| 1 |
Hi! |
| 2 |
|
| 3 |
On Wed, Jun 27, 2012 at 02:33:49AM +0200, Francisco Blas Izquierdo Riera (klondike) wrote: |
| 4 |
> > Correct me if I'm wrong, but enabling IPv6 mean needs in supporting two |
| 5 |
> > different routing tables and two different firewalls. |
| 6 |
> Different routing tables maybe but the firewall is still the same, the |
| 7 |
> iptables based one. And with the ipv6 USE you get it. |
| 8 |
|
| 9 |
By "two different firewalls" I mean needs in supporting two different sets |
| 10 |
of firewall rules, one for iptables and second for ip6tables. |
| 11 |
|
| 12 |
> Anyway for this to happen you must (and these are all necessary conditions): |
| 13 |
> * Have an ipv6 route from the attacker to the affected machine |
| 14 |
> * Have ipv6 enable on the kernel. |
| 15 |
> * Have an ipv6 address assigned accesible by the attacker. |
| 16 |
> * Get the attacker to know said address (since bruteforcing the address |
| 17 |
> space is hard to say the least). |
| 18 |
> * Have anything listening on that address (depending on the attack the |
| 19 |
> icmpv6 server could be it but there are other services who listen to |
| 20 |
> ipv6 no matter what you do). |
| 21 |
|
| 22 |
I've no idea how many people have IPv6 enabled in kernel unintentionally, |
| 23 |
but all other conditions in many cases will be satisfied unintentionally: |
| 24 |
* route usually exists between two machines supporting same protocol |
| 25 |
* ipv6 address may be automatically assigned by ISP by dhcp/ppp |
| 26 |
* address may be known using dns/dyndns, also bruteforcing addresses |
| 27 |
provided by same ISP isn't more complicated than bruteforcing IPv4 |
| 28 |
addresses, because ISP usually provide them in same predictable way |
| 29 |
* with ipv6 USE flag enabled many, if not most, daemons will be listening |
| 30 |
on IPv6 address without special configuration by admin |
| 31 |
|
| 32 |
I.e. if you've IPv6 enabled in kernel, and your ISP at some point will |
| 33 |
decide to provide IPv6 addresses, with default USE=ipv6 your system and |
| 34 |
services may become unintentionally accessible by IPv6. |
| 35 |
|
| 36 |
So, only real condition from your list is enable/disable IPv6 in kernel. |
| 37 |
|
| 38 |
> > BTW, is there exists (Gentoo?) guides/howtos which explain these issues |
| 39 |
> > (preferably from "differences from IPv4" point of view) to average admin |
| 40 |
> > who know how to setup IPv4 and know nothing about IPv6, and provide |
| 41 |
> > minimum recommended configuration for IPv6 routing/firewall? I think |
| 42 |
> > enabling IPv6 by default should begins from writing such docs. |
| 43 |
> # ip6tables -A INPUT -j DROP |
| 44 |
> # ip6tables -A OUTPUT -j DROP |
| 45 |
> # ip6tables -A FORWARD -j DROP |
| 46 |
> There you are safe now. |
| 47 |
|
| 48 |
Safe, but don't working. Do you enable ipv6 USE flag just to force people |
| 49 |
to either disable unintentionally enabled IPv6 in kernel and/or add this |
| 50 |
ip6tables configuration? I suppose you enable ipv6 USE flag to make it |
| 51 |
easier for people to start using IPv6. But to use IPv6 these ip6tables |
| 52 |
rules doesn't helps - we really need docs how to setup IPv6 firewall in |
| 53 |
secure way, written by people who not just read IPv6 RFCs, but understood |
| 54 |
all security implications of IPv6-specific features. Last time I tried to |
| 55 |
google for such docs was few years ago, but I found nothing at all. |
| 56 |
|
| 57 |
-- |
| 58 |
WBR, Alex. |
Archives