Should IPv6 be disabled by default in 2020?
Ref:
- https://github.com/rocknsm/rock/blob/fb15c5e981cc3e47e6f6a4461cb64384061cfca9/roles/common/tasks/configure.yml#L71
- https://github.com/rocknsm/rock/blob/98859f66cf1dfe475a842508f5a381d63befc6d5/playbooks/templates/ifup-local.j2#L35
- https://github.com/rocknsm/rock/blob/64d2d71f4a4f86f22c720aed76c27007d46745f0/tests/test_common.py#L27
This has been in place for as long as I can remember on ROCK and similar NSM stacks. I think the criticisms of IPv6 have been well discussed & need not reiterating. However, it's common (and increasingly so) for networks to have a non-ignorable mix of IPv4 and IPv6 traffic. The primary concern with dropping all IPv6 packets is in deployments where ROCK NSM is not inline and potentially could miss threats being sent over IPv6.
Perhaps it was justifiable when DISA STIGs were recommending, "V-38546 Medium The IPv6 protocol handler must not be bound to the network stack unless needed." This is no longer the case as these rules (like SV-25272r1_rule) were removed in 2018. In addition, the USGv6 Program has become very mature with many devices and software supporting the government standard.
Opening this issue to begin a conversation on supporting IPv6. Let me know your thoughts. Hope everyone on the ROCK squad is doing good. Best, ~Jackson
Dammit, Austin. I was limbering up to knock this down, but you make some solid points.
I think that overall IPv6 isn't being used legitimately across the enterprise, but that doesn't mean it's disabled. A better approach might be to generate an "event" when IPv6 is detected (which I do see in ROCK). It's seen (IMO) as more of an error in the way CentOS "disables" IPv6 than anything else.
All-in-all, fair point. Not closing for additional commentary.
So, the key item from an NSM perspective is we ensure IPv6 is disabled on the monitor interface for a few reasons:
- I don't want communication possible with my sensor through this interface
- It generates packets for network discovery whether you ask it to or not
That said, it's not a hard change to run the sysctl disable only on the monitor interfaces. There is some annoyance that is installation dependent w/ things like DNS resolver pulling back IPv6 addresses and yum doesn't have an IPv6 network path to reach that server. sshd can be a pain too sometimes.
In a perfect world, I think it'd be truly great to only manage the IPv6 stack since IPv4 is a subset of the address space anyway.
In summary, I propose we disable IPv6 on the monitor interfaces and determine if there are other blockers that we run into.
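The proposal above (sysctl disable on the monitor interfaces only, management interface left alone) as an added example; this is not ROCK's own code or anything from the linked playbooks. It assumes the monitor interface names are passed as arguments, and the output file path in the usage comment is a placeholder, not a path ROCK uses.

```shell
#!/bin/sh
# Added example (not ROCK's code): emit a sysctl.d fragment that disables IPv6
# only on the named monitor interfaces, so the sensor neither answers on them
# nor sends neighbor/router discovery, while the management interface keeps
# its IPv6 stack for DNS, yum and sshd.
set -eu

# Reject anything that is not a plausible Linux interface name, because the
# name is spliced into a sysctl key. Constructed rule: letters, digits and
# . _ : - only, at most 15 characters (the kernel's IFNAMSIZ limit).
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9._:-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print one disable_ipv6 line per monitor interface given as an argument.
# Fails with non-zero status on the first invalid name so a typo cannot
# silently produce a fragment that disables nothing.
gen_monitor_ipv6_sysctl() {
    for ifname in "$@"; do
        valid_ifname "$ifname" || {
            echo "invalid interface name: $ifname" >&2
            return 1
        }
        printf 'net.ipv6.conf.%s.disable_ipv6 = 1\n' "$ifname"
    done
}

# Report the live kernel setting for one interface: prints 1 if IPv6 is
# disabled there, 0 if enabled, and returns non-zero if the interface has no
# entry under /proc/sys (not present, or IPv6 module not loaded).
ipv6_disabled_on() {
    f="/proc/sys/net/ipv6/conf/$1/disable_ipv6"
    [ -r "$f" ] || return 1
    cat "$f"
}

# Usage (placeholder path):
#   sh monitor-ipv6.sh em2 em3 > /etc/sysctl.d/90-monitor-ipv6.conf && sysctl --system
#   ipv6_disabled_on em2    # expect 1 after applying
if [ $# -gt 0 ]; then
    gen_monitor_ipv6_sysctl "$@"
fi
```

Because the setting is keyed per interface (net.ipv6.conf.IFACE.disable_ipv6) rather than net.ipv6.conf.all, the management interface is never touched, which is what avoids the resolver and yum breakage mentioned above. The ipv6_disabled_on check is the thing to put in a test like tests/test_common.py: assert 1 on each monitor interface and 0 on the management interface.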
Both concerns listed @dcode are smartly correct, especially in a key terrain aspect. I agree there would be annoying changes needed to support IPv6. Unfortunately, I'm not here to make a PR- just to voice a potential blind spot. Schnorrer out.