Date: Thu, 28 Feb 2019 16:47:21 +0900 (JST)
From: Hiroki Sato <hrs@FreeBSD.org>
To: rgrimes@FreeBSD.org, freebsd@pdx.rh.CN85.dnsmgr.net
Cc: bz@FreeBSD.org, freebsd-net@FreeBSD.org, rmacklem@uoguelph.ca
Subject: Re: use of #ifdef INET and #ifdef INET6 in the kernel sources
Message-Id: <20190228.164721.696461235015072338.hrs@allbsd.org>
In-Reply-To: <201902280158.x1S1wi7s053904@pdx.rh.CN85.dnsmgr.net>
References: <8EDE90B3-0C33-47B5-88D8-964B131AEE2E@FreeBSD.org> <201902280158.x1S1wi7s053904@pdx.rh.CN85.dnsmgr.net>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

"Rodney W. Grimes" wrote in <201902280158.x1S1wi7s053904@pdx.rh.CN85.dnsmgr.net>:

fr> >
fr> > I know both of these groups still do exist.
fr> >
fr> > Also, any code not compiled in is not an attack surface, whether you
fr> > think it's executed or not.
fr>
fr> This last reason is/was a prevalent one for me for a long time,
fr> given ipv6 is trying to autoconfigure stuff and interfaces
fr> just get a link-local address that is reachable that I would
fr> have to secure. It was/is a royal pita to do that for lots of
fr> machines.
fr>
fr> Am I missing something, or is there just some way to turn off the
fr> link-local ipv6 address?

There is a way to disable automatic link-local address configuration,
but completely turning it off prevents NDP from working. Having a knob
to restrict L3 communication over link-local addresses may be a good
compromise. At this moment, a packet filter is required to do so.

-- Hiroki
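The packet-filter compromise Hiroki describes, as an added example that is not part of the thread or of FreeBSD's own configuration: a small sh script that emits a pf ruleset which lets the five NDP message types (RFC 4861: router solicitation/advertisement, neighbor solicitation/advertisement, redirect) through on an interface and drops every other IPv6 packet whose source or destination is a link-local address. The interface name em0 and the output path under /tmp are assumed placeholders; the pfctl check runs only if pfctl is installed.

```shell
#!/bin/sh
# Added example (not from the thread): keep NDP working on an interface while
# blocking all other L3 traffic that uses a link-local (fe80::/10) address.
# The interface name is an assumed placeholder; pass the real NIC as $1.

gen_ll_filter_rules() {
    ifc="${1:-em0}"                 # assumed interface name
    ll="fe80::/10"                  # link-local prefix (RFC 4291)
    # NDP message types from RFC 4861, spelled with pf.conf's icmp6-type names
    ndp="{ routersol, routeradv, neighbrsol, neighbradv, redir }"
    cat <<EOF
# NDP must pass. Duplicate Address Detection sends neighbor solicitations
# from the unspecified address ::, so that source is allowed alongside fe80::/10.
pass in  quick on $ifc inet6 proto icmp6 from { $ll, ::/128 } to any icmp6-type $ndp
pass out quick on $ifc inet6 proto icmp6 from { $ll, ::/128 } to any icmp6-type $ndp
# Everything else carrying a link-local source or destination is dropped,
# in both directions, so services bound to the address are unreachable
# without removing the address itself.
block in  quick on $ifc inet6 from $ll to any
block in  quick on $ifc inet6 from any to $ll
block out quick on $ifc inet6 from $ll to any
block out quick on $ifc inet6 from any to $ll
EOF
}

# Usage: write the rules to a file and, where pfctl exists, syntax-check them
# with -n (parse only, do not load), then show what was generated.
rules_file="${TMPDIR:-/tmp}/ll-filter.pf"   # assumed output path
gen_ll_filter_rules "${1:-em0}" > "$rules_file"
if command -v pfctl >/dev/null 2>&1; then
    pfctl -nf "$rules_file"
fi
cat "$rules_file"
```

The "turn it off completely" route Hiroki contrasts this with is the kernel's auto_linklocal setting (sysctl net.inet6.ip6.auto_linklocal, or per interface ifconfig IF inet6 -auto_linklocal); the ruleset above is the alternative that leaves the address in place so neighbor discovery, router discovery and DAD keep functioning. The quick keyword makes the pass rules win on first match, which is what lets the broad block rules that follow be safe; anything multicast-based beyond NDP (for example MLD reports to ff02::16) would need its own pass rule before the blocks.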