On 2014/04/29 22:25, Paul de Weerd wrote:
> Disabling IPv6 should not be necessary: it shouldn't be enabled by
> default, even link-local addresses.

If doing this, then we need a way to enable link-local, like the opposite
of "ifconfig $if -inet6". Current process to re-enable just the link-local
is to configure some other v6 address and delete it again, which is
acceptable when the option to remove the link-local is just used by people
who explicitly don't want v6 at all, but is a bit too ugly if it's
something that people need to use just to enable v6.

I also wonder about blocking all-nodes mcast in the sample pf.conf...
(personally there are places I find them very useful but I think this is
a saner default - it's always fun doing a node-name query on conference
wifi/etc).

Index: pf.conf
===================================================================
RCS file: /cvs/src/etc/pf.conf,v
retrieving revision 1.53
diff -u -p -r1.53 pf.conf
--- pf.conf     25 Jan 2014 10:28:36 -0000      1.53
+++ pf.conf     29 Apr 2014 21:35:03 -0000
@@ -19,6 +19,8 @@ set skip on lo
 block return   # block stateless traffic
 pass           # establish keep-state
 
+block in inet6 proto icmp6 to ff02::1  # block all-nodes multicast queries
+
 # rules for spamd(8)
 #table <spamd-white> persist
 #table <nospamd> persist file "/etc/mail/nospamd"
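Review bot: the rule matches every ICMPv6 type sent to ff02::1, not only the node information queries the comment (and the "node-name query" remark above) have in mind, and the all-nodes address is also where router advertisements and MLD general queries arrive, so a host that depends on RS/RA for its v6 configuration would stop receiving them. Narrowing the match with `icmp6-type`, e.g. `block in inet6 proto icmp6 to ff02::1 icmp6-type niqry` (type 139), keeps the intent without breaking autoconfiguration; the placement after the `pass` line is correct for pf's last-match semantics.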

> Why oh why can I bring up an interface and have attackers probe me
> over IPv6 on a default OpenBSD install while they cannot do so over
> IPv4?  Why is IPv6 more enabled than IPv4?  IPv4 takes configuration
> before it will work, IPv6 works without it.  I believe that's a
> problem that should be fixed before changing other defaults.
> 
> If I want IPv6 (static / RS / DHCPv6 / whatever), I should configure
> my machine with it .. just like with IPv4 (static / DHCP / whatever).
> Fuck this bullshit.  Please note that this is the protocol where many
> a developer will complain about how it's more complex than IPv4.
> 
> Paul 'WEiRD' de Weerd
> 
> PS: I tend to want IPv6 everywhere - I'm just opposing this STUPID
> default in OpenBSD.

My thinking is that *if* someone has taken steps to enable v6,
then programs should try to use it for comms where possible.
"family inet6 inet4" is too blunt and affects people who don't want
to touch v6. But if we can be smarter about only using v6 where
people have made that decision (i.e. AI_ADDRCONFIG), preferring
it is a good way to get the code better exercised and bugs found.
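As an added illustration of the "prefer v6 only where it is configured" idea (this is example code written for this page, not code from the thread or from OpenBSD): a small C client that resolves with AI_ADDRCONFIG, so a family is only returned when the host has a non-loopback address of that family (RFC 3493 semantics), then reorders the candidates so v6 is tried first. The function names, the v4/v6/v4 sample list and the default host/port are assumptions made here for the example.

```c
#define _POSIX_C_SOURCE 200112L
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hints asking for both families, with AI_ADDRCONFIG so a family is only
 * returned when the host has a (non-loopback) address of it configured.
 * Unlike a blanket "family inet6 inet4", this never touches v6 on a box
 * where nobody has enabled it. */
struct addrinfo prefer_configured_hints(int socktype)
{
    struct addrinfo hints;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = socktype;
    hints.ai_flags = AI_ADDRCONFIG;
    return hints;
}

/* Stable partition: AF_INET6 entries first, the rest after, relative order
 * kept. Only ai_next links are rewritten, so freeaddrinfo(3) on the
 * returned head still frees the whole list. */
struct addrinfo *v6_first(struct addrinfo *head)
{
    struct addrinfo *v6 = NULL, **v6t = &v6, *rest = NULL, **restt = &rest;
    struct addrinfo *ai, *next;

    for (ai = head; ai != NULL; ai = next) {
        next = ai->ai_next;
        ai->ai_next = NULL;
        if (ai->ai_family == AF_INET6) { *v6t = ai; v6t = &ai->ai_next; }
        else                           { *restt = ai; restt = &ai->ai_next; }
    }
    *v6t = rest;              /* non-v6 tail follows the v6 run */
    return v6;
}

/* Count the entries of one family in a result list. */
int count_family(const struct addrinfo *ai, int family)
{
    int n = 0;
    for (; ai != NULL; ai = ai->ai_next)
        n += (ai->ai_family == family);
    return n;
}

/* Resolve host:port, try v6 candidates before v4 ones (v6 only shows up
 * when AI_ADDRCONFIG saw it configured), return the first connected fd
 * or -1. A failure on one candidate just moves on to the next. */
int connect_prefer_v6(const char *host, const char *port)
{
    struct addrinfo hints = prefer_configured_hints(SOCK_STREAM), *res, *ai;
    int fd = -1, err = getaddrinfo(host, port, &hints, &res);

    if (err != 0) {
        fprintf(stderr, "getaddrinfo(%s): %s\n", host, gai_strerror(err));
        return -1;
    }
    res = v6_first(res);
    for (ai = res; ai != NULL && fd < 0; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd >= 0 && connect(fd, ai->ai_addr, ai->ai_addrlen) != 0) {
            close(fd);
            fd = -1;
        }
    }
    freeaddrinfo(res);
    return fd;
}

/* Constructed sample list (v4, v6, v4) in the order a resolver with no
 * family preference might return it. Only ai_family and ai_next are
 * filled in, which is all the ordering logic looks at; rebuilt on every
 * call because v6_first() relinks the nodes. */
struct addrinfo *sample_mixed_list(void)
{
    static struct addrinfo node[3];
    memset(node, 0, sizeof node);
    node[0].ai_family = AF_INET;  node[0].ai_next = &node[1];
    node[1].ai_family = AF_INET6; node[1].ai_next = &node[2];
    node[2].ai_family = AF_INET;  node[2].ai_next = NULL;
    return &node[0];
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "localhost";
    const char *port = argc > 2 ? argv[2] : "22";
    int fd = connect_prefer_v6(host, port);

    if (fd < 0) {
        fprintf(stderr, "no candidate for %s:%s accepted\n", host, port);
        return 1;
    }
    printf("connected to %s:%s on fd %d\n", host, port, fd);
    close(fd);
    return 0;
}
```

On a host with no v6 address configured, AI_ADDRCONFIG leaves the result list v4-only and the reordering is a no-op, which is the whole point: the v6-first preference only costs anything for people who chose to enable v6.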
