| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA256 |
| 3 |
|
| 4 |
On 06/26/2012 08:33 PM, Francisco Blas Izquierdo Riera (klondike) wrote: |
| 5 |
> El 26/06/12 05:03, Alex Efros escribió: |
| 6 |
>> Hi! |
| 7 |
> Hi! |
| 8 |
>> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote: |
| 9 |
>>>> I'm alerting users so that you can make whatever changes you |
| 10 |
>>>> like to ipv6 in your /etc/make.conf. In about 24 hours I |
| 11 |
>>>> will turn on by default ipv6 on all hardened profiles. |
| 12 |
>>> I use ipv6 on all my servers (not that everyone does). We will |
| 13 |
>>> have to enable it eventually, sooner is probably better then |
| 14 |
>>> later I think. |
| 15 |
>> Correct me if I'm wrong, but enabling IPv6 mean needs in |
| 16 |
>> supporting two different routing tables and two different |
| 17 |
>> firewalls. |
| 18 |
> Different routing tables maybe but the firewall is still the same, |
| 19 |
> the iptables based one. And with the ipv6 USE you get it. |
| 20 |
>> Also, I suppose enabling IPv6 on any server/router with |
| 21 |
>> non-trivial IPv4 firewall rules may (and probably will!) result |
| 22 |
>> in creating new security holes until admin will develop IPv6 |
| 23 |
>> firewall rules similar to existing IPv4 firewall rules. |
| 24 |
> The use has little to nothing to see with this, the ipv6 is not a |
| 25 |
> magic use flag that necessarily works with all packages, it only |
| 26 |
> does it with those that have it. Other may just not have an option |
| 27 |
> to disable ipv6. Anyway for this to happen you must (and these are |
| 28 |
> all necessary conditions): * Have an ipv6 route from the attacker |
| 29 |
> to the affected machine * Have ipv6 enable on the kernel. * Have an |
| 30 |
> ipv6 address assigned accesible by the attacker. * Get the attacker |
| 31 |
> to know said address (since bruteforcing the address space is hard |
| 32 |
> to say the least). * Have anything listening on that address |
| 33 |
> (depending on the attack the icmpv6 server could be it but there |
| 34 |
> are other services who listen to ipv6 no matter what you do). |
| 35 |
> |
| 36 |
> If one of them doesn't hold the risk is not much more than the risk |
| 37 |
> some uncalled code can provide which is still not much. |
| 38 |
>> And I suppose just trying to duplicate existing rules as is won't |
| 39 |
>> be enough because of new IPv6-specific features, which is absent |
| 40 |
>> in IPv4, and which should be additionally blocked/enabled too. |
| 41 |
> This depends a lot on which rules you have. In general it is more |
| 42 |
> about the address block than anything else. |
| 43 |
>> If I'm right (about creating new security holes because of |
| 44 |
>> enabling ipv6 USE flag) then it may be bad idea to enable it by |
| 45 |
>> default until we'll be sure admin is ready for this (for example, |
| 46 |
>> we may check is IPv6 enabled in kernel and is there exists IPv6 |
| 47 |
>> firewall rules). |
| 48 |
> You are mostly wrong, the only issue I can think of is if you |
| 49 |
> enabled ipv6 on the kernel in which case you are probably fucked |
| 50 |
> since daemons may be listening there anyway even before the |
| 51 |
> change. |
| 52 |
>> BTW, is there exists (Gentoo?) guides/howtos which explain these |
| 53 |
>> issues (preferably from "differences from IPv4" point of view) to |
| 54 |
>> average admin who know how to setup IPv4 and know nothing about |
| 55 |
>> IPv6, and provide minimum recommended configuration for IPv6 |
| 56 |
>> routing/firewall? I think enabling IPv6 by default should begins |
| 57 |
>> from writing such docs. |
| 58 |
> # ip6tables -A INPUT -j DROP # ip6tables -A OUTPUT -j DROP # |
| 59 |
> ip6tables -A FORWARD -j DROP There you are safe now. |
| 60 |
> |
| 61 |
This is almost what I wrote to send to the list, but decided to wait a |
| 62 |
day and sleep on it. But mine had more pepper in it. |
| 63 |
|
| 64 |
- - Aaron |
| 65 |
|
| 66 |
- -- |
| 67 |
Mr. Aaron W. Swenson |
| 68 |
Gentoo Linux Developer |
| 69 |
Email : titanofold@g.o |
| 70 |
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0 |
| 71 |
GnuPG ID : D1BBFDA0 |
| 72 |
|
| 73 |
|
| 74 |
-----BEGIN PGP SIGNATURE----- |
| 75 |
Version: GnuPG v2.0.17 (GNU/Linux) |
| 76 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ |
| 77 |
|
| 78 |
iF4EAREIAAYFAk/rAj0ACgkQVxOqA9G7/aBlCQD7B0xh96+iVtth0QU/EZeThp9F |
| 79 |
uAiCVAj5OCRW6XgJVIcBAKIDIvU6U172nKz1UC3hUtvDdSNPZYFDysY1EpmDJqTG |
| 80 |
=ND1t |
| 81 |
-----END PGP SIGNATURE----- |
Archives