On Sat, May 03, 2014 at 10:03:30AM +0200, Paul de Weerd wrote: > On Fri, May 02, 2014 at 11:20:38PM +0200, Jérémie Courrèges-Anglas wrote: > | > I'm not referring to SLAAC. I'm referring to addresses that are > | > configured on interfaces without the user even requesting them. > | > link-local addresses, specifically. > | > | I was actually answering your question about link-local addresses. > > Fair enough, that wasn't clear to me. > > | > Bring up an interface and you > | > have IPv6. Accessible (and attackable) by everyone on the local > | > network (i.e., not firewalled by default). > | > | If you have no use for this interface, why do you bring it up? Why do > | you have services listening on it, be it an IPv4 address or an IPv6 > | link-local one? > > This is the default behavior from the installer when I install my > machine and pick 'none' for IPv6 addresses, but (e.g.) DHCP for v4. I > have an SSHD listening on link-local by default. > > | > Why do you expect this to > | > work without specific configuration (either setting up a static > | > address, configuring SLAAC, by using DHCPv6, or whatever means)? > | > | You know why. This is how v6 works, and I heard OpenBSD made a pretty > | good job at making it work in a pretty safe way. > > I know why, I'm challenging the status quo. And yes, I prefer it to > be OpenBSD, but it still goes against the OpenBSD philosophy. > > | > | > I believe your expectation here is wrong (although it is the current > | > | > state of IPv6 on OpenBSD). Can you explain why you disagree? > | > | > | > | Not really, I'm puzzled by your question. It works and has always > | > | worked but I shouldn't expect them to work... > | > > | > I'm puzzled by the fact it has always been this way in OpenBSD. It > | > goes against the OpenBSD philosophy. > | > | Maybe it is, or maybe not. I am not the one that says that (almost?) > | all the IPv6 implementations out there, running ND by default, are > | wrong. What's the actual impact? What are the risks? How do you > | evaluate them? How much may someone be surprised by this fact? > > I think you *are* the one to say that, together with a comunity that > values sane defaults over adhering to bad standards. If we, as a > group, move in this direction, we can set the example. How many > systems are running telnetd these days? This service used to be > enabled by default on many systems, look at history to see how great > an idea that was. It is OK to question the status quo. > > Users may be unaware they are running services accessible over IPv6, > forgetting to do proper filtering in pf, when they specify "none" for > IPv6 addresses in the installer. The risks seem obvious to me, ssh > scanners present the bulk of logging data on my machines that have ssh > open for the world, > > | > I'll try to rephrase the > | > question: > | > > | > Why do you expect that you are accessible on IPv6 > | > when you configure an interface with IPv4? You > | > don't expect to get IPv4 connectivity when you > | > configure IPv6, do you? > | > | Same answer. The current practice is to run ND and configure > | link-local addresses by default, yet I have to explain why this > | assumption should be valid. This is tiresome. > > "Everybody does it" is an argumentum ad populum. It's not right > because all systems do this. All systems do this because some RFC > told them to and apparently nobody considered the downsides (or they > dismissed them). > > I'm arguing it should be different since it is unexpected behavior > (keep in mind that you say 'none' to the "IPv6 address for em0? (or > 'rtsol' or 'none')" question in the installer - a link-local address > is not "none"), it goes against the OpenBSD philosophy and it exposes > an extra attack surface.
Just to remind everybody here. The last time we had to bump the remote hole counter in OpenBSD was because of IPv6. Because of that I'm all for not having IPv6 link local addresses set by default. It will also save us from some troubles with unnumbered interfaces (e.g. as part of a bridge(4)) that get an IPv6 address by default unless -inet6 is used. -- :wq Claudio
