Charles Curley wrote:
On Sun, Jun 10, 2007 at 08:15:49PM +0530, Rahul Sundaram wrote:
Andras Simon wrote:
Right, but I think that it is relevant in a discussion about "secure
by default". (I'd be more than happy to be corrected about this.)
I can't see how it is relevant. It isn't a daemon and it doesn't connect
to the network. If you did disable it and it was turned on that is indeed a
bug but not one that really affects security.
I respectfully disagree. I realize that the ipv6 kernel module is not
a daemon and does not itself connect to the network. It is part of the
kernel.
You've heard of "security by obscurity"? I prefer the opposite:
security by simplicity. I have a very simple rule of security: if it
isn't there, they can't crack it. If IPV6 is not requested, the module
should not be loaded.
Like I said if it does load when disabled it is a bug but loading such a
kernel module has very different impact on security compared to a
network daemon. Let's not dilute the discussion by comparing them in the
same breath.
Rahul