FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Gentoo > Gentoo Hardened

 
 
LinkBack Thread Tools
 
Old 06-26-2012, 08:36 AM
Darknight
 
Default ipv6 on by default for hardened profile

Il 26/06/2012 09:49, Michael Orlitzky ha scritto:

On 06/26/2012 03:38 AM, Darknight wrote:

Enable ipv6 use flag and disable ipv6 in /etc/sysctl.conf?
- no scary (j/k) ipv6 enabled by default
- ipv6 enabled in a matter of seconds without need for an internet
connection

The news item and a word about the sysctl thing in the docs would be good.



Does this actually work, or does it cause half of the software compiled
with USE="ipv6" to crash?


I vaguely remember something quirky about those sysctl settings but no
crashes.



Also, I don't think it's much easier than setting USE="-ipv6" =)


It's slightly different, I agree, but those that don't like ipv6 on by
default may appreciate it.
 
Old 06-26-2012, 01:14 PM
Kevin Chadwick
 
Default ipv6 on by default for hardened profile

> BTW, is there exists (Gentoo?) guides/howtos which explain these issues
> (preferably from "differences from IPv4" point of view) to average admin
> who know how to setup IPv4 and know nothing about IPv6,

There was a recent presentation (not gentoo) about security issues in
ipv6 and it was extensive.

I presume the issue is having ipv6 to install so it should be enabled
why not offer an easy disable option or question to minimse the window
of opportunity, perhaps pre-emptive for net install.

Personally when disabling ipv6 I choose the module removal or
blacklisting, assuming you don't use it locally or it falls back to
ipv4.

--
__________________________________________________ ______

Why not do something good every day and install BOINC.
__________________________________________________ ______
 
Old 06-27-2012, 12:33 AM
"Francisco Blas Izquierdo Riera (klondike)"
 
Default ipv6 on by default for hardened profile

El 26/06/12 05:03, Alex Efros escribió:
> Hi!
Hi!
> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
>>> I'm alerting users so that you can make whatever changes you like to
>>> ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
>>> default ipv6 on all hardened profiles.
>> I use ipv6 on all my servers (not that everyone does). We will have to
>> enable it eventually, sooner is probably better then later I think.
> Correct me if I'm wrong, but enabling IPv6 mean needs in supporting two
> different routing tables and two different firewalls.
Different routing tables maybe but the firewall is still the same, the
iptables based one. And with the ipv6 USE you get it.
> Also, I suppose
> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
> may (and probably will!) result in creating new security holes until admin
> will develop IPv6 firewall rules similar to existing IPv4 firewall rules.
The use has little to nothing to see with this, the ipv6 is not a magic
use flag that necessarily works with all packages, it only does it with
those that have it. Other may just not have an option to disable ipv6.
Anyway for this to happen you must (and these are all necessary conditions):
* Have an ipv6 route from the attacker to the affected machine
* Have ipv6 enable on the kernel.
* Have an ipv6 address assigned accesible by the attacker.
* Get the attacker to know said address (since bruteforcing the address
space is hard to say the least).
* Have anything listening on that address (depending on the attack the
icmpv6 server could be it but there are other services who listen to
ipv6 no matter what you do).

If one of them doesn't hold the risk is not much more than the risk some
uncalled code can provide which is still not much.
> And I suppose just trying to duplicate existing rules as is won't be
> enough because of new IPv6-specific features, which is absent in IPv4,
> and which should be additionally blocked/enabled too.
This depends a lot on which rules you have. In general it is more about
the address block than anything else.
> If I'm right (about creating new security holes because of enabling ipv6
> USE flag) then it may be bad idea to enable it by default until we'll be
> sure admin is ready for this (for example, we may check is IPv6 enabled in
> kernel and is there exists IPv6 firewall rules).
You are mostly wrong, the only issue I can think of is if you enabled
ipv6 on the kernel in which case you are probably fucked since daemons
may be listening there anyway even before the change.
> BTW, is there exists (Gentoo?) guides/howtos which explain these issues
> (preferably from "differences from IPv4" point of view) to average admin
> who know how to setup IPv4 and know nothing about IPv6, and provide
> minimum recommended configuration for IPv6 routing/firewall? I think
> enabling IPv6 by default should begins from writing such docs.
# ip6tables -A INPUT -j DROP
# ip6tables -A OUTPUT -j DROP
# ip6tables -A FORWARD -j DROP
There you are safe now.
 
Old 06-27-2012, 12:42 AM
"Francisco Blas Izquierdo Riera (klondike)"
 
Default ipv6 on by default for hardened profile

El 26/06/12 07:43, Michael Orlitzky escribió:
> It's easy enough to set USE="-ipv6" manually of course, but the same
> argument works for USE="ipv6". So, I think the default should be what
> most people want; i.e. what the fewest people will have to override. Do
> most hardened machines use ipv6?
These here is a nice fallacy it is called Argumentum ad Populum and
doesn't stands. Why? Because these is about having an usable system.
If you disable ipv6 on the profiles users on ipv6 only systems can't
then use the stages since they need to fetch system to rebuild the
packages and for that they need ipv6. So, since from a functionality
point of view enabling it won't leave on an unusable system after
unpacking the stage to users of either ipv4 or dual stack systems the
USE will be on.

We are not shoving anything through people's throats anyway you can
always disable it and you probably will since you must be a really bad
hardened system administrator if you don't recheck
the default USE flags before proceeding with the installation.
 
Old 06-27-2012, 12:51 AM
"Francisco Blas Izquierdo Riera (klondike)"
 
Default ipv6 on by default for hardened profile

El 26/06/12 08:26, Jonny Kent escribió:
>
> On Jun 25, 2012, at 10:43 PM, Michael Orlitzky <michael@orlitzky.com> wrote:
>
>> On 06/25/12 23:03, Alex Efros wrote:
>>> Correct me if I'm wrong, but enabling IPv6 mean needs in supporting two
>>> different routing tables and two different firewalls. Also, I suppose
>>> enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
>>> may (and probably will!) result in creating new security holes until admin
>>> will develop IPv6 firewall rules similar to existing IPv4 firewall rules.
>>> And I suppose just trying to duplicate existing rules as is won't be
>>> enough because of new IPv6-specific features, which is absent in IPv4,
>>> and which should be additionally blocked/enabled too.
>> This is where I'm at -- being in the USA, I'll probably be long dead
>> before our upstream supports ipv6. I don't even know enough about ipv6
>> to know what I don't know, so the only safe course is to have it disabled.
>>
>> It's easy enough to set USE="-ipv6" manually of course, but the same
>> argument works for USE="ipv6". So, I think the default should be what
>> most people want; i.e. what the fewest people will have to override. Do
>> most hardened machines use
> As an end user of hardened working in a California educational institution I note that my institution doesn't yet have either firewall or router rules stabilized for ipv6 yet and don't expect them for probably another 6 months so whatever is decided it will be off on the servers I administer.
> Alex makes good points about the lack of expertise in ipv6 firewalls. Having ipv6 on by default would seem to be going against the spirit of the hardened profile since it opens systems to new attack vectors created unwittingly.
I have to disagree here, the hardened spirit is way more as described in
the Project Description at http://www.gentoo.org/proj/en/hardened/
>
> Hardened Gentoo is a project which oversees the research,
> implementation, and maintenance of security oriented projects for
> Gentoo Linux. We are a team of very competent individuals dedicated to
> bring advanced security to Gentoo with a number of subprojects.
>
Since ipv6 brings new security features to its users (like larger
address spaces making port scans over the network much harder) it
doesn't make sense to complicate the life to the people wanting to use
it on a hardened system for the sake of an negligible security risks
(larger text sections on some programs). This is manily because if you
don't want ipv6 you'll not enable it on the kernel anyway since by doing
so your stack will be exposed.
 
Old 06-27-2012, 12:55 AM
"Francisco Blas Izquierdo Riera (klondike)"
 
Default ipv6 on by default for hardened profile

El 26/06/12 09:38, Darknight escribió:
> Enable ipv6 use flag and disable ipv6 in /etc/sysctl.conf?
> - no scary (j/k) ipv6 enabled by default
> - ipv6 enabled in a matter of seconds without need for an internet
> connection
>
> The news item and a word about the sysctl thing in the docs would be
> good.
We'll not get a news item, the change is easily noticeable when
upgrading with emerge.

I'll send a small announcement to gentoo-user, twitt about it on the
twitter account and let it
on the chat channel topic for a while. But if you find it can be added
to any of the existing docs,
or feel like writing your own doc, don't hesitate to say so, doc writers
are needed and welcome here.
 
Old 06-27-2012, 07:19 AM
Alex Efros
 
Default ipv6 on by default for hardened profile

Hi!

On Wed, Jun 27, 2012 at 02:33:49AM +0200, Francisco Blas Izquierdo Riera (klondike) wrote:
> > Correct me if I'm wrong, but enabling IPv6 mean needs in supporting two
> > different routing tables and two different firewalls.
> Different routing tables maybe but the firewall is still the same, the
> iptables based one. And with the ipv6 USE you get it.

By "two different firewalls" I mean needs in supporting two different sets
of firewall rules, one for iptables and second for ip6tables.

> Anyway for this to happen you must (and these are all necessary conditions):
> * Have an ipv6 route from the attacker to the affected machine
> * Have ipv6 enable on the kernel.
> * Have an ipv6 address assigned accesible by the attacker.
> * Get the attacker to know said address (since bruteforcing the address
> space is hard to say the least).
> * Have anything listening on that address (depending on the attack the
> icmpv6 server could be it but there are other services who listen to
> ipv6 no matter what you do).

I've no idea how many people have IPv6 enabled in kernel unintentionally,
but all other conditions in many cases will be satisfied unintentionally:
* route usually exists between two machines supporting same protocol
* ipv6 address may be automatically assigned by ISP by dhcp/ppp
* address may be known using dns/dyndns, also bruteforcing addresses
provided by same ISP isn't more complicated than bruteforcing IPv4
addresses, because ISP usually provide them in same predictable way
* with ipv6 USE flag enabled many, if not most, daemons will be listening
on IPv6 address without special configuration by admin

I.e. if you've IPv6 enabled in kernel, and your ISP at some point will
decide to provide IPv6 addresses, with default USE=ipv6 your system and
services may become unintentionally accessible by IPv6.

So, only real condition from your list is enable/disable IPv6 in kernel.

> > BTW, is there exists (Gentoo?) guides/howtos which explain these issues
> > (preferably from "differences from IPv4" point of view) to average admin
> > who know how to setup IPv4 and know nothing about IPv6, and provide
> > minimum recommended configuration for IPv6 routing/firewall? I think
> > enabling IPv6 by default should begins from writing such docs.
> # ip6tables -A INPUT -j DROP
> # ip6tables -A OUTPUT -j DROP
> # ip6tables -A FORWARD -j DROP
> There you are safe now.

Safe, but don't working. Do you enable ipv6 USE flag just to force people
to either disable unintentionally enabled IPv6 in kernel and/or add this
ip6tables configuration? I suppose you enable ipv6 USE flag to make it
easier for people to start using IPv6. But to use IPv6 these ip6tables
rules doesn't helps - we really need docs how to setup IPv6 firewall in
secure way, written by people who not just read IPv6 RFCs, but understood
all security implications of IPv6-specific features. Last time I tried to
google for such docs was few years ago, but I found nothing at all.

--
WBR, Alex.
 
Old 06-27-2012, 07:28 AM
Hinnerk van Bruinehsen
 
Default ipv6 on by default for hardened profile

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 27.06.2012 09:19, Alex Efros wrote:
> Hi!
>
<SNIP>
>> # ip6tables -A INPUT -j DROP # ip6tables -A OUTPUT -j DROP #
>> ip6tables -A FORWARD -j DROP There you are safe now.
>
> Safe, but don't working. Do you enable ipv6 USE flag just to force
> people to either disable unintentionally enabled IPv6 in kernel
> and/or add this ip6tables configuration? I suppose you enable ipv6
> USE flag to make it easier for people to start using IPv6. But to
> use IPv6 these ip6tables rules doesn't helps - we really need docs
> how to setup IPv6 firewall in secure way, written by people who not
> just read IPv6 RFCs, but understood all security implications of
> IPv6-specific features. Last time I tried to google for such docs
> was few years ago, but I found nothing at all.
>

I think firewall-config is a mystery to many people. But you're right:
good documentation would be nice!

Concerning the ipv6-USEFLAG: Since there may be packages with no
compile-time option or packages which have one but with ebuilds that
don't use it there is only one option to be safe: disable it in your
kernelconfig.

Just thinking "No USEFLAG equals security" is simply wrong and even
adds a layer of obfuscation where you may think that you're safe while
you aren't.

I think it doesn't matter security-wise if ipv6 is enabled or disabled
by default because you have to disable it inside the kernel to be on
the safe side.

WKR
Hinnerk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP6rYaAAoJEJwwOFaNFkYcwIMH/A5mNGg2EClgS4f/YTsvmuyq
vQvzcrh56/zob2Qf7OHFNvTWSXcyu70nqkuuce1qg0Je/oMsGJoewz+0xSbIoX1I
/S+dWHHCaUJQMZc+w8rhjh7Rvl3zBm32lja9bmBCLDfsbXiPXHf Ipj/LIcOEEHsN
Tn2+ntkjQIE3ehMjmO/Ke7w5XuSokP4yDzmeSZ0q7soTVWCIrMU1YB+Flyx11qnl
2g1focGTQm5n8TDjopbsppM5l4jodFeWW2eaH9Fgy2J21kQEUF qammvfbI8+nI89
J/+Idvge/0s9ToKACziY6Z6XT4CnKl0+pQhDjJjl6W3wV6ZQVRZxi+e9rkz EmUo=
=O/Bt
-----END PGP SIGNATURE-----
 
Old 06-27-2012, 12:42 PM
"Anthony G. Basile"
 
Default ipv6 on by default for hardened profile

On 06/25/2012 11:03 PM, Alex Efros wrote:

Hi!

On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:

I'm alerting users so that you can make whatever changes you like to
ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
default ipv6 on all hardened profiles.

I use ipv6 on all my servers (not that everyone does). We will have to
enable it eventually, sooner is probably better then later I think.


Correct me if I'm wrong, but enabling IPv6 mean needs in supporting two
different routing tables and two different firewalls. Also, I suppose
enabling IPv6 on any server/router with non-trivial IPv4 firewall rules
may (and probably will!) result in creating new security holes until admin
will develop IPv6 firewall rules similar to existing IPv4 firewall rules.
And I suppose just trying to duplicate existing rules as is won't be
enough because of new IPv6-specific features, which is absent in IPv4,
and which should be additionally blocked/enabled too.

If I'm right (about creating new security holes because of enabling ipv6
USE flag) then it may be bad idea to enable it by default until we'll be
sure admin is ready for this (for example, we may check is IPv6 enabled in
kernel and is there exists IPv6 firewall rules).

BTW, is there exists (Gentoo?) guides/howtos which explain these issues
(preferably from "differences from IPv4" point of view) to average admin
who know how to setup IPv4 and know nothing about IPv6, and provide
minimum recommended configuration for IPv6 routing/firewall? I think
enabling IPv6 by default should begins from writing such docs.



Please opt out. USE="-ipv6" in /etc/make.conf

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
 
Old 06-27-2012, 12:44 PM
"Anthony G. Basile"
 
Default ipv6 on by default for hardened profile

On 06/26/2012 03:49 AM, Michael Orlitzky wrote:

On 06/26/2012 03:38 AM, Darknight wrote:

Enable ipv6 use flag and disable ipv6 in /etc/sysctl.conf?
- no scary (j/k) ipv6 enabled by default
- ipv6 enabled in a matter of seconds without need for an internet
connection

The news item and a word about the sysctl thing in the docs would be good.



Does this actually work, or does it cause half of the software compiled
with USE="ipv6" to crash?

Also, I don't think it's much easier than setting USE="-ipv6" =)


Those who need to bootstap out of a stage3 in an ipv6 only env need
USE="ipv6" by default. Please opt out with USE="-ipv6" if you don't
want it.


--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
 

Thread Tools




All times are GMT. The time now is 02:59 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org