[Bug 24828] Re: IPv6 should be disabled by default

Fabio Massimo Di Nitto fabbione at ubuntu.com
Mon Apr 2 15:39:05 UTC 2007


Rémi Denis-Courmont wrote:
> First my apologies for the initial remark. I did not realize that 
> getaddrinfo() actually stopped doing AAAA if ipv6 was not loaded even 
> if AI_ADDRCONFIG was not set.

no problem :)

> 
> Answers inline.
> 
> On Monday 2 April 2007 06:53, Fabio Massimo Di Nitto wrote:
>> Remi, restoring IPv6 is a matter of adding/uncommenting a line in
>> interfaces or removing the blacklist. I don't believe that it can be
>> such a big source of headaches.
> 
> So, how do I deploy Ubuntu with IPv6 to a large number of PCs with 
> non-techies users?
> 
> Even if I could modify the configuration manually, how do I cope with 
> configuration files updates from Ubuntu? dpkg will not deploy new 
> versions because the configuration files changed.

/etc/network/interfaces is not considered a configuration file and no package
owns it. So you can modify it at will.

> 
> At the very least, the ipv6 blacklist should be in a file of its own so 
> that it does not prevent upgrading the rest of the file for people 
> still using IPv6.

It is on its own blacklist file alone.

> 
> That's not only immensely impractical for "human beings", the current 
> solution provides no sane exit strategy and upgrade path, which is the 
> most basic question to answer when deploying this kind of kludge.

Well here we need to balance what are the pros and cons. Pros are a lot given
how many people are unfortunately hit by broken hw and broken DNS
implementations. Cons is only one.. to re-enable autoconf you need to either
unblacklist ipv6 or add one line to /etc/network/interfaces.

I think the overall price is worth the benefit.

> On my system, the upgrade also had the very unkind effect of breaking 
> ip6tables completely, since IPv6 autoloading got disabled, and any sane 
> person will do firewall configuration before configuring the network 
> interfaces.

I usually load a firewall on given protocol once lo is up on that protocol for 2
reasons:

1) I can make sure the protocol is loaded
2) it is always executed before any real interface is up.

Another way to hook up a firewall script to a specific protocol is to use the
/etc/modprobe.d/ to run a script as soon as a certain module is loaded.

> 
>> What MacOS does is also not completely proper.
> 
> The MacOS X solution is far from perfect, but it is surely much less 
> worse than permanently killing IPv6 because of a few broken DNS caches.

s/caches/implementations and it's not just DNS here. As I said there is also
broken hardware around.

> 
>> I can have only
>> link-local address and use them to connect from one machine to
>> another with proper entries in the DNS. 
> 
> Any applications, with the possible exception of ping6, will 
> return "Invalid argument" error because the DNS resolver cannot 
> guess/set the scope ID in the IPv6 socket address structure. Furthermore 
> many applications cannot deal with link-local anyway because they do 
> not preserve the scope ID even if it's set.
> 
> On top of that, putting link-local in the DNS is against documented 
> standard practices.

It appears somebody is using it this way and it was brought up as use case.
I will check this up again.

Fabio

PS I don't exclude that the use case was based on a personally developed
application that we cannot exclude to exist.

-- 
I'm going to make him an offer he can't refuse.

-- 
IPv6 should be disabled by default
https://bugs.launchpad.net/bugs/24828
You received this bug notification because you are a member of Kernel
Bugs, which is a subscriber of a duplicate bug.
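
The scope ID issue discussed in the thread above, as an added example that is not part of the original message or of any Ubuntu code: it parses IPv6 literals with getaddrinfo(), flags link-local addresses that carry no scope ID, and shows how rebuilding a socket address from the 128-bit address alone loses the scope. The function names and the sample addresses (including the interface index 7) are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200112L  /* getaddrinfo() under strict -std= modes */
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Parse a numeric IPv6 literal without any DNS lookup. Returns 0 on success. */
int parse_v6(const char *literal, struct sockaddr_in6 *out)
{
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET6;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;       /* literal only, never query DNS */
    if (getaddrinfo(literal, NULL, &hints, &res) != 0)
        return -1;
    memcpy(out, res->ai_addr, sizeof *out);
    freeaddrinfo(res);
    return 0;
}

/* 1 if the address is link-local (fe80::/10) but has no scope ID, i.e. the
 * case the thread describes as ending in an "Invalid argument" error. */
int missing_scope(const struct sockaddr_in6 *sa)
{
    return IN6_IS_ADDR_LINKLOCAL(&sa->sin6_addr) && sa->sin6_scope_id == 0;
}

/* The lossy pattern: keep only the address bytes and rebuild the sockaddr. */
void rebuild_from_addr_only(const struct sockaddr_in6 *in, struct sockaddr_in6 *out)
{
    memset(out, 0, sizeof *out);
    out->sin6_family = AF_INET6;
    out->sin6_port = in->sin6_port;
    out->sin6_addr = in->sin6_addr;        /* sin6_scope_id is not carried over */
}

int main(void)
{
    /* Constructed sample inputs: scoped, unscoped and global addresses. */
    const char *samples[] = { "fe80::1%7", "fe80::1", "2001:db8::1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct sockaddr_in6 sa, copy;
        if (parse_v6(samples[i], &sa) != 0)
            continue;
        rebuild_from_addr_only(&sa, &copy);
        printf("%-12s scope=%u missing=%d missing_after_copy=%d\n", samples[i],
               (unsigned)sa.sin6_scope_id, missing_scope(&sa), missing_scope(&copy));
    }
    return 0;
}
```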



