[BALUG-Admin] IPv6 (& linuxmafia.com)

Michael Paoli Michael.Paoli@cal.berkeley.edu
Sat Feb 20 21:59:09 PST 2016


Hmmm, was thinking to perhaps take this else-list (it's more
general than "just" BALUG administrivia) ... but I'll probably
put a mention/pointer on the "talk" list a bit later,
as there's a mix of BALUG administrivia stuff ... and also some
Linux tech stuff that may be of more general interest, among
several of these BALUG-Admin list postings.

Anyway, my comment/reply bits in-line below.

> From: "Rick Moen" <rick@linuxmafia.com>
> Subject: Re: [BALUG-Admin] DNS slaves for BALUG?  :-) ... IPv6 issue somewhere between master and slaves?
> Date: Sat, 20 Feb 2016 19:59:11 -0800

> Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
>
>> Quite likely it's lack of IPv6 or some other IPv6 issue
>> on slave end(s)....
>
> Quite so.
>
> I have a very vague recollection of (possibly) having deliberately
> disabled IPv6 in the system network stack -- on the excellent grounds
> that I'm making no use of it, and network functions you're not using
> should be disabled as part of a comprehensive security policy.

Yes, IPv6 can be quite disabled on Linux operating systems, if one so
chooses.
In what bit I observed (have a post to put up in response to my earlier
posting), it doesn't look like IPv6 was disabled on linuxmafia.com - nor is
it explicitly enabled.  That gives one relatively default, dual stack,
have link-local IPv6 (can talk to other IPv6 on same subnet/LAN), but
no routable IPv6 - a semi-reasonable default compromise between absolute
security and absolute convenience.  If even more fully default (and
possibly also newer), it might auto-configure for routable IPv6 - if
that were offered by resources on the network - but I'm guestimating
that wouldn't apply to linuxmafia.com., as it's more generally
configured for static IP(s) on physical interfaces - so likely nothing
there set/configured to auto-configure ... beyond possibly the
non-routable link-local.

Short of totally disabling IPv6, a step that might be more useful - instead
totally disable IPv6 on any and all physical interfaces, but leave the IPv6
stack in place.  Two specific advantages I can think of for that - in addition
to giving most of the security benefits of totally disabling IPv6.
Fair bit more convenience - much software these days, and especially
for Linux, will presume the host is dual-stack - even if it doesn't have
any IPv6 Internet routable connectivity (or ditto for IPv4).  Much such
software will malfunction if installed/used - at least with its default
configuration, if the host doesn't even have IPv6 stack enabled - at least
until one reconfigures such software to completely and totally not use IPv6
at all.
Another advantage of not disabling the IPv6 stack totally - future-testing
and development, etc.  E.g. one could do purely local testing of IPv6 -
including also (if/when applicable) between virtual machine and physical
host.  That could be advantageous in developing/testing IPv6 before
rolling it out "for real" to Internet accessible routable usage of IPv6.

> FWIW, I cannot find where I did that (if I did that).  I find nothing in
> /etc/sysctl.conf (there being nothing in /etc/sysctl.d/ , and nothing in
> /etc/modprobe.d/aliases.conf).

Yes ... I think (if I recall correctly) in newer kernels, IPv6 may no longer
be a module? - but I'm not certain about that (reminds me of another
point on modules - but for another posting and list/thread).
In any case, through the /proc filesystem (or /sys?) and
/etc/sysctl.conf or the like, one can, among other things, disable IPv6,
including totally and completely, or on a per-interface basis.
I'm not sure, but there may also be means/options, to have it default
to being disabled, yet then allow it to be enabled on a per-interface
basis.  And keep in mind interfaces may be physical, or virtual (e.g.
loopback interface, interfaces between physical and virtual machines, etc.)

> Actually, /etc/modprobe.d/aliases.conf.dpkg-old has 'alias net-pf-10
> off' , but /etc/modprobe.d/aliases.conf does not.
>
> If it turns out that this is an IPv6 issue on slave end, then I'd
> suggest leaving it until my linuxmafia.com rebuild.

Yep, probably mostly easier to not muck about with IPv6 on linuxmafia.com
until it's more current on the operating system software version updates
(e.g. to a state that's both well supported on security updates and also will
continue to be supported for many months or more to come).

> I'm frankly, really not sold on the utility of IPv6 for the
> linuxmafia.com host at this time.  There are no relevant use-cases for
> which it's required.  Therefore, I might _even_ deliberately disable it
> on the rebuilt host (whether it is on the current host or not).

Context.  :-)  Yes, I agree, I see no requirement or (pressing?) need for
IPv6 on linuxmafia.com.  The answer to same question may be at least
somewhat different in 6 months, a year, 2 years, 5 years, ... but I
see no rush or pressing need to bring IPv6 to linuxmafia.com.

> That is, I tend to strongly concur with the standard advice that if you
> aren't using a network service, you should shut it off.  IPv6 is a
> network service (in effect, or an additional flavour of existing
> services).  As
> http://www.esecurityplanet.com/security-how-to/Linux-Hardening---Quick-Wins-3938786.htm
> puts it:
>
>   Disable IPv6: Unless you know that you need it, disabling IPv6 is a
>   good idea as it is hard to monitor, making it attractive for hackers,
>   and it's also hard to spot security vulnerabilities in the protocol.

Well, I think I'd be inclined to temper and update a statement like that.
While still quite true about "unneeded network services",
A) IPv6 is increasingly in use - "needed" may be just a matter of time
B) "hard to monitor" and such - I think many/most of those objections can
    probably be dispensed with at this time.  I don't think monitoring IPv6
    is really any harder than doing likewise for IPv4 ... but yes, sure, it
    is "one more thing" to monitor, etc.  "Of course" some day, getting rid of
    "one more thing" to monitor, may well entail turning off IPv4.  ;->
    ... but that day is still some fair ways off yet (guestimating maybe about
    a decade or so?)

Random: already encountering some environments that are mandating IPv6 only -
at least for anything at/to/beyond physical interface and possibly
also link-local.
Of course one is likely also aware, getting Internet routable IPv4
addresses is becoming increasingly difficult/costly.  I'll also mention that
NAT/SNAT tends to complicate a lot of things (like troubleshooting, and
security and related accountability) - with IPv6 one mostly can kiss NAT/SNAT
goodbye.
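As an added illustration of the "leave the stack, switch it off on the physical interfaces" middle ground discussed above (example added here, not code from the thread or from linuxmafia.com; the interface names eth0/eth1 and the sample sysctl output are constructed):

```shell
#!/bin/sh
# Policy: the IPv6 stack stays loaded (so dual-stack software and local
# testing over ::1 keep working), but IPv6 is switched off on every physical
# interface and on any interface created later.  Contrast with the thread's
# 'alias net-pf-10 off' in modprobe.d, which keeps the whole stack from loading.
# Assumed interface names: eth0, eth1 (constructed for this example).

# Fragment to drop into /etc/sysctl.d/ and apply with: sysctl --system
ipv6_policy_fragment() {
  cat <<'EOF'
# Physical interfaces: no IPv6 at all (no link-local, no autoconfiguration)
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.eth1.disable_ipv6 = 1
# Template for interfaces that appear later (e.g. VM taps/bridges)
net.ipv6.conf.default.disable_ipv6 = 1
# Loopback keeps ::1 so the stack is still there for local use and testing
net.ipv6.conf.lo.disable_ipv6 = 0
EOF
}

# Audit: feed it the output of `sysctl net.ipv6.conf` on stdin; it prints
# each interface (plus the 'default' template) where IPv6 is still enabled.
# 'all' is a write-through trigger, not a real status, so it is skipped;
# 'lo' is skipped because the policy deliberately leaves it on.
ipv6_enabled_ifaces() {
  sed -n 's/^net\.ipv6\.conf\.\([^.]*\)\.disable_ipv6 = 0$/\1/p' |
    grep -v -e '^lo$' -e '^all$' || :
}

# Constructed sample of a default dual-stack host before the fragment is applied.
sample_sysctl_before() {
  cat <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.eth1.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 0
EOF
}

# Offline simulation of applying the fragment (last value per key wins),
# so the audit can be checked without touching a live kernel.
simulate_after() {
  { sample_sysctl_before; ipv6_policy_fragment | grep -v '^#'; } |
    awk -F' = ' '{ v[$1] = $2 } END { for (k in v) print k " = " v[k] }' | sort
}
```

On a real host, `sysctl net.ipv6.conf | ipv6_enabled_ifaces` printing nothing means the policy is fully in effect.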
