT, I'm behind a double NAT. Maybe
I'm
Tim:
If manufacturers and software programmers don't pull their fingers
out, we'll be faced with even more ISPs subjecting their clients to
NAT.
Fernando Lozano:
Would this be so bad? Most people at work have been working using NAT
for years. NAT increases security. Most internet users
Allegedly, on or about 11 July 2013, Chris Adams sent:
You keep talking about IPv6 security risks (over IPv4), but haven't
cited any.
While I don't know of security risks of IPv6, itself, there is this:
How is your firewall set up? When you allow something for IPv4, does it
make a
-Original Message-
From: users-boun...@lists.fedoraproject.org
[mailto:users-boun...@lists.fedoraproject.org] On Behalf Of Fernando Lozano
Sent: Tuesday, July 09, 2013 8:28 PM
To: Community support for Fedora users
Cc: Tim
Subject: Re: Disabling ipv6
Hi,
On Tue, 2013-07-09 at 10:58
proxy
*OUTSIDE* of my ISP). So...
Sometimes we technicians give advice based on an ideal world. :-) But on
the real world disabling IPv6 everywhere is the *right* thing to do for
many companies. if you don't have the need, don't have the knowledge and
your hardware/software doesn't
Hi,
disabling IPv6 everywhere is the *right* thing to do for
many companies. if you don't have the need, don't have the
knowledge and
your hardware/software doesn't support it well, IPv6 is not only
overhead with no added value but also may present a significant
security
risk
Fernando Lozano wrote:
Given IPv6 current state, where many vulnerabilities are related to
autoconfiguration for home and small networks, and given the fact many
ISPs still don't support IPv6 at all, IMHO the default setting should
be IPv6 disabled. Any end user or sysadmin should take
Once upon a time, Timothy Murphy gayle...@alice.it said:
As a matter of interest, how can one tell if an ISP supports IPv6?
This is slightly OT, but I often think I'd like to try using ipv6,
but when I ask I'm given a purely theoretical reply,
which I don't understand, usually involving SixXS.
I also would like to try using IPv6 periodically.
It's only recently, my local router had a firmware upgrade to support IPv6.
The default setting for IPv6 within the router is still Disabled.
When I change this setting to Auto Detect,
the router gets an IPv6 address from the ISP.
The router
Bill Oliver wrote:
Would test-ipv6.com or http://ipv6-test.com/validate.php give you the
information you want? Or are you talking about a network you are not
connected to...
Thanks very much, very useful.
The second URL seemed to give an answer for any site I tried.
It seems IPv6 sites are
Hi,
The last time I did this, I found IPv6 had a little more latency than
IPv4.
After deciding the ISP and router were still not there, I disabled IPv6.
I haven't tried this recently, but this thread makes me want to try again.
Hopefully the router has better firmware and the ISP IPv6
On 07/10/2013 06:38 PM, Fernando Lozano wrote:
Bottom line: you won't use IPv6 because it's better. We may find out in
the future it's actually much worse, but we will only know when it's as
widely used as IPv4. We all know IPv6 is inevitable given the expansion
of the Internet, but IPv6 is not
yourself took care of disabling IPv6, but how many computer
users will know they should? And how many Fedora users will know?
Installation defaults should serve the majority needs, not the IPv6
development agenda.
[]s, Fernando Lozano
On 07/10/2013 09:14 PM, ferna...@lozano.eti.br wrote:
And while we work out IPv6 and improve it, all users should be
vulnerable to current IPv6 problems? Are they supposed to be guinea pigs
for ipv6 development?
No, of course not. I never said that everybody should have IPv6 active.
What I
Hi all,
Once in a while I see people suggesting the disabling of IPv6 to cope with some
issue.
May I _kindly_ ask not to do that anymore?
Even though such trick might take away the symptoms for you and me, it is a
technical overkill and only tackles the symptoms.
Lately I read a message on
On Tue, 9 Jul 2013 10:58:59 +0200
j.witvl...@mindef.nl wrote:
May I _kindly_ ask not to do that anymore?
Even though such trick might take away the symptoms for you and me, it is a
technical overkill and only tackles the symptoms.
My main symptom is the single longest delay during the
mostly
On Tue, 2013-07-09 at 10:58 +0200, j.witvl...@mindef.nl wrote:
Once in a while I see people suggesting the disabling of IPv6 to cope
with some issue.
May I _kindly_ ask not to do that anymore?
Even though such trick might take away the symptoms for you and me, it
is a technical overkill and
On 09.07.2013 10:58, j.witvl...@mindef.nl wrote:
Hi all,
Once in a while I see people suggesting the disabling of IPv6 to cope with
some issue.
May I _kindly_ ask not to do that anymore?
Even though such trick might take away the symptoms for you and me, it is a
technical overkill
overkill and only tackles the symptoms.
In my case, I have a completely IPv4 network, and a complete
impossibility to do IPv6 over the internet (I'd need an IP6 to 4 proxy
*OUTSIDE* of my ISP). So...
Sometimes we technicians give advice based on an ideal world. :-) But on
the real world disabling
on an ideal world. :-) But on
the real world disabling IPv6 everywhere is the *right* thing to do for
many companies. if you don't have the need, don't have the knowledge and
your hardware/software doesn't support it well, IPv6 is not only
overhead with no added value but also may present a significant
89 matches