| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA256 |
| 3 |
|
| 4 |
On 06/27/2012 03:19 AM, Alex Efros wrote: |
| 5 |
> Hi! |
| 6 |
> |
| 7 |
> On Wed, Jun 27, 2012 at 02:33:49AM +0200, Francisco Blas Izquierdo |
| 8 |
> Riera (klondike) wrote: |
| 9 |
>>> Correct me if I'm wrong, but enabling IPv6 mean needs in |
| 10 |
>>> supporting two different routing tables and two different |
| 11 |
>>> firewalls. |
| 12 |
>> Different routing tables maybe but the firewall is still the |
| 13 |
>> same, the iptables based one. And with the ipv6 USE you get it. |
| 14 |
> |
| 15 |
> By "two different firewalls" I mean needs in supporting two |
| 16 |
> different sets of firewall rules, one for iptables and second for |
| 17 |
> ip6tables. |
| 18 |
> |
| 19 |
>> Anyway for this to happen you must (and these are all necessary |
| 20 |
>> conditions): * Have an ipv6 route from the attacker to the |
| 21 |
>> affected machine * Have ipv6 enable on the kernel. * Have an ipv6 |
| 22 |
>> address assigned accesible by the attacker. * Get the attacker to |
| 23 |
>> know said address (since bruteforcing the address space is hard |
| 24 |
>> to say the least). * Have anything listening on that address |
| 25 |
>> (depending on the attack the icmpv6 server could be it but there |
| 26 |
>> are other services who listen to ipv6 no matter what you do). |
| 27 |
> |
| 28 |
> I've no idea how many people have IPv6 enabled in kernel |
| 29 |
> unintentionally, but all other conditions in many cases will be |
| 30 |
> satisfied unintentionally: * route usually exists between two |
| 31 |
> machines supporting same protocol * ipv6 address may be |
| 32 |
> automatically assigned by ISP by dhcp/ppp * address may be known |
| 33 |
> using dns/dyndns, also bruteforcing addresses provided by same ISP |
| 34 |
> isn't more complicated than bruteforcing IPv4 addresses, because |
| 35 |
> ISP usually provide them in same predictable way * with ipv6 USE |
| 36 |
> flag enabled many, if not most, daemons will be listening on IPv6 |
| 37 |
> address without special configuration by admin |
| 38 |
> |
| 39 |
> I.e. if you've IPv6 enabled in kernel, and your ISP at some point |
| 40 |
> will decide to provide IPv6 addresses, with default USE=ipv6 your |
| 41 |
> system and services may become unintentionally accessible by IPv6. |
| 42 |
> |
| 43 |
> So, only real condition from your list is enable/disable IPv6 in |
| 44 |
> kernel. |
| 45 |
> |
| 46 |
>>> BTW, is there exists (Gentoo?) guides/howtos which explain |
| 47 |
>>> these issues (preferably from "differences from IPv4" point of |
| 48 |
>>> view) to average admin who know how to setup IPv4 and know |
| 49 |
>>> nothing about IPv6, and provide minimum recommended |
| 50 |
>>> configuration for IPv6 routing/firewall? I think enabling IPv6 |
| 51 |
>>> by default should begins from writing such docs. |
| 52 |
>> # ip6tables -A INPUT -j DROP # ip6tables -A OUTPUT -j DROP # |
| 53 |
>> ip6tables -A FORWARD -j DROP There you are safe now. |
| 54 |
> |
| 55 |
> Safe, but don't working. Do you enable ipv6 USE flag just to force |
| 56 |
> people to either disable unintentionally enabled IPv6 in kernel |
| 57 |
> and/or add this ip6tables configuration? I suppose you enable ipv6 |
| 58 |
> USE flag to make it easier for people to start using IPv6. But to |
| 59 |
> use IPv6 these ip6tables rules doesn't helps - we really need docs |
| 60 |
> how to setup IPv6 firewall in secure way, written by people who not |
| 61 |
> just read IPv6 RFCs, but understood all security implications of |
| 62 |
> IPv6-specific features. Last time I tried to google for such docs |
| 63 |
> was few years ago, but I found nothing at all. |
| 64 |
> |
| 65 |
|
| 66 |
Those who have IPv6 enabled in the kernel unintentionally probably |
| 67 |
aren't very security minded and probably aren't using Hardened. |
| 68 |
They're moot. We cannot help reckless individuals. |
| 69 |
|
| 70 |
As far as I've seen with the ip6tables, the rules are the same. They |
| 71 |
work the same way as iptables. There's just a bit of an accent to some |
| 72 |
rules, which is usually the appending of '6',(e.g., icmp6 instead of |
| 73 |
icmp). |
| 74 |
|
| 75 |
- -- |
| 76 |
Mr. Aaron W. Swenson |
| 77 |
Gentoo Linux Developer |
| 78 |
Email : titanofold@g.o |
| 79 |
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0 |
| 80 |
GnuPG ID : D1BBFDA0 |
| 81 |
|
| 82 |
|
| 83 |
-----BEGIN PGP SIGNATURE----- |
| 84 |
Version: GnuPG v2.0.17 (GNU/Linux) |
| 85 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ |
| 86 |
|
| 87 |
iF4EAREIAAYFAk/rBHwACgkQVxOqA9G7/aA8mgD/SWOUViEekO2gFkfujne+K/1v |
| 88 |
vJNrYSXaq/qEBdmTUj4A/jPU/0lROjqprvZ7YOb+kgYAFVof7OIRs0kEZYiDyI0l |
| 89 |
=MCdd |
| 90 |
-----END PGP SIGNATURE----- |
Archives