Don't suggest disabling IPv6 (or make it harder)

[virtuallynathan]

IPv6 is important to the future of the Internet; suggesting users to disable it seems unwise. If it is believed to improve security, I would make this a forced option, not a suggested one.

[kristovatlas]

Thanks for the feedback. My sense is that the cost of the small number of users using this tool disabling IPv6 is much smaller than the upside to those users to decrease their attack surface by disabling IPv6. Does that make sense?

In general, it would be nice to provide context and nuance to users about these choices, but the majority of users making use of this tool are looking to secure their machine with the minimum effort necessary. Consequently, I haven't thought of a good way to do this.

One option is to tack on a section about ipv6 to the README, but I expect it would have a rather small impact. Feel free to make a PR to this end.

[ghost]

IPv6 is sure the future but it's not official yet, so I guess it would be hard to keep something that is intended for future white it's being used against users. When it's solid and secure enough, a user can simply enable it. By the way, some ISP has already deployed 4to6 and tunneling in their backbone networks, so for the time being, it's at ISP level, only.

A hint before applying the fix would be sufficient.

[eugenpirogoff]

I would like to know more about "decrease their attack surface by disabling IPv6" ?

[kristovatlas]

@eugenpirogoff you might find this interesting: https://www.ernw.de/download/ERNW_Hardening_IPv6_MacOS-X_v1_0.pdf

Also general security related to IPv6, not specific to MacOS: https://www.cisco.com/web/SG/learning/ipv6_seminar/files/02Eric_Vyncke_Security_Best_Practices.pdf

http://meetings.apnic.net/__data/assets/pdf_file/0004/45589/IPv6-Security-Threats-Mitigations_Apricot_v4.pdf

[lahdekorpi]

This seems like a kind of weird thing to do in 2019...