Mailing List Archive

On 06/25/2012 06:08 AM, Anthony G. Basile wrote:
> Hi everyone,
>
> We visited this issue during the first ipv6 global day and I asked the
> masses: do you want ipv6 on by default or not. There was lots of back
> and forth and since it was only a question of default, I left the status
> quo, which is off by default.
>
> But now the ipv6 pressures mount! Diego has made a good argument that
> deploying hardened in an ipv6 only environment is a real pita. You
> can't get the goodies you need to bootstrap into an ipv6 only
> environment. With the growth in ipv6, I think it is time.
>
> I'm alerting users so that you can make whatever changes you like to
> ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
> default ipv6 on all hardened profiles.
>
>
I use ipv6 on all my servers (not that everyone does). We will have to
enable it eventually, sooner is probably better then later I think.

--
-- Matthew Thode (prometheanfire)

On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
> I use ipv6 on all my servers (not that everyone does). We will have to
> enable it eventually, sooner is probably better then later I think.

It's a default, users can still opt-out, so I don't really mind, but we
might want to keep changes on these defaults to a minimum time-wise, not? I
mean, if we now enable ipv6 default (btw, shouldn't that be on the parent
profiles instead?) and then later ldap, and then ... right next to "stage"
these changes for 6 months and do them all at once?

Wkr,
Sven Vermeulen

On 06/25/2012 09:37 AM, Sven Vermeulen wrote:
> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
>> I use ipv6 on all my servers (not that everyone does). We will have to
>> enable it eventually, sooner is probably better then later I think.
>
> It's a default, users can still opt-out, so I don't really mind, but we
> might want to keep changes on these defaults to a minimum time-wise, not? I
> mean, if we now enable ipv6 default (btw, shouldn't that be on the parent
> profiles instead?) and then later ldap, and then ... right next to "stage"
> these changes for 6 months and do them all at once?
>
> Wkr,
> Sven Vermeulen
>
Ya, it probably should be on the parent profile, didn't we explicitly
disable it (or was it something else) for hardened though?

--
-- Matthew Thode (prometheanfire)

Hi!

On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
> > I'm alerting users so that you can make whatever changes you like to
> > ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
> > default ipv6 on all hardened profiles.
> I use ipv6 on all my servers (not that everyone does). We will have to
> enable it eventually, sooner is probably better then later I think.

Correct me if I'm wrong, but enabling IPv6 mean needs in supporting two
different routing tables and two different firewalls. Also, I suppose
enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
may (and probably will!) result in creating new security holes until admin
will develop IPv6 firewall rules similar to existing IPv4 firewall rules.
And I suppose just trying to duplicate existing rules as is won't be
enough because of new IPv6-specific features, which is absent in IPv4,
and which should be additionally blocked/enabled too.

If I'm right (about creating new security holes because of enabling ipv6
USE flag) then it may be bad idea to enable it by default until we'll be
sure admin is ready for this (for example, we may check is IPv6 enabled in
kernel and is there exists IPv6 firewall rules).

BTW, is there exists (Gentoo?) guides/howtos which explain these issues
(preferably from "differences from IPv4" point of view) to average admin
who know how to setup IPv4 and know nothing about IPv6, and provide
minimum recommended configuration for IPv6 routing/firewall? I think
enabling IPv6 by default should begins from writing such docs.

--
WBR, Alex.

On 06/25/2012 10:03 PM, Alex Efros wrote:
> Hi!
>
> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
>>> I'm alerting users so that you can make whatever changes you like to
>>> ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
>>> default ipv6 on all hardened profiles.
>> I use ipv6 on all my servers (not that everyone does). We will have to
>> enable it eventually, sooner is probably better then later I think.
>
> Correct me if I'm wrong, but enabling IPv6 mean needs in supporting two
> different routing tables and two different firewalls. Also, I suppose
> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
> may (and probably will!) result in creating new security holes until admin
> will develop IPv6 firewall rules similar to existing IPv4 firewall rules.
> And I suppose just trying to duplicate existing rules as is won't be
> enough because of new IPv6-specific features, which is absent in IPv4,
> and which should be additionally blocked/enabled too.
>
> If I'm right (about creating new security holes because of enabling ipv6
> USE flag) then it may be bad idea to enable it by default until we'll be
> sure admin is ready for this (for example, we may check is IPv6 enabled in
> kernel and is there exists IPv6 firewall rules).
>
> BTW, is there exists (Gentoo?) guides/howtos which explain these issues
> (preferably from "differences from IPv4" point of view) to average admin
> who know how to setup IPv4 and know nothing about IPv6, and provide
> minimum recommended configuration for IPv6 routing/firewall? I think
> enabling IPv6 by default should begins from writing such docs.
>
You do run into these issues, I think we need to do a news thing for the
hardened profiles if we go ahead and enable it.

--
-- Matthew Thode (prometheanfire)

On 06/25/12 23:03, Alex Efros wrote:
>
> Correct me if I'm wrong, but enabling IPv6 mean needs in supporting two
> different routing tables and two different firewalls. Also, I suppose
> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
> may (and probably will!) result in creating new security holes until admin
> will develop IPv6 firewall rules similar to existing IPv4 firewall rules.
> And I suppose just trying to duplicate existing rules as is won't be
> enough because of new IPv6-specific features, which is absent in IPv4,
> and which should be additionally blocked/enabled too.

This is where I'm at -- being in the USA, I'll probably be long dead
before our upstream supports ipv6. I don't even know enough about ipv6
to know what I don't know, so the only safe course is to have it disabled.

It's easy enough to set USE="-ipv6" manually of course, but the same
argument works for USE="ipv6". So, I think the default should be what
most people want; i.e. what the fewest people will have to override. Do
most hardened machines use ipv6?

On Jun 25, 2012, at 10:43 PM, Michael Orlitzky <michael@orlitzky.com> wrote:

> On 06/25/12 23:03, Alex Efros wrote:
>>
>> Correct me if I'm wrong, but enabling IPv6 mean needs in supporting two
>> different routing tables and two different firewalls. Also, I suppose
>> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
>> may (and probably will!) result in creating new security holes until admin
>> will develop IPv6 firewall rules similar to existing IPv4 firewall rules.
>> And I suppose just trying to duplicate existing rules as is won't be
>> enough because of new IPv6-specific features, which is absent in IPv4,
>> and which should be additionally blocked/enabled too.
>
> This is where I'm at -- being in the USA, I'll probably be long dead
> before our upstream supports ipv6. I don't even know enough about ipv6
> to know what I don't know, so the only safe course is to have it disabled.
>
> It's easy enough to set USE="-ipv6" manually of course, but the same
> argument works for USE="ipv6". So, I think the default should be what
> most people want; i.e. what the fewest people will have to override. Do
> most hardened machines use
As an end user of hardened working in a California educational institution I note that my institution doesn't yet have either firewall or router rules stabilized for ipv6 yet and don't expect them for probably another 6 months so whatever is decided it will be off on the servers I administer.
Alex makes good points about the lack of expertise in ipv6 firewalls. Having ipv6 on by default would seem to be going against the spirit of the hardened profile since it opens systems to new attack vectors created unwittingly.

Enable ipv6 use flag and disable ipv6 in /etc/sysctl.conf?
- no scary (j/k) ipv6 enabled by default
- ipv6 enabled in a matter of seconds without need for an internet
connection

The news item and a word about the sysctl thing in the docs would be good.

On 06/26/2012 03:38 AM, Darknight wrote:
> Enable ipv6 use flag and disable ipv6 in /etc/sysctl.conf?
> - no scary (j/k) ipv6 enabled by default
> - ipv6 enabled in a matter of seconds without need for an internet
> connection
>
> The news item and a word about the sysctl thing in the docs would be good.
>

Does this actually work, or does it cause half of the software compiled
with USE="ipv6" to crash?

Also, I don't think it's much easier than setting USE="-ipv6" =)

Il 26/06/2012 09:49, Michael Orlitzky ha scritto:
> On 06/26/2012 03:38 AM, Darknight wrote:
>> Enable ipv6 use flag and disable ipv6 in /etc/sysctl.conf?
>> - no scary (j/k) ipv6 enabled by default
>> - ipv6 enabled in a matter of seconds without need for an internet
>> connection
>>
>> The news item and a word about the sysctl thing in the docs would be good.
>>
>
> Does this actually work, or does it cause half of the software compiled
> with USE="ipv6" to crash?

I vaguely remember something quirky about those sysctl settings but no
crashes.

> Also, I don't think it's much easier than setting USE="-ipv6" =)

It's slightly different, I agree, but those that don't like ipv6 on by
default may appreciate it.

> BTW, is there exists (Gentoo?) guides/howtos which explain these issues
> (preferably from "differences from IPv4" point of view) to average admin
> who know how to setup IPv4 and know nothing about IPv6,

There was a recent presentation (not gentoo) about security issues in
ipv6 and it was extensive.

I presume the issue is having ipv6 to install so it should be enabled
why not offer an easy disable option or question to minimse the window
of opportunity, perhaps pre-emptive for net install.

Personally when disabling ipv6 I choose the module removal or
blacklisting, assuming you don't use it locally or it falls back to
ipv4.

--
________________________________________________________

Why not do something good every day and install BOINC.
________________________________________________________

El 26/06/12 05:03, Alex Efros escribió:
> Hi!
Hi!
> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
>>> I'm alerting users so that you can make whatever changes you like to
>>> ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
>>> default ipv6 on all hardened profiles.
>> I use ipv6 on all my servers (not that everyone does). We will have to
>> enable it eventually, sooner is probably better then later I think.
> Correct me if I'm wrong, but enabling IPv6 mean needs in supporting two
> different routing tables and two different firewalls.
Different routing tables maybe but the firewall is still the same, the
iptables based one. And with the ipv6 USE you get it.
> Also, I suppose
> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
> may (and probably will!) result in creating new security holes until admin
> will develop IPv6 firewall rules similar to existing IPv4 firewall rules.
The use has little to nothing to see with this, the ipv6 is not a magic
use flag that necessarily works with all packages, it only does it with
those that have it. Other may just not have an option to disable ipv6.
Anyway for this to happen you must (and these are all necessary conditions):
* Have an ipv6 route from the attacker to the affected machine
* Have ipv6 enable on the kernel.
* Have an ipv6 address assigned accesible by the attacker.
* Get the attacker to know said address (since bruteforcing the address
space is hard to say the least).
* Have anything listening on that address (depending on the attack the
icmpv6 server could be it but there are other services who listen to
ipv6 no matter what you do).

If one of them doesn't hold the risk is not much more than the risk some
uncalled code can provide which is still not much.
> And I suppose just trying to duplicate existing rules as is won't be
> enough because of new IPv6-specific features, which is absent in IPv4,
> and which should be additionally blocked/enabled too.
This depends a lot on which rules you have. In general it is more about
the address block than anything else.
> If I'm right (about creating new security holes because of enabling ipv6
> USE flag) then it may be bad idea to enable it by default until we'll be
> sure admin is ready for this (for example, we may check is IPv6 enabled in
> kernel and is there exists IPv6 firewall rules).
You are mostly wrong, the only issue I can think of is if you enabled
ipv6 on the kernel in which case you are probably fucked since daemons
may be listening there anyway even before the change.
> BTW, is there exists (Gentoo?) guides/howtos which explain these issues
> (preferably from "differences from IPv4" point of view) to average admin
> who know how to setup IPv4 and know nothing about IPv6, and provide
> minimum recommended configuration for IPv6 routing/firewall? I think
> enabling IPv6 by default should begins from writing such docs.
# ip6tables -A INPUT -j DROP
# ip6tables -A OUTPUT -j DROP
# ip6tables -A FORWARD -j DROP
There you are safe now.

El 26/06/12 07:43, Michael Orlitzky escribió:
> It's easy enough to set USE="-ipv6" manually of course, but the same
> argument works for USE="ipv6". So, I think the default should be what
> most people want; i.e. what the fewest people will have to override. Do
> most hardened machines use ipv6?
These here is a nice fallacy it is called Argumentum ad Populum and
doesn't stands. Why? Because these is about having an usable system.
If you disable ipv6 on the profiles users on ipv6 only systems can't
then use the stages since they need to fetch system to rebuild the
packages and for that they need ipv6. So, since from a functionality
point of view enabling it won't leave on an unusable system after
unpacking the stage to users of either ipv4 or dual stack systems the
USE will be on.

We are not shoving anything through people's throats anyway you can
always disable it and you probably will since you must be a really bad
hardened system administrator if you don't recheck
the default USE flags before proceeding with the installation.

El 26/06/12 08:26, Jonny Kent escribió:
>
> On Jun 25, 2012, at 10:43 PM, Michael Orlitzky <michael@orlitzky.com> wrote:
>
>> On 06/25/12 23:03, Alex Efros wrote:
>>> Correct me if I'm wrong, but enabling IPv6 mean needs in supporting two
>>> different routing tables and two different firewalls. Also, I suppose
>>> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
>>> may (and probably will!) result in creating new security holes until admin
>>> will develop IPv6 firewall rules similar to existing IPv4 firewall rules.
>>> And I suppose just trying to duplicate existing rules as is won't be
>>> enough because of new IPv6-specific features, which is absent in IPv4,
>>> and which should be additionally blocked/enabled too.
>> This is where I'm at -- being in the USA, I'll probably be long dead
>> before our upstream supports ipv6. I don't even know enough about ipv6
>> to know what I don't know, so the only safe course is to have it disabled.
>>
>> It's easy enough to set USE="-ipv6" manually of course, but the same
>> argument works for USE="ipv6". So, I think the default should be what
>> most people want; i.e. what the fewest people will have to override. Do
>> most hardened machines use
> As an end user of hardened working in a California educational institution I note that my institution doesn't yet have either firewall or router rules stabilized for ipv6 yet and don't expect them for probably another 6 months so whatever is decided it will be off on the servers I administer.
> Alex makes good points about the lack of expertise in ipv6 firewalls. Having ipv6 on by default would seem to be going against the spirit of the hardened profile since it opens systems to new attack vectors created unwittingly.
I have to disagree here, the hardened spirit is way more as described in
the Project Description at http://www.gentoo.org/proj/en/hardened/
>
> Hardened Gentoo is a project which oversees the research,
> implementation, and maintenance of security oriented projects for
> Gentoo Linux. We are a team of very competent individuals dedicated to
> bring advanced security to Gentoo with a number of subprojects.
>
Since ipv6 brings new security features to its users (like larger
address spaces making port scans over the network much harder) it
doesn't make sense to complicate the life to the people wanting to use
it on a hardened system for the sake of an negligible security risks
(larger text sections on some programs). This is manily because if you
don't want ipv6 you'll not enable it on the kernel anyway since by doing
so your stack will be exposed.

El 26/06/12 09:38, Darknight escribió:
> Enable ipv6 use flag and disable ipv6 in /etc/sysctl.conf?
> - no scary (j/k) ipv6 enabled by default
> - ipv6 enabled in a matter of seconds without need for an internet
> connection
>
> The news item and a word about the sysctl thing in the docs would be
> good.
We'll not get a news item, the change is easily noticeable when
upgrading with emerge.

I'll send a small announcement to gentoo-user, twitt about it on the
twitter account and let it
on the chat channel topic for a while. But if you find it can be added
to any of the existing docs,
or feel like writing your own doc, don't hesitate to say so, doc writers
are needed and welcome here.

Hi!

On Wed, Jun 27, 2012 at 02:33:49AM +0200, Francisco Blas Izquierdo Riera (klondike) wrote:
> > Correct me if I'm wrong, but enabling IPv6 mean needs in supporting two
> > different routing tables and two different firewalls.
> Different routing tables maybe but the firewall is still the same, the
> iptables based one. And with the ipv6 USE you get it.

By "two different firewalls" I mean needs in supporting two different sets
of firewall rules, one for iptables and second for ip6tables.

> Anyway for this to happen you must (and these are all necessary conditions):
> * Have an ipv6 route from the attacker to the affected machine
> * Have ipv6 enable on the kernel.
> * Have an ipv6 address assigned accesible by the attacker.
> * Get the attacker to know said address (since bruteforcing the address
> space is hard to say the least).
> * Have anything listening on that address (depending on the attack the
> icmpv6 server could be it but there are other services who listen to
> ipv6 no matter what you do).

I've no idea how many people have IPv6 enabled in kernel unintentionally,
but all other conditions in many cases will be satisfied unintentionally:
* route usually exists between two machines supporting same protocol
* ipv6 address may be automatically assigned by ISP by dhcp/ppp
* address may be known using dns/dyndns, also bruteforcing addresses
provided by same ISP isn't more complicated than bruteforcing IPv4
addresses, because ISP usually provide them in same predictable way
* with ipv6 USE flag enabled many, if not most, daemons will be listening
on IPv6 address without special configuration by admin

I.e. if you've IPv6 enabled in kernel, and your ISP at some point will
decide to provide IPv6 addresses, with default USE=ipv6 your system and
services may become unintentionally accessible by IPv6.

So, only real condition from your list is enable/disable IPv6 in kernel.

> > BTW, is there exists (Gentoo?) guides/howtos which explain these issues
> > (preferably from "differences from IPv4" point of view) to average admin
> > who know how to setup IPv4 and know nothing about IPv6, and provide
> > minimum recommended configuration for IPv6 routing/firewall? I think
> > enabling IPv6 by default should begins from writing such docs.
> # ip6tables -A INPUT -j DROP
> # ip6tables -A OUTPUT -j DROP
> # ip6tables -A FORWARD -j DROP
> There you are safe now.

Safe, but don't working. Do you enable ipv6 USE flag just to force people
to either disable unintentionally enabled IPv6 in kernel and/or add this
ip6tables configuration? I suppose you enable ipv6 USE flag to make it
easier for people to start using IPv6. But to use IPv6 these ip6tables
rules doesn't helps - we really need docs how to setup IPv6 firewall in
secure way, written by people who not just read IPv6 RFCs, but understood
all security implications of IPv6-specific features. Last time I tried to
google for such docs was few years ago, but I found nothing at all.

--
WBR, Alex.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 27.06.2012 09:19, Alex Efros wrote:
> Hi!
>
<SNIP>
>> # ip6tables -A INPUT -j DROP # ip6tables -A OUTPUT -j DROP #
>> ip6tables -A FORWARD -j DROP There you are safe now.
>
> Safe, but don't working. Do you enable ipv6 USE flag just to force
> people to either disable unintentionally enabled IPv6 in kernel
> and/or add this ip6tables configuration? I suppose you enable ipv6
> USE flag to make it easier for people to start using IPv6. But to
> use IPv6 these ip6tables rules doesn't helps - we really need docs
> how to setup IPv6 firewall in secure way, written by people who not
> just read IPv6 RFCs, but understood all security implications of
> IPv6-specific features. Last time I tried to google for such docs
> was few years ago, but I found nothing at all.
>

I think firewall-config is a mystery to many people. But you're right:
good documentation would be nice!

Concerning the ipv6-USEFLAG: Since there may be packages with no
compile-time option or packages which have one but with ebuilds that
don't use it there is only one option to be safe: disable it in your
kernelconfig.

Just thinking "No USEFLAG equals security" is simply wrong and even
adds a layer of obfuscation where you may think that you're safe while
you aren't.

I think it doesn't matter security-wise if ipv6 is enabled or disabled
by default because you have to disable it inside the kernel to be on
the safe side.

WKR
Hinnerk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP6rYaAAoJEJwwOFaNFkYcwIMH/A5mNGg2EClgS4f/YTsvmuyq
vQvzcrh56/zob2Qf7OHFNvTWSXcyu70nqkuuce1qg0Je/oMsGJoewz+0xSbIoX1I
/S+dWHHCaUJQMZc+w8rhjh7Rvl3zBm32lja9bmBCLDfsbXiPXHfIpj/LIcOEEHsN
Tn2+ntkjQIE3ehMjmO/Ke7w5XuSokP4yDzmeSZ0q7soTVWCIrMU1YB+Flyx11qnl
2g1focGTQm5n8TDjopbsppM5l4jodFeWW2eaH9Fgy2J21kQEUFqammvfbI8+nI89
J/+Idvge/0s9ToKACziY6Z6XT4CnKl0+pQhDjJjl6W3wV6ZQVRZxi+e9rkzEmUo=
=O/Bt
-----END PGP SIGNATURE-----

On 06/25/2012 11:03 PM, Alex Efros wrote:
> Hi!
>
> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
>>> I'm alerting users so that you can make whatever changes you like to
>>> ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
>>> default ipv6 on all hardened profiles.
>> I use ipv6 on all my servers (not that everyone does). We will have to
>> enable it eventually, sooner is probably better then later I think.
>
> Correct me if I'm wrong, but enabling IPv6 mean needs in supporting two
> different routing tables and two different firewalls. Also, I suppose
> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
> may (and probably will!) result in creating new security holes until admin
> will develop IPv6 firewall rules similar to existing IPv4 firewall rules.
> And I suppose just trying to duplicate existing rules as is won't be
> enough because of new IPv6-specific features, which is absent in IPv4,
> and which should be additionally blocked/enabled too.
>
> If I'm right (about creating new security holes because of enabling ipv6
> USE flag) then it may be bad idea to enable it by default until we'll be
> sure admin is ready for this (for example, we may check is IPv6 enabled in
> kernel and is there exists IPv6 firewall rules).
>
> BTW, is there exists (Gentoo?) guides/howtos which explain these issues
> (preferably from "differences from IPv4" point of view) to average admin
> who know how to setup IPv4 and know nothing about IPv6, and provide
> minimum recommended configuration for IPv6 routing/firewall? I think
> enabling IPv6 by default should begins from writing such docs.
>

Please opt out. USE="-ipv6" in /etc/make.conf

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

On 06/26/2012 03:49 AM, Michael Orlitzky wrote:
> On 06/26/2012 03:38 AM, Darknight wrote:
>> Enable ipv6 use flag and disable ipv6 in /etc/sysctl.conf?
>> - no scary (j/k) ipv6 enabled by default
>> - ipv6 enabled in a matter of seconds without need for an internet
>> connection
>>
>> The news item and a word about the sysctl thing in the docs would be good.
>>
>
> Does this actually work, or does it cause half of the software compiled
> with USE="ipv6" to crash?
>
> Also, I don't think it's much easier than setting USE="-ipv6" =)

Those who need to bootstap out of a stage3 in an ipv6 only env need
USE="ipv6" by default. Please opt out with USE="-ipv6" if you don't
want it.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06/26/2012 08:33 PM, Francisco Blas Izquierdo Riera (klondike) wrote:
> El 26/06/12 05:03, Alex Efros escribió:
>> Hi!
> Hi!
>> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
>>>> I'm alerting users so that you can make whatever changes you
>>>> like to ipv6 in your /etc/make.conf. In about 24 hours I
>>>> will turn on by default ipv6 on all hardened profiles.
>>> I use ipv6 on all my servers (not that everyone does). We will
>>> have to enable it eventually, sooner is probably better then
>>> later I think.
>> Correct me if I'm wrong, but enabling IPv6 mean needs in
>> supporting two different routing tables and two different
>> firewalls.
> Different routing tables maybe but the firewall is still the same,
> the iptables based one. And with the ipv6 USE you get it.
>> Also, I suppose enabling IPv6 on any server/router with
>> non-trivial IPv4 firewall rules may (and probably will!) result
>> in creating new security holes until admin will develop IPv6
>> firewall rules similar to existing IPv4 firewall rules.
> The use has little to nothing to see with this, the ipv6 is not a
> magic use flag that necessarily works with all packages, it only
> does it with those that have it. Other may just not have an option
> to disable ipv6. Anyway for this to happen you must (and these are
> all necessary conditions): * Have an ipv6 route from the attacker
> to the affected machine * Have ipv6 enable on the kernel. * Have an
> ipv6 address assigned accesible by the attacker. * Get the attacker
> to know said address (since bruteforcing the address space is hard
> to say the least). * Have anything listening on that address
> (depending on the attack the icmpv6 server could be it but there
> are other services who listen to ipv6 no matter what you do).
>
> If one of them doesn't hold the risk is not much more than the risk
> some uncalled code can provide which is still not much.
>> And I suppose just trying to duplicate existing rules as is won't
>> be enough because of new IPv6-specific features, which is absent
>> in IPv4, and which should be additionally blocked/enabled too.
> This depends a lot on which rules you have. In general it is more
> about the address block than anything else.
>> If I'm right (about creating new security holes because of
>> enabling ipv6 USE flag) then it may be bad idea to enable it by
>> default until we'll be sure admin is ready for this (for example,
>> we may check is IPv6 enabled in kernel and is there exists IPv6
>> firewall rules).
> You are mostly wrong, the only issue I can think of is if you
> enabled ipv6 on the kernel in which case you are probably fucked
> since daemons may be listening there anyway even before the
> change.
>> BTW, is there exists (Gentoo?) guides/howtos which explain these
>> issues (preferably from "differences from IPv4" point of view) to
>> average admin who know how to setup IPv4 and know nothing about
>> IPv6, and provide minimum recommended configuration for IPv6
>> routing/firewall? I think enabling IPv6 by default should begins
>> from writing such docs.
> # ip6tables -A INPUT -j DROP # ip6tables -A OUTPUT -j DROP #
> ip6tables -A FORWARD -j DROP There you are safe now.
>
This is almost what I wrote to send to the list, but decided to wait a
day and sleep on it. But mine had more pepper in it.

- - Aaron

- --
Mr. Aaron W. Swenson
Gentoo Linux Developer
Email : titanofold@gentoo.org
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
GnuPG ID : D1BBFDA0


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk/rAj0ACgkQVxOqA9G7/aBlCQD7B0xh96+iVtth0QU/EZeThp9F
uAiCVAj5OCRW6XgJVIcBAKIDIvU6U172nKz1UC3hUtvDdSNPZYFDysY1EpmDJqTG
=ND1t
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06/27/2012 03:19 AM, Alex Efros wrote:
> Hi!
>
> On Wed, Jun 27, 2012 at 02:33:49AM +0200, Francisco Blas Izquierdo
> Riera (klondike) wrote:
>>> Correct me if I'm wrong, but enabling IPv6 mean needs in
>>> supporting two different routing tables and two different
>>> firewalls.
>> Different routing tables maybe but the firewall is still the
>> same, the iptables based one. And with the ipv6 USE you get it.
>
> By "two different firewalls" I mean needs in supporting two
> different sets of firewall rules, one for iptables and second for
> ip6tables.
>
>> Anyway for this to happen you must (and these are all necessary
>> conditions): * Have an ipv6 route from the attacker to the
>> affected machine * Have ipv6 enable on the kernel. * Have an ipv6
>> address assigned accesible by the attacker. * Get the attacker to
>> know said address (since bruteforcing the address space is hard
>> to say the least). * Have anything listening on that address
>> (depending on the attack the icmpv6 server could be it but there
>> are other services who listen to ipv6 no matter what you do).
>
> I've no idea how many people have IPv6 enabled in kernel
> unintentionally, but all other conditions in many cases will be
> satisfied unintentionally: * route usually exists between two
> machines supporting same protocol * ipv6 address may be
> automatically assigned by ISP by dhcp/ppp * address may be known
> using dns/dyndns, also bruteforcing addresses provided by same ISP
> isn't more complicated than bruteforcing IPv4 addresses, because
> ISP usually provide them in same predictable way * with ipv6 USE
> flag enabled many, if not most, daemons will be listening on IPv6
> address without special configuration by admin
>
> I.e. if you've IPv6 enabled in kernel, and your ISP at some point
> will decide to provide IPv6 addresses, with default USE=ipv6 your
> system and services may become unintentionally accessible by IPv6.
>
> So, only real condition from your list is enable/disable IPv6 in
> kernel.
>
>>> BTW, is there exists (Gentoo?) guides/howtos which explain
>>> these issues (preferably from "differences from IPv4" point of
>>> view) to average admin who know how to setup IPv4 and know
>>> nothing about IPv6, and provide minimum recommended
>>> configuration for IPv6 routing/firewall? I think enabling IPv6
>>> by default should begins from writing such docs.
>> # ip6tables -A INPUT -j DROP # ip6tables -A OUTPUT -j DROP #
>> ip6tables -A FORWARD -j DROP There you are safe now.
>
> Safe, but don't working. Do you enable ipv6 USE flag just to force
> people to either disable unintentionally enabled IPv6 in kernel
> and/or add this ip6tables configuration? I suppose you enable ipv6
> USE flag to make it easier for people to start using IPv6. But to
> use IPv6 these ip6tables rules doesn't helps - we really need docs
> how to setup IPv6 firewall in secure way, written by people who not
> just read IPv6 RFCs, but understood all security implications of
> IPv6-specific features. Last time I tried to google for such docs
> was few years ago, but I found nothing at all.
>

Those who have IPv6 enabled in the kernel unintentionally probably
aren't very security minded and probably aren't using Hardened.
They're moot. We cannot help reckless individuals.

As far as I've seen with the ip6tables, the rules are the same. They
work the same way as iptables. There's just a bit of an accent to some
rules, which is usually the appending of '6',(e.g., icmp6 instead of
icmp).

- --
Mr. Aaron W. Swenson
Gentoo Linux Developer
Email : titanofold@gentoo.org
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
GnuPG ID : D1BBFDA0


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk/rBHwACgkQVxOqA9G7/aA8mgD/SWOUViEekO2gFkfujne+K/1v
vJNrYSXaq/qEBdmTUj4A/jPU/0lROjqprvZ7YOb+kgYAFVof7OIRs0kEZYiDyI0l
=MCdd
-----END PGP SIGNATURE-----

> Those who have IPv6 enabled in the kernel unintentionally probably
> aren't very security minded and probably aren't using Hardened.
> They're moot. We cannot help reckless individuals.

Funny how you call most of the population reckless but I guess you mean
in the context of hardened and it's probably true in terms or
computer security.

I dug out that presentation.

http://www.hackingipv6networks.com/past-trainings/hip2011-hacking-ipv6-networks.pdf

--
________________________________________________________

Why not do something good every day and install BOINC.
________________________________________________________

On 06/26/12 20:42, Francisco Blas Izquierdo Riera (klondike) wrote:
> El 26/06/12 07:43, Michael Orlitzky escribió:
>> It's easy enough to set USE="-ipv6" manually of course, but the same
>> argument works for USE="ipv6". So, I think the default should be what
>> most people want; i.e. what the fewest people will have to override. Do
>> most hardened machines use ipv6?
> These here is a nice fallacy it is called Argumentum ad Populum and
> doesn't stands. Why? Because these is about having an usable system.
> If you disable ipv6 on the profiles users on ipv6 only systems can't
> then use the stages since they need to fetch system to rebuild the
> packages and for that they need ipv6. So, since from a functionality
> point of view enabling it won't leave on an unusable system after
> unpacking the stage to users of either ipv4 or dual stack systems the
> USE will be on.

I'm not using "most people..." to support my argument; "most people
don't use ipv6" *is* my argument, so it's hardly a fallacy. The defaults
should be what cause the least amount of pain to the fewest people.

Anyway, I think I missed this earlier, and it makes the point moot: if
the hardened stages *must* be built with the default USE flags, then
ipv6 should be on. If they must, I think that's probably not ideal but
orthogonal to the current discussion.

El 27/06/12 09:19, Alex Efros escribió:
> Safe, but don't working. Do you enable ipv6 USE flag just to force people
> to either disable unintentionally enabled IPv6 in kernel and/or add this
> ip6tables configuration?
No, we do it because otherwise the stage3 is unusable on ipv6 only
environments and because people can still manually disable it.
> I suppose you enable ipv6 USE flag to make it
> easier for people to start using IPv6. But to use IPv6 these ip6tables
> rules doesn't helps - we really need docs how to setup IPv6 firewall in
> secure way, written by people who not just read IPv6 RFCs, but understood
> all security implications of IPv6-specific features. Last time I tried to
> google for such docs was few years ago, but I found nothing at all.
I couldn't indeed find a good firewall document for ipv4 so...