Hi!

On Wed, Jun 27, 2012 at 02:33:49AM +0200, Francisco Blas Izquierdo Riera (klondike) wrote:
> > Correct me if I'm wrong, but enabling IPv6 means needing to support two
> > different routing tables and two different firewalls.
> Different routing tables maybe, but the firewall is still the same, the
> iptables based one. And with the ipv6 USE you get it.

By "two different firewalls" I mean needing to support two different sets
of firewall rules, one for iptables and a second for ip6tables.

> Anyway for this to happen you must (and these are all necessary conditions):
> * Have an ipv6 route from the attacker to the affected machine
> * Have ipv6 enabled on the kernel.
> * Have an ipv6 address assigned accessible by the attacker.
> * Get the attacker to know said address (since bruteforcing the address
> space is hard to say the least).
> * Have anything listening on that address (depending on the attack the
> icmpv6 server could be it but there are other services who listen to
> ipv6 no matter what you do).

I've no idea how many people have IPv6 enabled in the kernel unintentionally,
but all the other conditions will in many cases be satisfied unintentionally:
* a route usually exists between two machines supporting the same protocol
* an ipv6 address may be automatically assigned by the ISP via dhcp/ppp
* the address may be known via dns/dyndns; also, bruteforcing addresses
provided by the same ISP isn't more complicated than bruteforcing IPv4
addresses, because ISPs usually provide them in the same predictable way
* with the ipv6 USE flag enabled many, if not most, daemons will be listening
on the IPv6 address without special configuration by the admin

I.e. if you've IPv6 enabled in the kernel, and your ISP at some point decides
to provide IPv6 addresses, with default USE=ipv6 your system and
services may become unintentionally accessible over IPv6.

So, the only real condition from your list is enabling/disabling IPv6 in the kernel.

> > BTW, do there exist (Gentoo?) guides/howtos which explain these issues
> > (preferably from a "differences from IPv4" point of view) to the average admin
> > who knows how to set up IPv4 and knows nothing about IPv6, and provide
> > a minimum recommended configuration for IPv6 routing/firewall? I think
> > enabling IPv6 by default should begin with writing such docs.
> # ip6tables -A INPUT -j DROP
> # ip6tables -A OUTPUT -j DROP
> # ip6tables -A FORWARD -j DROP
> There you are safe now.

Safe, but not working. Do you enable the ipv6 USE flag just to force people
to either disable unintentionally enabled IPv6 in the kernel and/or add this
ip6tables configuration? I suppose you enable the ipv6 USE flag to make it
easier for people to start using IPv6. But to use IPv6 these ip6tables
rules don't help - we really need docs on how to set up an IPv6 firewall in
a secure way, written by people who have not just read the IPv6 RFCs, but understood
all the security implications of IPv6-specific features. The last time I tried to
google for such docs was a few years ago, but I found nothing at all.

-- 
WBR, Alex.
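The kind of minimal IPv6 firewall the reply above asks for, added here as an example and not part of the thread: it keeps the default-DROP stance of the quoted ip6tables rules but admits the ICMPv6 and Neighbour Discovery traffic IPv6 needs to function (RFC 4890 guidance), so the host stays usable without being open. It assumes ip6tables with the conntrack, hl and rt matches, SSH (TCP/22) as the one service to expose, and a DHCPv6 client on the host.

```shell
#!/bin/sh
# Added example, not from the thread: a default-DROP ip6tables ruleset that
# still lets IPv6 itself work (RFC 4890 ICMPv6 filtering guidance).
# Assumed: ip6tables with the conntrack, hl and rt matches; SSH (TCP/22)
# is the one service to expose; the host runs a DHCPv6 client.

# Print the ruleset in ip6tables-restore format; apply with:
#   ipv6_baseline_rules | ip6tables-restore
ipv6_baseline_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections this host opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Type 0 routing header, deprecated by RFC 5095.
-A INPUT -m rt --rt-type 0 -j DROP
# ICMPv6 errors: without these, Path MTU discovery breaks.
-A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# Neighbour Discovery is link-local only: hop limit must still be 255.
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
# MLD queries from the local link (so solicited-node multicast keeps working).
-A INPUT -s fe80::/10 -p icmpv6 --icmpv6-type 130 -j ACCEPT
# Ping, rate limited, so reachability can still be tested.
-A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 5/s -j ACCEPT
# DHCPv6 server/relay replies arrive from a link-local address.
-A INPUT -s fe80::/10 -p udp --dport 546 -j ACCEPT
# The only service deliberately exposed over IPv6.
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Apply only on explicit request; by default just print for review.
if [ "${1:-}" = "--apply" ]; then
    ipv6_baseline_rules | ip6tables-restore
else
    ipv6_baseline_rules
fi
```

Review the printed rules first, then run the script with `--apply` as root; `ip6tables-restore` replaces the whole filter table atomically, so the host is never left half-configured.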