What is Netgate's stance on kernel modules vs monolithic kernels today?
  • Re: Disable IPv6

    In the referenced thread above it was mentioned that ipv6 was compiled into the kernel instead of added as a module. I'm curious if the position on using modules has changed since storage and memory resources aren't as constrained as they once were (I assume this was the reason that choice was made).

    Strictly from a security viewpoint (Least privilege / Zero Trust), removing (not "disabling") ipv6 would help limit the attack surface. Implementation bugs continue to be discovered and exploited, and the quickest and most efficient way to protect against this is with complete removal of unneeded code. The ability to disable modules is a great vector for this. It is also helpful for zero days -- while the BSD and Netgate developers rush in their development cycles to push out a fix, the userbase would be in a better position to immediately disable the exploitable code.

    More pragmatically, at least for ipv6, it would mean fewer firewall rules, less traffic through services like Suricata, and better network metrics while removing all the noise and overhead that exists there now. This all aligns with the KISS (Keep It Simple Stupid) principle. There are also efficiency bonuses -- while storage and memory resources are more plentiful, processing today's number of packets continues to be a resource constraint (at least for all the Netgate gear I have). There are also efficiency bonuses for down-stream servers like SIEMs, which consume and store this log and metric data for query and archival reasons.