figueroa (Advocate), Joined: 14 Aug 2005, Posts: 2960, Location: Edge of marsh USA
Posted: Wed Jan 19, 2022 5:09 am, Post subject: Would USE=-ipv6 be worthwhile and safe?
My OpenRC desktop profile includes USE=ipv6 by default. That's "default/linux/amd64/17.1/desktop (stable)."
I don't see myself using IPv6 for many years. Would it be safe and worthwhile to rebuild 50 or so packages to add USE=-ipv6 to my /etc/portage/make.conf?
I'm thinking less is better, right? Are there any downsides/tradeoffs?
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/23.0/split-usr/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
pietinger (Moderator), Joined: 17 Oct 2006, Posts: 4125, Location: Bavaria
Posted: Wed Jan 19, 2022 1:51 pm, Post subject: Re: Would USE=-ipv6 be worthwhile and safe?
figueroa wrote: | I don't see myself using IPv6 for many years. Would it be safe and worthwhile to rebuild 50 or so packages to add USE=-ipv6 to my /etc/portage/make.conf? |
I did this many years ago, and IPv6 is still deactivated on my systems (because I don't need/want it).
figueroa wrote: | I'm thinking less is better, right? |
This is true, especially from a security point of view. (see also: https://en.wikipedia.org/wiki/IPv6#Security )
figueroa wrote: | Are there any downsides/tradeoffs? |
I haven't had any problems so far. On my systems I also have IPv6 disabled in my kernel configurations. If you don't want to change your kernel configuration, there is another way to disable it: https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters
There is another advantage if IPv6 is disabled: your firewall configuration is much easier.
grknight (Retired Dev), Joined: 20 Feb 2015, Posts: 1652
Posted: Wed Jan 19, 2022 2:00 pm
Personally, I'd rather recommend setting ipv6.disable=1 in the kernel parameters so the kernel will just say there is no support.
This prevents potential issues in software that just is not tested very well.
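Which of the possible states a machine is actually in is easy to misjudge: the sysctl route (net.ipv6.conf.all.disable_ipv6=1) leaves the IPv6 stack initialised, while ipv6.disable=1 and an unset CONFIG_IPV6 both leave /proc/sys/net/ipv6 missing. The POSIX sh check below classifies a box into those states. It is an added example written for this thread, not code from the posts, from Gentoo or from the linked hardening guide; the /proc paths are function parameters so it can be exercised offline, and the live invocation is shown in a comment. The distinction is what bites software that assumes IPv6 exists: with ipv6.disable=1 the kernel never initialises the IPv6 code, so socket(AF_INET6, ...) fails with EAFNOSUPPORT, whereas under the sysctl the socket opens but no interface carries an address.

```shell
#!/bin/sh
# Added example for this thread (not from the posts, Gentoo or the linked guide).
# Reports how IPv6 is disabled on a machine. The procfs paths are parameters
# so the functions can be tested offline; on a live system run
#   ipv6_stack_state /proc/sys/net/ipv6 "$(cat /proc/cmdline)"

# Returns 0 if the kernel command line carries ipv6.disable=1 (grknight's
# approach: the IPv6 code is linked in or loaded but never initialised, so
# AF_INET6 sockets fail with EAFNOSUPPORT and /proc/sys/net/ipv6 never appears).
ipv6_cmdline_disabled() {
    for word in $1; do
        [ "$word" = "ipv6.disable=1" ] && return 0
    done
    return 1
}

# Prints one word describing the IPv6 state:
#   absent            no /proc/sys/net/ipv6: CONFIG_IPV6 unset, or the module is not loaded
#   disabled-at-boot  same symptom, but caused by ipv6.disable=1
#   sysctl-disabled   stack initialised, addresses suppressed on all interfaces
#   partial           only "all" or only "default" is set; some interfaces may still get addresses
#   active            stack initialised and addresses allowed
# $1: directory standing in for /proc/sys/net/ipv6   $2: kernel command line
ipv6_stack_state() {
    procdir=$1
    cmdline=$2
    if [ ! -d "$procdir" ]; then
        if ipv6_cmdline_disabled "$cmdline"; then
            echo disabled-at-boot
        else
            echo absent
        fi
        return 0
    fi
    # The stack is present: look at the per-interface sysctl knobs.
    all=$(cat "$procdir/conf/all/disable_ipv6" 2>/dev/null || echo 0)
    default=$(cat "$procdir/conf/default/disable_ipv6" 2>/dev/null || echo 0)
    if [ "$all" = 1 ] && [ "$default" = 1 ]; then
        echo sysctl-disabled
    elif [ "$all" = 1 ] || [ "$default" = 1 ]; then
        echo partial
    else
        echo active
    fi
}
```

In the sysctl-disabled state the IPv6 code still runs for every incoming IPv6 frame, which is why filtering it (as pa4wdh suggests further down) still matters there, but not in the other two states.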
pjp (Administrator), Joined: 16 Apr 2002, Posts: 20067
Posted: Thu Jan 20, 2022 1:06 am
Be aware that some programs may require it, even if they install without it. I can't find a reference now, but I was unable to configure postgresql after installing it. My recollection is that it uses IPv6 internally and (inferring) it uses the IPv6 space that encapsulates IPv4 addresses. I wasn't about to reconfigure a kernel with IPv6 support solely for that. I installed mariadb instead.
_________________
Quis separabit? Quo animo?
figueroa (Advocate), Joined: 14 Aug 2005, Posts: 2960, Location: Edge of marsh USA
Posted: Thu Jan 20, 2022 4:25 am
Thank you for the responses. I think I WILL.
Can I disable IPv6 in the kernel config by just changing CONFIG_IPV6=m (currently) to "not set"?
pietinger (Moderator), Joined: 17 Oct 2006, Posts: 4125, Location: Bavaria
Posted: Thu Jan 20, 2022 12:03 pm
figueroa wrote: | Can I disable IPv6 in the kernel config by just changing CONFIG_IPV6=m (currently) to "not set"? |
Yes (if you do it with "make menuconfig", all dependent modules will be disabled as well; take a look into the crypto section before and after you have disabled IPv6).
pa4wdh (l33t), Joined: 16 Dec 2005, Posts: 811
Posted: Thu Jan 20, 2022 3:28 pm
If you somehow need IPv6 enabled in your kernel and still don't want to use it, you can always use nftables or ip6tables to block it completely.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
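One way to do what pa4wdh suggests with nftables, as an added example that is not part of the original post or of any Gentoo configuration: an ip6-family table with a drop policy on all three hooks, plus an ip-family rule that drops IPv4 protocol 41 so that 6in4 (sit) encapsulated IPv6 is discarded before the tunnel code ever sees it. The table names are my own choice; the add/delete/redefine sequence is the usual idiom that makes re-running nft -f safe instead of appending duplicate rules.

```shell
#!/bin/sh
# Added example, not from this thread or from Gentoo: an nftables ruleset
# that drops all IPv6 on a kernel that still has CONFIG_IPV6, plus IPv4
# protocol 41 so 6in4/sit tunnel traffic never reaches the tunnel code.
# Table names are my own choice.

# Print the ruleset. Adding then deleting each table before redefining it
# makes a second `nft -f` replace the rules instead of appending to them.
ipv6_block_ruleset() {
    cat <<'EOF'
add table ip6 block_ipv6
delete table ip6 block_ipv6
table ip6 block_ipv6 {
    chain input   { type filter hook input   priority 0; policy drop; }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy drop; }
}
add table ip block_6in4
delete table ip block_6in4
table ip block_6in4 {
    chain input  { type filter hook input  priority 0; policy accept; ip protocol 41 counter drop; }
    chain output { type filter hook output priority 0; policy accept; ip protocol 41 counter drop; }
}
EOF
}

# Load the ruleset into the running kernel (needs root and nf_tables support).
apply_ipv6_block() {
    ipv6_block_ruleset | nft -f -
}
```

Check the result with nft list ruleset, then persist it the way your init system's nftables service expects. This only filters IPv6 once it is inside the kernel: it is the layer that matters when IPv6 is merely switched off through sysctl, and it is unnecessary once CONFIG_IPV6 is unset, because then neither the ip6 hooks nor the protocol 41 decapsulation exist.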
Perfect Gentleman (Veteran), Joined: 18 May 2014, Posts: 1246
Posted: Thu Jan 20, 2022 4:05 pm
It is definitely safe.
figueroa (Advocate), Joined: 14 Aug 2005, Posts: 2960, Location: Edge of marsh USA
Posted: Fri Jan 21, 2022 9:36 pm
pietinger wrote: | figueroa wrote: | Can I disable IPv6 in the kernel config by just changing CONFIG_IPV6=m (currently) to "not set"? |
Yes (if you do it with "make menuconfig", all dependent modules will be disabled as well; take a look into the crypto section before and after you have disabled IPv6). |
Easier done than said. In the newly stable sys-kernel/gentoo-sources-5.10.93, deselecting IPV6 under Networking Options using menuconfig, as asked above, deselected ALL IPV6-related items in the resulting .config. It's compiling now. I'm concurrently also running a world update implementing USE=-ipv6 globally, affecting 44 installed packages.
pjp (Administrator), Joined: 16 Apr 2002, Posts: 20067
Posted: Fri Jan 21, 2022 10:55 pm
figueroa wrote: | pietinger wrote: | figueroa wrote: | Can I disable IPv6 in the kernel config by just changing CONFIG_IPV6=m (currently) to "not set"? |
Yes (if you do it with "make menuconfig", all dependent modules will be disabled as well; take a look into the crypto section before and after you have disabled IPv6 ;-) ). |
Easier done than said. In the newly stable sys-kernel/gentoo-sources-5.10.93, deselecting IPV6 under Networking Options using menuconfig, as asked above, deselected ALL IPV6-related items in the resulting .config. It's compiling now. I'm concurrently also running a world update implementing USE=-ipv6 globally, affecting 44 installed packages. |
What was the before and after difference in the crypto section?
figueroa (Advocate), Joined: 14 Aug 2005, Posts: 2960, Location: Edge of marsh USA
Posted: Sat Jan 22, 2022 2:44 am
pjp wrote: | ...
What was the before and after difference in the crypto section? |
"The crypto section" is ambiguous to me. Let me know if you are looking for a named section in particular, or if the following doesn't answer your question; I'll be happy to answer some other way:
Code:
```
$ grep -i ipv6 .config.old
CONFIG_IPV6=m
# CONFIG_IPV6_ROUTER_PREF is not set
# CONFIG_IPV6_OPTIMISTIC_DAD is not set
# CONFIG_IPV6_MIP6 is not set
# CONFIG_IPV6_ILA is not set
# CONFIG_IPV6_VTI is not set
CONFIG_IPV6_SIT=m
# CONFIG_IPV6_SIT_6RD is not set
CONFIG_IPV6_NDISC_NODETYPE=y
# CONFIG_IPV6_TUNNEL is not set
# CONFIG_IPV6_MULTIPLE_TABLES is not set
# CONFIG_IPV6_MROUTE is not set
# CONFIG_IPV6_SEG6_LWTUNNEL is not set
# CONFIG_IPV6_SEG6_HMAC is not set
# CONFIG_IPV6_RPL_LWTUNNEL is not set
# IPv6: Netfilter Configuration
# CONFIG_NF_SOCKET_IPV6 is not set
# CONFIG_NF_TPROXY_IPV6 is not set
# CONFIG_NF_DUP_IPV6 is not set
CONFIG_NF_REJECT_IPV6=m
CONFIG_NF_LOG_IPV6=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
# end of IPv6: Netfilter Configuration
CONFIG_NF_DEFRAG_IPV6=y
```
vs
Code:
```
$ grep -i ipv6 .config
# CONFIG_IPV6 is not set
```
pietinger (Moderator), Joined: 17 Oct 2006, Posts: 4125, Location: Bavaria
Posted: Sat Jan 22, 2022 9:21 am
pjp wrote: | What was the before and after difference in the crypto section? |
With IPv6, IPsec AH and ESP are also enabled by default. These select some modules in the Cryptographic API. After disabling IPv6 completely, you will not have these enabled anymore:
Code:
```
-*- Cryptographic API --->
-*- Cryptographic algorithm manager
-*- Software async crypto daemon
-*- Authenc support
-*- GCM/GMAC support
-*- Sequence Number IV Generator
-*- Encrypted Chain IV Generator
-*- CTR support
-*- HMAC support
-*- GHASH hash function
```
figueroa (Advocate), Joined: 14 Aug 2005, Posts: 2960, Location: Edge of marsh USA
Posted: Sat Jan 22, 2022 4:26 pm
pietinger wrote: | pjp wrote: | What was the before and after difference in the crypto section? |
With IPv6, IPsec AH and ESP are also enabled by default. These select some modules in the Cryptographic API. After disabling IPv6 completely, you will not have these enabled anymore:
Code:
```
-*- Cryptographic API --->
-*- Cryptographic algorithm manager
-*- Software async crypto daemon
-*- Authenc support
-*- GCM/GMAC support
-*- Sequence Number IV Generator
-*- Encrypted Chain IV Generator
-*- CTR support
-*- HMAC support
-*- GHASH hash function
```
|
I have none of these before or after with gentoo-sources-5.10.88 or 93.
sam_ (Developer), Joined: 14 Aug 2020, Posts: 1678
Posted: Sat Jan 22, 2022 9:09 pm
grknight wrote: | Personally, I'd rather recommend setting ipv6.disable=1 in the kernel parameters so the kernel will just say there is no support.
This prevents potential issues in software that just is not tested very well. |
Agreed, this would be my recommendation if you want to disable IPv6.
I commented on this on the gentoo-dev ML too with a bit more detail.
psycho (Guru), Joined: 22 Jun 2007, Posts: 534, Location: New Zealand
Posted: Sat Jan 22, 2022 10:30 pm
I've had "# CONFIG_IPV6 is not set" for many years now (probably always) and don't recall any problems. I also have -ipv6 in make.conf. What pjp said triggered a vague memory of something requiring IPv6 to function properly (and something weird... not like a network tool, but something I wasn't expecting to need it), but it's obviously not an issue now... maybe some unnecessary dependencies on IPv6 have been fixed in some packages. Anyway, my boxes are perfectly happy without any mention of it.
pjp (Administrator), Joined: 16 Apr 2002, Posts: 20067
Posted: Sun Jan 23, 2022 12:41 am
pietinger wrote: | pjp wrote: | What was the before and after difference in the crypto section? |
With IPv6, IPsec AH and ESP are also enabled by default. These select some modules in the Cryptographic API. After disabling IPv6 completely, you will not have these enabled anymore:
Code:
```
-*- Cryptographic API --->
-*- Cryptographic algorithm manager
-*- Software async crypto daemon
-*- Authenc support
-*- GCM/GMAC support
-*- Sequence Number IV Generator
-*- Encrypted Chain IV Generator
-*- CTR support
-*- HMAC support
-*- GHASH hash function
```
|
At some point, I disabled IPv6. I do think I remember turning on some crypto options, but I don't recall what. I'm currently still using a 4-series kernel. Are any of the options you list particularly needed for commonly installed software? I'm keeping an eye out for things I "should" do when I upgrade to 5. I'm thinking of starting clean and following the kernel security project / guide (I forget the name) very closely.
pietinger (Moderator), Joined: 17 Oct 2006, Posts: 4125, Location: Bavaria
Posted: Sun Jan 23, 2022 1:25 am
pjp wrote: | Are any of the options you list particularly needed for commonly installed software? |
I don't know of any. The most used (besides IPsec) are fscrypt and dm-crypt. When you select fscrypt, it enables/selects all the needed modules itself. For dm-crypt you have to know what to enable for it (but there are many descriptions). In both cases I would also recommend enabling the better algorithms for newer CPUs (if you have one), e.g.: [*] AES cipher algorithms (AES-NI). The explanation is in parentheses. Don't worry about applications: if any needs some crypto or hash modules, it will tell you ;-)
pjp wrote: | I'm thinking of starting clean and following the kernel security project / guide (I forget the name) very closely. |
The name is KSPP -> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
For some months now we have had new kernel options in our Gentoo section:
Code:
```
Gentoo Linux --->
    [*] Kernel Self Protection Project --->
        [*] Enable Kernel Self Protection Project Recommendations
        [*] X86_64 KSPP Settings
```
(The last option depends on your system; you will see both only if some options are disabled, therefore I suggest first doing all the disabling of options per the KSPP page and afterwards enabling them with these Gentoo options; or take a look into /usr/src/linux/distro/Kconfig.)
At the moment it is not quite updated for 5.15.16. I also enabled these options when I did my update from 5.10.x (the default was "N"o):
Code:
```
CONFIG_WERROR=y
CONFIG_SYSFB_SIMPLEFB=y
CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y
CONFIG_IOMMU_DEFAULT_DMA_STRICT=y
CONFIG_ZERO_CALL_USED_REGS=y
```
I think these two are needed as well, but I'm waiting for more information:
Code:
```
# CONFIG_SCHED_CORE is not set
# CONFIG_KFENCE is not set
```
pjp (Administrator), Joined: 16 Apr 2002, Posts: 20067
Posted: Sun Jan 23, 2022 7:52 am
Yes. I kept thinking of the S as security, but didn't think that was correct. I went through it once before (around Spectre), but it was somewhat of a pain. I only implemented some of it and never made it back to evaluate some of the stricter options. 5 seems like a good time to revisit it. Fortunately 4 isn't going away any time soon.
pietinger wrote: | I don't know of any. The most used (besides IPsec) are fscrypt and dm-crypt. When you select fscrypt, it enables/selects all the needed modules itself. For dm-crypt you have to know what to enable for it (but there are many descriptions). In both cases I would also recommend enabling the better algorithms for newer CPUs (if you have one), e.g.: [*] AES cipher algorithms (AES-NI). The explanation is in parentheses. Don't worry about applications: if any needs some crypto or hash modules, it will tell you ;-) |
I thought maybe you recommended checking crypto before and after disabling IPv6 due to something needed being unset. I may just leave IPv6 configured and disable it during boot. Then it's at least there if I'm forced into it somehow. I try to avoid recompiling kernels if I can. The difference between my current version and the latest stable of that release is negligible. If not for working through a better build process, I'd probably not bother with it.
pietinger wrote: | For some months now we have had new kernel options in our Gentoo section:
Code:
```
Gentoo Linux --->
    [*] Kernel Self Protection Project --->
        [*] Enable Kernel Self Protection Project Recommendations
        [*] X86_64 KSPP Settings
```
(The last option depends on your system; you will see both only if some options are disabled, therefore I suggest first doing all the disabling of options per the KSPP page and afterwards enabling them with these Gentoo options; or take a look into /usr/src/linux/distro/Kconfig.) |
Interesting. That should make it a lot easier. Although I've also been considering using a vanilla kernel. If nothing else I'd gain a greater appreciation for the Gentoo kernel team.
pietinger wrote: | At the moment it is not quite updated for 5.15.16. I also enabled these options when I did my update from 5.10.x (the default was "N"o): |
Unless there's a newer LTS version by the time I'm ready, I'd be using 5.10. 5.15 EOL in 2023 doesn't seem to qualify as "L"TS.
Hu (Moderator), Joined: 06 Mar 2007, Posts: 21602
Posted: Sun Jan 23, 2022 5:25 pm
I think the cross connection between cryptography and IPv6 is that enabling IPv6 requires enabling certain kernel cryptographic features that you otherwise could disable. Thus, by disabling IPv6, you gain the option to also disable those cryptographic features. If you enable IPv6, you must include those cryptographic features, even if you have no use for them outside IPv6. If you're looking to minimize the enabled features in your kernel, whether for size concerns or to minimize attack surface, disabling IPv6 would let you disable some cryptographic features, which would be a double win.
pjp (Administrator), Joined: 16 Apr 2002, Posts: 20067
Posted: Mon Jan 24, 2022 1:31 am
A good point. Some of them seem commonly used, and I presume that support in the kernel is required for userland tools. I believe I noticed AES not enabled at some point, perhaps after disabling IPv6. Other than for common uses (ssh, tls, gpg, ...) I don't directly use encryption, so "most people should say yes / enabled by default" would be nice :).
figueroa (Advocate), Joined: 14 Aug 2005, Posts: 2960, Location: Edge of marsh USA
Posted: Mon Jan 24, 2022 3:49 am
A diff of the full .config after disabling IPv6 and before disabling doesn't show anything dramatic or unusual. I only made the one configuration change. All the other changes were automatically included -- or more accurately excluded.
Code:
$ diff .config .config.old
885a886
> # CONFIG_XFRM_INTERFACE is not set
895a897
> CONFIG_NET_IP_TUNNEL=m
898a901
> # CONFIG_NET_FOU_IP_TUNNELS is not set
901a905
> CONFIG_INET_TUNNEL=m
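Review bot: CONFIG_NET_IP_TUNNEL=m and CONFIG_INET_TUNNEL=m drop out of the new .config entirely rather than flipping to "is not set", which shows that on this configuration nothing but the IPv6 sit driver (CONFIG_IPV6_SIT=m in the next hunk) had selected them; with them gone the kernel no longer carries the IPv4 protocol 41 (6in4) decapsulation path at all, a small but real reduction in reachable code on top of the IPv6 stack itself.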
907c911,928
< # CONFIG_IPV6 is not set
---
> CONFIG_IPV6=m
> # CONFIG_IPV6_ROUTER_PREF is not set
> # CONFIG_IPV6_OPTIMISTIC_DAD is not set
> # CONFIG_INET6_AH is not set
> # CONFIG_INET6_ESP is not set
> # CONFIG_INET6_IPCOMP is not set
> # CONFIG_IPV6_MIP6 is not set
> # CONFIG_IPV6_ILA is not set
> # CONFIG_IPV6_VTI is not set
> CONFIG_IPV6_SIT=m
> # CONFIG_IPV6_SIT_6RD is not set
> CONFIG_IPV6_NDISC_NODETYPE=y
> # CONFIG_IPV6_TUNNEL is not set
> # CONFIG_IPV6_MULTIPLE_TABLES is not set
> # CONFIG_IPV6_MROUTE is not set
> # CONFIG_IPV6_SEG6_LWTUNNEL is not set
> # CONFIG_IPV6_SEG6_HMAC is not set
> # CONFIG_IPV6_RPL_LWTUNNEL is not set
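Review bot: the old side of this hunk shows CONFIG_INET6_AH, CONFIG_INET6_ESP and CONFIG_INET6_IPCOMP as "is not set", so on this .config IPv6 had never pulled in the IPsec selections pietinger described; that is why no Cryptographic API entries appear anywhere in this diff, and the before/after crypto check is only informative on configurations where those three were enabled.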
989a1011,1027
> #
> # IPv6: Netfilter Configuration
> #
> # CONFIG_NF_SOCKET_IPV6 is not set
> # CONFIG_NF_TPROXY_IPV6 is not set
> # CONFIG_NF_DUP_IPV6 is not set
> CONFIG_NF_REJECT_IPV6=m
> CONFIG_NF_LOG_IPV6=m
> CONFIG_IP6_NF_IPTABLES=m
> CONFIG_IP6_NF_MATCH_IPV6HEADER=m
> CONFIG_IP6_NF_FILTER=m
> CONFIG_IP6_NF_TARGET_REJECT=m
> CONFIG_IP6_NF_MANGLE=m
> # CONFIG_IP6_NF_RAW is not set
> # end of IPv6: Netfilter Configuration
>
> CONFIG_NF_DEFRAG_IPV6=y
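Review bot: the disappearance of CONFIG_IP6_NF_IPTABLES=m, CONFIG_IP6_NF_FILTER=m, CONFIG_IP6_NF_MANGLE=m and CONFIG_IP6_NF_TARGET_REJECT=m removes the kernel side of ip6tables, so any firewall script that still calls ip6tables (or an init script that runs ip6tables-restore) will now fail; remove those calls rather than let a script abort part-way through loading the IPv4 rules. CONFIG_NF_DEFRAG_IPV6=y and the rest of the "IPv6: Netfilter Configuration" block going away with it is expected and wanted: without CONFIG_IPV6 there is no IPv6 traffic left to filter.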
1007a1046
> # CONFIG_6LOWPAN is not set
1157a1197
> CONFIG_DST_CACHE=y
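pietinger's advice to compare the crypto section before and after, pjp's question about what actually changed, and the raw diff above all come down to comparing two .config files by option prefix. The kernel tree's own scripts/diffconfig does the general job; the helpers below are an added example written for this thread (not code from the posts or from Gentoo) that answers the narrower questions directly: config_section_diff lists every option under a prefix whose value changed, reporting an option that vanished because its dependency (here CONFIG_IPV6) went away as "-", and config_check audits a .config against a list of expected values such as the KSPP-related options pietinger listed upthread. They assume plain Kconfig output; the option names in the test data are taken from this thread, the values are constructed.

```shell
#!/bin/sh
# Added example for this thread, not code from the posts or from Gentoo.
# Helpers for the "what changed in .config" question. They assume plain
# Kconfig output: "CONFIG_X=value" and "# CONFIG_X is not set".

# config_value FILE NAME: prints y, m or the literal value; n for "is not
# set"; "-" when the option is absent, i.e. Kconfig dropped it because a
# dependency (for instance CONFIG_IPV6) is no longer satisfied.
config_value() {
    awk -v name="$2" '
        $0 == ("# " name " is not set") { print "n"; found = 1; exit }
        index($0, name "=") == 1        { print substr($0, length(name) + 2); found = 1; exit }
        END { if (!found) print "-" }' "$1"
}

# config_section_diff OLD NEW PREFIX: one line per option starting with
# PREFIX whose value differs, as "NAME old -> new".
config_section_diff() {
    awk -v prefix="$3" '
        function note(name, value) {
            if (FILENAME == ARGV[1]) before[name] = value; else after[name] = value
            seen[name] = 1
        }
        match($0, "^# " prefix "[A-Za-z0-9_]* is not set$") { note($2, "n"); next }
        index($0, prefix) == 1 && (eq = index($0, "=")) > 0 {
            note(substr($0, 1, eq - 1), substr($0, eq + 1))
        }
        END {
            for (name in seen) {
                o = (name in before) ? before[name] : "-"
                n = (name in after)  ? after[name]  : "-"
                if (o != n) printf "%s %s -> %s\n", name, o, n
            }
        }' "$1" "$2" | LC_ALL=C sort
}

# config_check FILE EXPECTATIONS: EXPECTATIONS holds "CONFIG_X=value" lines
# (value n means "must not be built"; an absent option satisfies n).
# Prints every mismatch and returns 1 if there was at least one.
config_check() {
    status=0
    while IFS='=' read -r name want; do
        case $name in ''|'#'*) continue ;; esac
        have=$(config_value "$1" "$name")
        case "$want:$have" in
            "$want:$want"|n:-) ;;
            *) printf '%s: want %s, have %s\n' "$name" "$want" "$have"; status=1 ;;
        esac
    done < "$2"
    return $status
}
```

With the two files from this thread, config_section_diff .config.old .config CONFIG_IPV6 gives the IPv6 part of the diff above as one line per option, and config_section_diff .config.old .config CONFIG_CRYPTO_ answers pjp's question directly (empty output on figueroa's kernel, matching what he reported). A file of CONFIG_X=value lines fed to config_check after every kernel upgrade catches hardening options that silently fell back to their defaults.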