02-15-2011, 03:57 PM
David Sommerseth
Adding ipv6 USE flag by default

On 15/02/11 16:52, Alex Efros wrote:
[...snip...]
>
> Keeping this in mind, I think it makes sense to avoid enabling IPv6 by
> default on hardened until IPv6 has been widely used/tested/hacked on
> non-hardened systems for some time, or until it becomes a critical feature
> required for normal operation on most servers.

IMHO, this logic doesn't really make sense. This is a backwards attitude.
IPv6 will come for sure; we *need* to implement it. Not enabling it now
will just postpone these security issues further. It's better to flush out
those security issues ASAP, before even more people use it.

Also consider that most distributions (including
RHEL/CentOS/ScientificLinux 5, with 2.6.18-based kernels) ship with IPv6
enabled. In addition, security issues get found and fixed quicker with
broader usage. In most distros security fixes get included rather
quickly, even into the upstream kernels and applications, no matter whether
IPv4 or IPv6.

[...snip...]
> P.S. BTW, enabling the "ipv6" USE flag isn't enough. Using dual-stack on a
> secure server also means doubling nearly all network configuration,
> including firewall setup. And while it's well known how to securely set up
> a network for IPv4, it still isn't clear how to do the same for IPv6 - both
> because IPv6 is much more complex and feature-rich, and because there isn't
> much information/howto material available for IPv6 right now.

This is much more fear of something new. IPv6 is a different protocol, but
when using it, it behaves very much the same as IPv4. You just need to use
ip6tables instead of iptables to do filtering, and the addresses look
different.

For those really not ready to dive into the IPv6 world yet, they should
rather compile their kernel without IPv6 support or blacklist the ipv6
kernel module. Then no IPv6 traffic will be tackled, and all the user
space can still be IPv6-enabled.

> So, I think it makes
> sense to prepare some documentation about IPv6-related configuration on the
> gentoo site and notify users with the `eselect news` mechanism about it before
> enabling the default "ipv6" USE flag in any profile.

Documentation is *always* a good thing. So improving documentation related
to IPv6 is not a bad thing.

<rant>
But the fact is, which many have not understood: IPv6 simplifies networks
much more than it complicates them.

- There is no network address (like 192.168.0.0 for 192.168.0.0/24)

- There is no broadcast address (like 192.168.0.255)

- There is no 127.0.0.0/8 localhost subnet - only ::1

- There is no NAT - only public IP addresses - which need to be filtered

- Automatic stateless and stateful configuration (if using radvd or DHCPv6)

- Manual IPv6 is still an option for those wanting that

- Subnetting a /48 or /56 subnet is very easy.
{your IPv6 prefix}:{your subnet address} - which gives you a /64 subnet
for your network zone ... and you basically don't need to think about
any other network masks. A /48 subnet gives you 0000 to FFFF as valid
subnet addresses after your IPv6 prefix from your ISP. A /56 subnet
gives 00 to FF as valid subnet address. And just think about it ... /48
leaves space for 16 bits for subnetting, so 48 + 16 = 64, hence /64.
And the same for 56 + 8 = 64. There is really no big magic. 8 bits
gives you values 00-FF, 16 bits gives you 0000-FFFF. And the ISP prefix
defines your IPv6 address scope. You can do whatever you'd like with
that.

The only tricky thing is that you need to enable some ICMPv6 traffic on
your internal networks. But if you just open up for all ICMPv6 on internal
interfaces, you're practically good to go.

Routing is exactly the same as on IPv4. You need to either use 'ip -6
route' or 'route -6' to modify the IPv6 routing table.

So the biggest difference is basically the new addressing scheme, with 128
bits available instead of 32 bits. That's all, from the user's perspective.

What probably should be done is to enable a default IPv6 iptables config
which is loaded by default ... which just sets default policy to DROP on
INPUT, FORWARD and OUTPUT ... that way, users need to modify the ip6tables
rules to gain access. That way we won't take anyone by surprise.

This is really not rocket science! Even though it might feel so in the
beginning. But take off your IPv4 hat, and accept that IPv6 is simpler to
set up - and you'll get far very quickly.
</rant>


But my core message is, enable IPv6 in all packages asap. Blocking IPv6
should not be done on application level. That should happen on the kernel
level.


kind regards,

David Sommerseth
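The /48 and /56 subnetting rule and the default-DROP ip6tables configuration described in the post above, as an added example: this shell script was written for this page and is not code from the thread or from any Gentoo profile. The 2001:db8: prefix (documentation range), the subnet ids and the eth1 interface are constructed placeholders. One thing goes beyond what the post states: the four Neighbor Discovery ICMPv6 types are allowed on every interface, not only internal ones, because a host that drops them cannot even resolve its default router.

```shell
#!/bin/sh
# Added example written for this page; not code from the thread or from any
# Gentoo profile. It implements the two practical points of the post:
# "{prefix}:{subnet id} gives you a /64", and an ip6tables baseline with
# DROP policies on INPUT, FORWARD and OUTPUT plus ICMPv6 open on internal
# interfaces. Prefix, subnet ids and interface names are constructed.

# make_subnet64 PREFIX PLEN ID
#   PREFIX: the first four hextets of the ISP delegation with the subnet bits
#           zeroed, e.g. 2001:db8:abcd:0 for a /48 or 2001:db8:abcd:1200 for
#           a /56. PLEN: delegation length (48..63). ID: subnet number,
#           decimal or 0x-hex; it must fit in the 64-PLEN spare bits
#           (16 bits, 0000-FFFF, for a /48; 8 bits, 00-FF, for a /56).
#   Prints the resulting /64.
make_subnet64() {
    prefix=$1 plen=$2
    id=$(( $3 ))
    bits=$(( 64 - plen ))
    if [ "$bits" -lt 1 ] || [ "$bits" -gt 16 ]; then
        echo "make_subnet64: prefix length must be between 48 and 63" >&2
        return 1
    fi
    max=$(( (1 << bits) - 1 ))
    if [ "$id" -lt 0 ] || [ "$id" -gt "$max" ]; then
        echo "make_subnet64: subnet id $3 does not fit in $bits bits (max $max)" >&2
        return 1
    fi
    head=${prefix%:*}                     # first three hextets, kept verbatim
    h4=$(( 0x${prefix##*:} ))             # fourth hextet as delegated
    if [ $(( h4 & max )) -ne 0 ]; then
        echo "make_subnet64: the low $bits bits of $prefix are not zero" >&2
        return 1
    fi
    printf '%s:%x::/64\n' "$head" $(( h4 | id ))
}

# gen_ip6tables_rules INTERNAL_IFACE...
#   Prints (does not apply) the rule set the post sketches: DROP policy on
#   all three chains, loopback and already-established traffic accepted,
#   all ICMPv6 accepted on the named internal interfaces. Beyond the post,
#   Neighbor Discovery (ICMPv6 133-136, which RFC 4861 requires to carry
#   hop limit 255) is accepted on every interface so the host stays
#   reachable and can find its router. conntrack needs nf_conntrack_ipv6.
gen_ip6tables_rules() {
    echo 'ip6tables -F; ip6tables -X'
    for chain in INPUT FORWARD OUTPUT; do
        echo "ip6tables -P $chain DROP"
    done
    echo 'ip6tables -A INPUT  -i lo -j ACCEPT'
    echo 'ip6tables -A OUTPUT -o lo -j ACCEPT'
    echo 'ip6tables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo 'ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for t in 133 134 135 136; do
        echo "ip6tables -A INPUT  -p icmpv6 --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
        echo "ip6tables -A OUTPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
    done
    for iface in "$@"; do
        echo "ip6tables -A INPUT  -i $iface -p icmpv6 -j ACCEPT"
        echo "ip6tables -A OUTPUT -o $iface -p icmpv6 -j ACCEPT"
    done
    echo 'ip6tables -A INPUT -j LOG --log-prefix "ip6 drop: "'
}

# Usage (constructed values):
#   . ./ipv6-baseline.sh
#   make_subnet64 2001:db8:abcd:0 48 0x1a        # -> 2001:db8:abcd:1a::/64
#   make_subnet64 2001:db8:abcd:1200 56 255      # -> 2001:db8:abcd:12ff::/64
#   gen_ip6tables_rules eth1 | less              # review, then pipe to sh as root
```

With the OUTPUT policy at DROP the host cannot open new outbound IPv6 connections until a rule is added, which is exactly the "nobody gets taken by surprise" behaviour the post asks for; the LOG rule at the end makes the dropped packets visible while those rules are being written.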
 
02-15-2011, 06:12 PM
Chris Frederick
Adding ipv6 USE flag by default

On 02/09/11 21:09, Anthony G. Basile wrote:
> Hi everyone,
>
> Jan Kundrat asked on gentoo-dev why hardened removes ipv6 from its
> profiles. To be honest, I see no good reason. I want to add it back.
> Before I do, does anyone in the community know of any issues with
> hardened + ipv6? I don't know of any and all my servers have it
> enabled. So, I'm going to add it back in about 1 week.

Hi everyone,

I'll chime in on this one. I want to clarify what is being asked, and add my two cents.

If you're asking if there are any issues with enabling the ipv6 use flag on the hardened profile, then I haven't run into any. All packages
that I've used have compiled and worked as expected. If you're asking if there are any security issues with ipv6 that would affect the hardened
profile, then I would have to say yes. The hardened profile is intended to be a security-focused profile, and adding ipv6 on by default would
cause many issues with unprepared users.

Considering that ipv6 is auto-configured by default, and a rogue system can attach itself to a network as an ipv6 router, this is a major concern
for users that are unfamiliar with the protocol. Now add that several common packages install with default configurations of listening on
every interface, and that the Netfilter firewall separates ipv4/ipv6 into iptables and ip6tables, with ip6tables' default ALLOW policy, and an unprepared
user could find their network completely unprotected.

A really good example of this is dev-db/mysql, which can be configured to listen on a single address, or all addresses. If database access is
needed from a remote system, there's a good chance that it is configured to listen on all addresses. If you enable ipv6, you may end up adding
three or more addresses to the mix for link (fe80::/10), local (fc00::/7), and global scopes. If you want to run dual stack with your current
ipv4 address plus a fc00::/7 address then you have to listen on all and rely on database/firewall ACLs for protection. In my opinion this shows
that dev-db/mysql simply isn't ipv6 ready. Now there are many other packages that work very well with binding to specific addresses, but a lot
of those are documented to encourage the use of the "listen on all" mentality, and most will default to this mode.

I think the current default of turning the ipv6 use flag off is best. It's not disabled, it's just off. It will need to be defaulted on at
some point, but I don't think we are there yet. If a user wants to "brave the ipv6 waters" then let them, there's a lot to learn. I would
recommend paging through some of the on-line documentation (HOWTOs and wiki at least) and see if we could add some better configuration
examples, or advice for those using dual stack setups, before ipv6 is defaulted on.

Those are my thoughts on it.

Chris
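One way to check the concern above before flipping the flag, as an added example that is not part of the thread: a script that classifies each listening TCP socket from `ss -ltn` output by IPv6 scope and flags wildcard binds, which are the sockets that will also answer on link-local, unique-local and global addresses once the stack is present. The sample socket table, its ports, addresses and the eth0 interface are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: classify listening TCP sockets by
# IPv6 scope and flag wildcard binds, the situation the post describes for
# dev-db/mysql. Input is `ss -ltn` output (LISTEN state in column 1, local
# address:port in column 4). All addresses and ports below are constructed.

# ip6_scope ADDR -> loopback | any | link-local | unique-local | global
#   Decided from the first hextet: fe80::/10 is link-local, fc00::/7 is the
#   unique-local range the post calls "local". IPv4-mapped (::ffff:a.b.c.d)
#   addresses have a zero first hextet and fall through to "global".
ip6_scope() {
    addr=$1
    case "$addr" in
        ::1)     echo loopback; return ;;
        ::|'*')  echo any; return ;;
    esac
    first=${addr%%:*}
    [ -n "$first" ] || first=0            # address starting with "::"
    v=$(( 0x$first ))
    if   [ $(( (v & 0xffc0) == 0xfe80 )) -eq 1 ]; then echo link-local
    elif [ $(( (v & 0xfe00) == 0xfc00 )) -eq 1 ]; then echo unique-local
    else echo global
    fi
}

# audit_listeners < ss-output
#   Prints "PORT SCOPE ADDRESS" for every LISTEN line. Scope "any" marks a
#   wildcard bind ("*", "::", "0.0.0.0"): with the ipv6 stack present that
#   socket answers on link-local, unique-local and global addresses alike.
audit_listeners() {
    while read -r state rq sq laddr rest; do
        [ "$state" = LISTEN ] || continue     # skips the header line
        port=${laddr##*:}
        addr=${laddr%:*}
        case "$addr" in
            "["*"]")                           # ss brackets IPv6 addresses
                addr=${addr#"["}; addr=${addr%"]"}
                addr=${addr%"%"*}              # drop a link-local %iface
                scope=$(ip6_scope "$addr") ;;
            0.0.0.0|'*') scope=any ;;
            127.*)       scope=loopback ;;
            *)           scope=ipv4 ;;
        esac
        echo "$port $scope $addr"
    done
}

# wildcard_ports < ss-output: only the ports bound to every address.
wildcard_ports() {
    audit_listeners | awk '$2 == "any" { print $1 }'
}

# Constructed sample in `ss -ltn` layout, header line included.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN 0      80     [::]:3306              [::]:*
LISTEN 0      128    0.0.0.0:22             0.0.0.0:*
LISTEN 0      128    [fe80::1%eth0]:22      [::]:*
LISTEN 0      128    [fd12:3456::1]:5432    [::]:*
LISTEN 0      128    [2001:db8::5]:80       [::]:*
LISTEN 0      128    127.0.0.1:6379         0.0.0.0:*'

# Usage on a live host:   . ./ipv6-listeners.sh; ss -ltn | audit_listeners
# Usage on the sample:    printf '%s\n' "$SAMPLE_SS" | wildcard_ports   # -> 3306, 22
```

On the sample the database on 3306 and sshd on 22 are the wildcard binds; the rest already sit on one address each, so enabling the flag changes nothing for them. Run against a real host, the "any" lines are the services whose bind-address or firewall ACLs deserve a look before ipv6 goes on.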
 
02-15-2011, 08:47 PM
klondike
Adding ipv6 USE flag by default

On 15/02/11 16:52, Alex Efros wrote:
> Hi! Quick Google and CVE searches show there have been more than enough vulnerabilities
> in all OSes' (including Linux) IPv6 stack implementations. And, as we all
> know, most vulnerabilities will be found only after a product becomes
> popular and widely used, which hasn't happened to IPv6 yet.
/me looks:
"Summary: The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux
kernel before 2.6.32.4, when network namespaces are enabled, allows
remote attackers to cause a denial of service (NULL pointer dereference)
via an invalid IPv6 jumbogram, a related issue to CVE-2007-4567."
Hardened kernels with UDEREF aren't vulnerable; also, it was more than a
year ago.

"The selinux_parse_skb_ipv6 function in security/selinux/hooks.c in the
Linux kernel before 2.6.12-rc4 allows remote attackers to cause a denial
of service (OOPS) via vectors associated with an incorrect call to the
ipv6_skip_exthdr function."
"The ip6_dst_lookup_tail function in net/ipv6/ip6_output.c in the Linux
kernel before 2.6.27 does not properly handle certain circumstances
involving an IPv6 TUN network interface and a large number of neighbors,
which allows attackers to cause a denial of service (NULL pointer
dereference and OOPS) or possibly have unspecified other impact via
unknown vectors."
"Use-after-free vulnerability in net/ipv4/tcp_input.c in the Linux
kernel 2.6 before 2.6.20, when IPV6_RECVPKTINFO is set on a listening
socket, allows remote attackers to cause a denial of service (kernel
panic) via a SYN packet while the socket is in a listening (TCP_LISTEN)
state, which is not properly handled and causes the skb structure to be
freed."
Old kernels.
"The mipv6 daemon in UMIP 0.4 does not verify that netlink messages
originated in the kernel, which allows local users to spoof netlink
socket communication via a crafted unicast message."
Not even Linux.

On apps:
"Summary: The DHCPv6 server in ISC DHCP 4.0.x and 4.1.x before 4.1.2-P1,
4.0-ESV and 4.1-ESV before 4.1-ESV-R1, and 4.2.x before 4.2.1b1 allows
remote attackers to cause a denial of service (assertion failure and
daemon crash) by sending a message over IPv6 for a declined and
abandoned address."
A DoS due to an assertion, bad but not SO bad. Anyway I doubt any
security-focused person will use DHCP if avoidable.

"Summary: dns_internal.cc in Squid 3.1.6, when IPv6 DNS resolution is
not enabled, accesses an invalid socket during an IPv4 TCP DNS query,
which allows remote attackers to cause a denial of service (assertion
failure and daemon exit) via vectors that trigger an IPv4 DNS response
with the TC bit set." Bad yet not SO bad either, another DoS.

Seriously, I don't see any serious sec problem for hardened users in
there which can't be solved by just not allowing ipv6 traffic/disabling
the ipv6 stack in the kernel.
Other than that I agree: the main difference I found is the lack of some
sort of NAT to hide addresses, but other than that ipv6 is not that
different from ipv4, with a few extensions which are also there for ipv4.
 
02-19-2011, 04:02 PM
Anthony G. Basile
Adding ipv6 USE flag by default

On 02/15/2011 02:12 PM, Chris Frederick wrote:
> Hi everyone,
>
> I'll chime in on this one. I want to clarify what is being asked, and add my two cents.

Okay, I don't think there was a consensus on this issue, so I'm sure to
make someone unhappy. I think for now we'll leave the status quo, i.e.
ipv6 off by default.

If it had been a question of whether or not ipv6 would be included in
hardened, then the issue would have been obvious. We must have ipv6.
But the question was, do we enable or disable it *by default*. Those
that wish can always switch it on so nothing is ultimately lost.

The question came up because of the latest news about ipv4 address space
being depleted, so we know ipv6 is coming. When ipv6 use becomes
significant, we'll revisit the issue.

(And please don't ask me what significant means! I'm not even sure myself

--
Anthony G. Basile, Ph.D.
Gentoo Developer
 
02-20-2011, 11:23 PM
Aaron W. Swenson
Adding ipv6 USE flag by default


On 02/19/2011 12:02 PM, Anthony G. Basile wrote:
> On 02/15/2011 02:12 PM, Chris Frederick wrote:
>> Hi everyone,
>>
>> I'll chime in on this one. I want to clarify what is being asked, and add my two cents.
>
> Okay, I don't think there was a consensus on this issue, so I'm sure to
> make someone unhappy. I think for now we'll leave the status quo, i.e.
> ipv6 off by default.
>
> If it had been a question of whether or not ipv6 would be included in
> hardened, then the issue would have been obvious. We must have ipv6.
> But the question was, do we enable or disable it *by default*. Those
> that wish can always switch it on so nothing is ultimately lost.
>
> The question came up because of the latest news about ipv4 address space
> being depleted, so we know ipv6 is coming. When ipv6 use becomes
> significant, we'll revisit the issue.
>
> (And please don't ask me what significant means! I'm not even sure myself
>

How about we shoot for World IPv6 Day? [1] Since everyone else will be
doing their test runs that day I think we should, too.

Additionally, amongst all the shouting about insecurity, the potential for
the improved security offered by IPv6 has been ignored, such as IPsec.
[2] The specification for 'link-local' (fe80::/16) pretty much behaves
in the same manner as 192.168.0.0/16 and 10.0.0.0/8 because of its built-in
Hop Limit restriction and requirement that routers never forward an
fe80::/16 packet. [3] Additionally, there is the potential for improved
performance through jumbograms [4] and PMTU Discovery [5], not to
mention reduced hardware requirements to calculate checksums, which are
no longer necessary.

As some have pointed out, all that's really required to disable IPv6
support is to just not include the IPv6 stack in the kernel. Somebody
accidentally including it is unlikely for business production, so I
don't understand the concern there. (And those who aren't so security
conscious probably aren't running servers anyway.) Additionally, the
greater percentage of people who have Internet access must still wait
for the support to come or have to specifically request IPv6 support.
(My ISP, Verizon, has only now really begun working on offering IPv6 and
they say it'll take 18 months to implement.) Finally, the primary
Internet router must support IPv6. There's a lot of intentional setup
that goes into making IPv6 not only work but be viable on a network. A
simple flip of a USE flag isn't going to magically turn everything on
its ear and expose everyone to great risk.

Lastly, let's not forget the fact that a good portion of the stable
software packages available in the Portage tree, and run by a good
portion of the Gentoo user base, already incorporate IPv6 support with
no means other than less than trivial modifications of the source code
to disable it. (e.g., PostgreSQL, Apache and Firefox) Optional support
of IPv6 is rapidly disappearing from the tree as it is anyway. We might
as well expect it to come regardless of our wishes for a different time
frame. Indeed, it is here already in some of the more important and
popular packages.

Sincerely,
Mr. Aaron W. Swenson

[1] http://isoc.org/wp/worldipv6day/
[2] http://tools.ietf.org/html/rfc2460
[3] http://tools.ietf.org/html/rfc4291#section-2.5.6
[4] http://tools.ietf.org/html/rfc2675
[5] http://tools.ietf.org/html/rfc1981
 
02-21-2011, 05:34 PM
Adding ipv6 USE flag by default

On Sat, Feb 19, 2011 at 12:02:20PM -0500, Anthony G. Basile wrote:
| On 02/15/2011 02:12 PM, Chris Frederick wrote:
| > Hi everyone,
| >
| > I'll chime in on this one. I want to clarify what is being asked, and add my two cents.
|
| Okay, I don't think there was a consensus on this issue, so I'm sure to
| make someone unhappy. I think for now we'll leave the status quo, i.e.
| ipv6 off by default.

Here's an issue I've found with ipv6, and not necessarily hardened: upsd
fails to start if it can't autoload net-pf-10. Since in hardened we
have the ability to disable module autoloading and I've used that to
prevent my apps from emitting ipv6 I wasn't yet in control of, it was
definitely an edge case hardened helped find. That particular app
(sys-power/nut) doesn't even have an ipv6 USE flag.
 
02-21-2011, 05:49 PM
Tóth Attila
Adding ipv6 USE flag by default

I've been running nut & upsd without ipv6 (either in kernel or userland)
for ages on Hardened x86.

Regards:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On Monday, 21 February 2011 at 19:34, schism@subverted.org wrote:
> On Sat, Feb 19, 2011 at 12:02:20PM -0500, Anthony G. Basile wrote:
> | On 02/15/2011 02:12 PM, Chris Frederick wrote:
> | > Hi everyone,
> | >
> | > I'll chime in on this one. I want to clarify what is being asked, and
> add my two cents.
> |
> | Okay, I don't think there was a consensus on this issue, so I'm sure to
> | make someone unhappy. I think for now we'll leave the status quo, i.e.
> | ipv6 off by default.
>
> Here's an issue I've found with ipv6, and not necessarily hardened: upsd
> fails to start if it can't autoload net-pf-10. Since in hardened we
> have the ability to disable module autoloading and I've used that to
> prevent my apps from emitting ipv6 I wasn't yet in control of, it was
> definitely an edge case hardened helped find. That particular app
> (sys-power/nut) doesn't even have an ipv6 USE flag.
>
 
02-21-2011, 07:34 PM
Thomas Sachau
Adding ipv6 USE flag by default

On 21.02.2011 01:23, Aaron W. Swenson wrote:
> On 02/19/2011 12:02 PM, Anthony G. Basile wrote:
>> On 02/15/2011 02:12 PM, Chris Frederick wrote:
>>> Hi everyone,
>>>
>>> I'll chime in on this one. I want to clarify what is being asked, and add my two cents.
>
>> Okay, I don't think there was a consensus on this issue, so I'm sure to
>> make someone unhappy. I think for now we'll leave the status quo, i.e.
>> ipv6 off by default.
>
>> If it had been a question of whether or not ipv6 would be included in
>> hardened, then the issue would have been obvious. We must have ipv6.
>> But the question was, do we enable or disable it *by default*. Those
>> that wish can always switch it on so nothing is ultimately lost.
>
>> The question came up because of the latest news about ipv4 address space
>> being depleted, so we know ipv6 is coming. When ipv6 use becomes
>> significant, we'll revisit the issue.
>
>> (And please don't ask me what significant means! I'm not even sure myself
>
>
> How about we shoot for World IPv6 Day? [1] Since everyone else will be
> doing their test runs that day I think we should, too.
> <snip>

I suggest you respect the decision of the hardened team and stop arguing against it after the
decision was made. The ipv6 USE flag, and only the USE flag, is not enabled by default. And please
read this carefully: _not enabled by default_. Nothing prevents anyone from enabling it by default in their
make.conf, in any package.use file/dir or wherever they want.

This is just a default setting for a profile which aims at a minimal set of default-enabled USE
flags. In addition, currently ipv4 is still the default and almost no one has a native
ipv6 connection by default, so it does not even make sense to enable that USE flag by default.

So with this conclusion, I fully support the decision of blueness and thank him for his good work
for and with the hardened profile of Gentoo Linux.

--
Thomas Sachau

Gentoo Linux Developer
 
02-21-2011, 08:11 PM
klondike
Adding ipv6 USE flag by default

On 21/02/11 21:34, Thomas Sachau wrote:
> Am 21.02.2011 01:23, schrieb Aaron W. Swenson:
>> On 02/19/2011 12:02 PM, Anthony G. Basile wrote:
>>> On 02/15/2011 02:12 PM, Chris Frederick wrote:
>>>> Hi everyone,
>>>>
>>>> I'll chime in on this one. I want to clarify what is being asked, and add my two cents.
>>> Okay, I don't think there was a consensus on this issue, so I'm sure to
>>> make someone unhappy. I think for now we'll leave the status quo, i.e.
>>> ipv6 off by default.
>>> If it had been a question of whether or not ipv6 would be included in
>>> hardened, then the issue would have been obvious. We must have ipv6.
>>> But the question was, do we enable or disable it *by default*. Those
>>> that wish can always switch it on so nothing is ultimately lost.
>>> The question came up because of the latest news about ipv4 address space
>>> being depleted, so we know ipv6 is coming. When ipv6 use becomes
>>> significant, we'll revisit the issue.
>>> (And please don't ask me what significant means! I'm not even sure myself
>>
>> How about we shoot for World IPv6 Day? [1] Since everyone else will be
>> doing their test runs that day I think we should, too.
>> <snip>
> I suggest you respect the decision of the hardened team and stop arguing against it after the
> decision was made. The ipv6 USE flag, and only the USE flag, is not enabled by default. And please
> read this carefully: _not enabled by default_. Nothing prevents anyone from enabling it by default in their
> make.conf, in any package.use file/dir or wherever they want.
I don't know what the rest of the hardened team thinks, but at least I
advocate for everybody to have a say in this kind of discussion, as
even if the decision has been taken it is not always too late to
change it if it is a bad one. Seeing the discussion, you can see that
Aaron hadn't participated before and was just sharing his point of view;
I don't see where the problem is with that. In fact he was exposing some
data which had not been provided in the discussion prior to the
announcement.

Again, it is just my opinion, so feel free to correct me if you feel I'm
wrong.
 
