From owner-freebsd-rc@FreeBSD.ORG Mon Oct 5 09:47:25 2009
Date: Mon, 5 Oct 2009 09:25:18 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: John Hay
Cc: freebsd-current@FreeBSD.org, Hiroki Sato, freebsd-rc@FreeBSD.org
Subject: Re: nd6 change and rc.d/network_ipv6 -> rc.d/netif integration (was: Re: svn commit: r197145 - in head: etc/defaults share/man/man5)
Message-ID: <20091005091708.J26486@maildrop.int.zabbadoz.net>
In-Reply-To: <20091005055806.GB58246@zibbi.meraka.csir.co.za>
References: <200909122222.n8CMMV3d099311@svn.freebsd.org> <4AB15FCE.70505@FreeBSD.org> <20090920.224018.16368211.hrs@allbsd.org> <20091005.123427.227628092.hrs@allbsd.org> <20091005055806.GB58246@zibbi.meraka.csir.co.za>
List-Id: "Discussion related to /etc/rc.d design and implementation."

On Mon, 5 Oct 2009, John Hay wrote:

Hi,

> On Mon, Oct 05, 2009 at 12:34:27PM +0900, Hiroki Sato wrote:
>> Hi,
>>
>> I would like your comments about merging the network_ipv6 -> netif
>> integration to stable/8. The issue of this rc.d script change is it
>> involves user-visible changes in rc.conf(5) variables as described in
>> UPDATING.
>>
>> I still want to do so before 8.0-R because the ND6 change in -CURRENT
>> needs updating IPv6-related rc.d scripts first. While the ND6 change
>> is not harmful from viewpoint of compatibility because basically it
>> just converts a global knob to a per-interface flag, handling it in
>> the rc.d scripts needs a kind of overhaul of rc.d/network_ipv6 and
>> rc.d/netif.
>>
>> The necessary changes have already been committed into -CURRENT.
>> It displays a warning to inform the users what is old in the rc.conf if
>> the user uses rc.d variables that have been changed, and at the same
>> time it keeps backward compatibility so that the old variables also
>> work. So, I think the impact is small enough, and this sort of
>> visible changes should be included in the .0 release rather than in
>> the middle of future 8.x releases.
>>
>> The patch for stable/8 can be found at:
>>
>> http://people.freebsd.org/~hrs/ipv6_stable8.20091005.diff
>>
>> This includes both of the ND6 kernel change and the rc.d script
>> change. If there is an objection from someone here I will put off
>> the merge until after 8.0-R.
>
> Is there a good reason why we still ship with ipv6 off by default? Most
> others seem to ship with ipv6 on. At least Windows, most linux flavours
> and Mac OS X which make up the rest of the machines on our network here
> at Meraka Institute.
>
> One thing that I have against the way the stuff in -current is done at
> the moment, is that it seems to be a lot more work to just get ipv6 to
> work. Either I did things wrong or we are taking a step backward. Make
> no mistake, I like the idea of being able to control it per interface,
> but it seems that you have to enable it per interface with a long string
> for each... I would rather that it is enabled everywhere by default and
> then you disable it where you do not want it.

Link-local had been enabled by default in the past and I am not sure if
we had an SA or EN for that or whether it was just preemptively disabled.

The problem is that if it is enabled by default you are exposing yourself
to others on the same network. That is of course especially bad if you
are in untrusted environments like conferences, ... or on a public LAN.
If we'd support IPv4 link-local addresses by default we would have to
apply the same logic there.

I am not sure about OSX but at least Windows has a firewall set to deny
any unrelated incoming things by default these days.
Just because others haven't yet (really) thought about the problems
doesn't mean they aren't there.

If you want to use IPv4 you either add an address or start DHCP or ..
and you have to configure that. If you want IPv6, you configure that as
well. You shall not have anything enabled by default that people can use
to attack you and that you don't know about because you didn't configure
it. While (we) IPv6 people know that it would be there, a lot of people
are still totally unaware of IPv6 and they would be surprised.

/bz

-- 
Bjoern A. Zeeb                      It will not break if you know what you are doing.
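The exposure Bjoern describes (a link-local address the administrator never configured makes the host reachable over IPv6 by everyone on the same LAN) is easy to check for once ND6 is a per-interface flag. The following POSIX sh audit is an added example and is not part of this message or of FreeBSD's rc.d scripts: it reads ifconfig(8)-style output and reports, for every non-loopback interface, whether an fe80::/10 address is present and whether the ACCEPT_RTADV and AUTO_LINKLOCAL flags are set. The ifconfig output embedded below is constructed for the example; the script assumes that ifconfig prints an "nd6 options=..." line per interface, which FreeBSD does once the per-interface ND6 flags discussed in this thread are in place.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc.d scripts: list the
# interfaces that currently expose an IPv6 link-local address, together with
# their per-interface ND6 flags, from ifconfig(8)-style text on stdin.
# Assumption: ifconfig prints an "nd6 options=..." line per interface.

# Constructed sample ifconfig(8) output, not captured from a real host.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet6 fe80::211:22ff:fe33:4455%em0 prefixlen 64 scopeid 0x1
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
wlan0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 66:77:88:99:aa:bb
        nd6 options=1<PERFORMNUD>'

# One line per non-loopback interface:
#   <if> linklocal=yes|no accept_rtadv=yes|no auto_linklocal=yes|no
ipv6_exposure_report() {
    awk '
    function flush() {
        if (ifname != "" && !loopback)
            printf "%s linklocal=%s accept_rtadv=%s auto_linklocal=%s\n",
                   ifname, ll, rtadv, autoll
    }
    # Interface header line, e.g. "em0: flags=8843<UP,...> metric 0 mtu 1500"
    /^[A-Za-z0-9.]+: flags=/ {
        flush()
        ifname = $1; sub(/:$/, "", ifname)
        loopback = ($0 ~ /LOOPBACK/) ? 1 : 0
        ll = "no"; rtadv = "no"; autoll = "no"
        next
    }
    # A configured fe80::/10 address means neighbours on the link can reach us over IPv6
    /^[ \t]+inet6 fe80:/ { ll = "yes" }
    # Per-interface ND6 flags as printed by ifconfig
    /^[ \t]+nd6 options=/ {
        if ($0 ~ /ACCEPT_RTADV/)   rtadv  = "yes"
        if ($0 ~ /AUTO_LINKLOCAL/) autoll = "yes"
    }
    END { flush() }
    '
}

# Just the names of the interfaces that are reachable via link-local IPv6 right now.
exposed_interfaces() {
    ipv6_exposure_report | awk '$2 == "linklocal=yes" { print $1 }'
}

# Stand-alone run: "--live" pipes the real ifconfig output, otherwise the sample.
if [ "${1:-}" = "--live" ]; then
    ifconfig | ipv6_exposure_report
else
    printf '%s\n' "$SAMPLE_IFCONFIG" | ipv6_exposure_report
fi
```

On the sample, em0 is reported with a link-local address and both ACCEPT_RTADV and AUTO_LINKLOCAL set, while wlan0 (down, no address) is reported clean; an interface that shows up in exposed_interfaces without the administrator having configured IPv6 on it is exactly the silent exposure the message warns about, and the obvious follow-ups are to remove the address, clear the flag, or put a deny-by-default firewall rule in front of it.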