-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06/27/2012 03:19 AM, Alex Efros wrote:
> Hi!
>
> On Wed, Jun 27, 2012 at 02:33:49AM +0200, Francisco Blas Izquierdo
> Riera (klondike) wrote:
>>> Correct me if I'm wrong, but enabling IPv6 means needing to
>>> support two different routing tables and two different
>>> firewalls.
>> Different routing tables maybe, but the firewall is still the
>> same, the iptables based one. And with the ipv6 USE you get it.
>
> By "two different firewalls" I mean needing to support two
> different sets of firewall rules, one for iptables and a second for
> ip6tables.
>
>> Anyway, for this to happen you must (and these are all necessary
>> conditions):
>> * Have an ipv6 route from the attacker to the affected machine
>> * Have ipv6 enabled in the kernel.
>> * Have an ipv6 address assigned accessible by the attacker.
>> * Get the attacker to know said address (since bruteforcing the
>>   address space is hard to say the least).
>> * Have anything listening on that address (depending on the attack
>>   the icmpv6 server could be it but there are other services which
>>   listen to ipv6 no matter what you do).
>
> I've no idea how many people have IPv6 enabled in the kernel
> unintentionally, but all other conditions in many cases will be
> satisfied unintentionally:
> * a route usually exists between two machines supporting the same
>   protocol
> * an ipv6 address may be automatically assigned by the ISP by
>   dhcp/ppp
> * the address may be known using dns/dyndns; also bruteforcing
>   addresses provided by the same ISP isn't more complicated than
>   bruteforcing IPv4 addresses, because ISPs usually provide them in
>   the same predictable way
> * with the ipv6 USE flag enabled many, if not most, daemons will be
>   listening on the IPv6 address without special configuration by
>   the admin
>
> I.e. if you have IPv6 enabled in the kernel, and your ISP at some
> point decides to provide IPv6 addresses, with default USE=ipv6 your
> system and services may become unintentionally accessible by IPv6.
>
> So, the only real condition from your list is enable/disable IPv6 in
> the kernel.
>
>>> BTW, do there exist (Gentoo?) guides/howtos which explain
>>> these issues (preferably from a "differences from IPv4" point of
>>> view) to the average admin who knows how to set up IPv4 and knows
>>> nothing about IPv6, and provide a minimum recommended
>>> configuration for IPv6 routing/firewall? I think enabling IPv6
>>> by default should begin with writing such docs.
>> # ip6tables -A INPUT -j DROP
>> # ip6tables -A OUTPUT -j DROP
>> # ip6tables -A FORWARD -j DROP
>> There you are safe now.
>
> Safe, but not working. Do you enable the ipv6 USE flag just to force
> people to either disable unintentionally enabled IPv6 in the kernel
> and/or add this ip6tables configuration? I suppose you enable the
> ipv6 USE flag to make it easier for people to start using IPv6. But
> to use IPv6 these ip6tables rules don't help - we really need docs on
> how to set up an IPv6 firewall in a secure way, written by people who
> have not just read the IPv6 RFCs, but understood all the security
> implications of IPv6-specific features. The last time I tried to
> google for such docs was a few years ago, but I found nothing at all.
>

Those who have IPv6 enabled in the kernel unintentionally probably
aren't very security minded and probably aren't using Hardened.
They're moot. We cannot help reckless individuals.

As far as I've seen with ip6tables, the rules are the same. They
work the same way as iptables. There's just a bit of an accent to some
rules, which is usually the appending of '6' (e.g., icmp6 instead of
icmp).

- --
Mr. Aaron W. Swenson
Gentoo Linux Developer
Email : titanofold@g.o
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
GnuPG ID : D1BBFDA0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk/rBHwACgkQVxOqA9G7/aA8mgD/SWOUViEekO2gFkfujne+K/1v
vJNrYSXaq/qEBdmTUj4A/jPU/0lROjqprvZ7YOb+kgYAFVof7OIRs0kEZYiDyI0l
=MCdd
-----END PGP SIGNATURE-----
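The thread contrasts klondike's three drop-everything ip6tables rules ("safe") with Alex's objection that such a host no longer works on IPv6, and asks what a minimum recommended IPv6 firewall looks like. The concrete difference from IPv4 is that IPv6 cannot function without a handful of ICMPv6 messages: Neighbor Discovery (types 133 to 136) replaces ARP, and Packet Too Big (type 2) is required for Path MTU discovery because IPv6 routers never fragment. The script below is an added example written for this page, not code posted by anyone in the thread or shipped by Gentoo. It emits a host ruleset in ip6tables-restore format whose INPUT and FORWARD policies are DROP, then accepts only those ICMPv6 types, loopback, and replies to connections the host itself opened; everything else inbound is still dropped. It assumes an ip6tables with the `conntrack`, `hl`, `limit` and `icmp6` matches (any 1.4-series build) and a host that does not route for others.

```shell
#!/bin/sh
# Added example for the gentoo-hardened thread above; not the thread's or
# Gentoo's own code. Emits a minimal IPv6 host firewall in
# ip6tables-restore format. Default policy drops inbound and forwarded
# traffic, but the ICMPv6 that IPv6 needs on-link is allowed so the host
# keeps working (unlike "ip6tables -A INPUT -j DROP" alone).
set -eu

# Print the ruleset on stdout. Comment lines are accepted by
# ip6tables-restore, so the file can be saved as-is.
ip6_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, plus replies to connections this host initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMPv6 error messages: without type 2 (Packet Too Big) Path MTU
# discovery fails and large transfers hang, since IPv6 routers do not
# fragment.
-A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
# Neighbor Discovery, the IPv6 replacement for ARP (router
# solicitation/advertisement, neighbor solicitation/advertisement).
# RFC 4861 requires these to carry hop limit 255; a router would have
# decremented it, so anything arriving from off-link is dropped by the
# policy instead of being accepted here.
-A INPUT -p ipv6-icmp --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
# Echo requests: keep reachability tests working, but rate-limited
-A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 5/s -j ACCEPT
COMMIT
EOF
}

# Number of ICMPv6 types the ruleset lets in; useful for a quick audit
# that nobody widened the list.
ip6_icmp_accept_count() {
    ip6_ruleset | grep -c -- '--icmpv6-type'
}

# Load the ruleset into the kernel (root required). The --test pass
# parses the file without committing, so a typo cannot leave the host
# half-configured.
ip6_apply() {
    ip6_ruleset | ip6tables-restore --test
    ip6_ruleset | ip6tables-restore
}

case "${1:-}" in
    --apply) ip6_apply ;;
    *)       ip6_ruleset ;;
esac
```

Run it without arguments to review the generated file (or redirect it to `/var/lib/ip6tables/rules-save` on Gentoo), and with `--apply` as root to load it. Services that should be reachable over IPv6 still need their own `-A INPUT -p tcp --dport ... -j ACCEPT` lines, which is exactly where Aaron's observation applies: apart from the `ipv6-icmp` protocol name and the `--icmpv6-type` match, the syntax is the iptables syntax the admin already knows.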