Old 06-27-2012, 12:53 PM
"Aaron W. Swenson"
 
ipv6 on by default for hardened profile

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06/26/2012 08:33 PM, Francisco Blas Izquierdo Riera (klondike) wrote:
> On 26/06/12 05:03, Alex Efros wrote:
>> Hi!
> Hi!
>> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
>>>> I'm alerting users so that you can make whatever changes you
>>>> like to ipv6 in your /etc/make.conf. In about 24 hours I
>>>> will turn on by default ipv6 on all hardened profiles.
>>> I use ipv6 on all my servers (not that everyone does). We will
>>> have to enable it eventually, sooner is probably better then
>>> later I think.
>> Correct me if I'm wrong, but enabling IPv6 mean needs in
>> supporting two different routing tables and two different
>> firewalls.
> Different routing tables maybe but the firewall is still the same,
> the iptables based one. And with the ipv6 USE you get it.
>> Also, I suppose enabling IPv6 on any server/router with
>> non-trivial IPv4 firewall rules may (and probably will!) result
>> in creating new security holes until admin will develop IPv6
>> firewall rules similar to existing IPv4 firewall rules.
> The use has little to nothing to see with this, the ipv6 is not a
> magic use flag that necessarily works with all packages, it only
> does it with those that have it. Others may just not have an option
> to disable ipv6. Anyway for this to happen you must (and these are
> all necessary conditions):
> * Have an ipv6 route from the attacker to the affected machine
> * Have ipv6 enabled on the kernel.
> * Have an ipv6 address assigned accessible by the attacker.
> * Get the attacker to know said address (since bruteforcing the
>   address space is hard to say the least).
> * Have anything listening on that address (depending on the attack
>   the icmpv6 server could be it but there are other services who
>   listen to ipv6 no matter what you do).
>
> If one of them doesn't hold the risk is not much more than the risk
> some uncalled code can provide which is still not much.
>> And I suppose just trying to duplicate existing rules as is won't
>> be enough because of new IPv6-specific features, which is absent
>> in IPv4, and which should be additionally blocked/enabled too.
> This depends a lot on which rules you have. In general it is more
> about the address block than anything else.
>> If I'm right (about creating new security holes because of
>> enabling ipv6 USE flag) then it may be bad idea to enable it by
>> default until we'll be sure admin is ready for this (for example,
>> we may check is IPv6 enabled in kernel and is there exists IPv6
>> firewall rules).
> You are mostly wrong, the only issue I can think of is if you
> enabled ipv6 on the kernel in which case you are probably fucked
> since daemons may be listening there anyway even before the
> change.
>> BTW, is there exists (Gentoo?) guides/howtos which explain these
>> issues (preferably from "differences from IPv4" point of view) to
>> average admin who know how to setup IPv4 and know nothing about
>> IPv6, and provide minimum recommended configuration for IPv6
>> routing/firewall? I think enabling IPv6 by default should begins
>> from writing such docs.
> # ip6tables -A INPUT -j DROP
> # ip6tables -A OUTPUT -j DROP
> # ip6tables -A FORWARD -j DROP
> There you are safe now.
>
This is almost what I wrote to send to the list, but decided to wait a
day and sleep on it. But mine had more pepper in it.

- - Aaron

- --
Mr. Aaron W. Swenson
Gentoo Linux Developer
Email : titanofold@gentoo.org
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
GnuPG ID : D1BBFDA0


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk/rAj0ACgkQVxOqA9G7/aBlCQD7B0xh96+iVtth0QU/EZeThp9F
uAiCVAj5OCRW6XgJVIcBAKIDIvU6U172nKz1UC3hUtvDdSNPZYFDysY1EpmDJqTG
=ND1t
-----END PGP SIGNATURE-----
 
Old 06-27-2012, 01:02 PM
"Aaron W. Swenson"
 
ipv6 on by default for hardened profile

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06/27/2012 03:19 AM, Alex Efros wrote:
> Hi!
>
> On Wed, Jun 27, 2012 at 02:33:49AM +0200, Francisco Blas Izquierdo
> Riera (klondike) wrote:
>>> Correct me if I'm wrong, but enabling IPv6 mean needs in
>>> supporting two different routing tables and two different
>>> firewalls.
>> Different routing tables maybe but the firewall is still the
>> same, the iptables based one. And with the ipv6 USE you get it.
>
> By "two different firewalls" I mean needs in supporting two
> different sets of firewall rules, one for iptables and second for
> ip6tables.
>
>> Anyway for this to happen you must (and these are all necessary
>> conditions):
>> * Have an ipv6 route from the attacker to the affected machine
>> * Have ipv6 enabled on the kernel.
>> * Have an ipv6 address assigned accessible by the attacker.
>> * Get the attacker to know said address (since bruteforcing the
>>   address space is hard to say the least).
>> * Have anything listening on that address (depending on the attack
>>   the icmpv6 server could be it but there are other services who
>>   listen to ipv6 no matter what you do).
>
> I've no idea how many people have IPv6 enabled in kernel
> unintentionally, but all other conditions in many cases will be
> satisfied unintentionally:
> * route usually exists between two machines supporting same protocol
> * ipv6 address may be automatically assigned by ISP by dhcp/ppp
> * address may be known using dns/dyndns, also bruteforcing addresses
>   provided by same ISP isn't more complicated than bruteforcing IPv4
>   addresses, because ISP usually provide them in same predictable way
> * with ipv6 USE flag enabled many, if not most, daemons will be
>   listening on IPv6 address without special configuration by admin
>
> I.e. if you've IPv6 enabled in kernel, and your ISP at some point
> will decide to provide IPv6 addresses, with default USE=ipv6 your
> system and services may become unintentionally accessible by IPv6.
>
> So, only real condition from your list is enable/disable IPv6 in
> kernel.
>
>>> BTW, is there exists (Gentoo?) guides/howtos which explain
>>> these issues (preferably from "differences from IPv4" point of
>>> view) to average admin who know how to setup IPv4 and know
>>> nothing about IPv6, and provide minimum recommended
>>> configuration for IPv6 routing/firewall? I think enabling IPv6
>>> by default should begins from writing such docs.
>> # ip6tables -A INPUT -j DROP
>> # ip6tables -A OUTPUT -j DROP
>> # ip6tables -A FORWARD -j DROP
>> There you are safe now.
>
> Safe, but don't working. Do you enable ipv6 USE flag just to force
> people to either disable unintentionally enabled IPv6 in kernel
> and/or add this ip6tables configuration? I suppose you enable ipv6
> USE flag to make it easier for people to start using IPv6. But to
> use IPv6 these ip6tables rules doesn't helps - we really need docs
> how to setup IPv6 firewall in secure way, written by people who not
> just read IPv6 RFCs, but understood all security implications of
> IPv6-specific features. Last time I tried to google for such docs
> was few years ago, but I found nothing at all.
>

Those who have IPv6 enabled in the kernel unintentionally probably
aren't very security minded and probably aren't using Hardened.
They're moot. We cannot help reckless individuals.

As far as I've seen with ip6tables, the rules are the same. They
work the same way as iptables. There's just a bit of an accent to some
rules, which is usually the appending of '6' (e.g., icmp6 instead of
icmp).

- --
Mr. Aaron W. Swenson
Gentoo Linux Developer
Email : titanofold@gentoo.org
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
GnuPG ID : D1BBFDA0


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iF4EAREIAAYFAk/rBHwACgkQVxOqA9G7/aA8mgD/SWOUViEekO2gFkfujne+K/1v
vJNrYSXaq/qEBdmTUj4A/jPU/0lROjqprvZ7YOb+kgYAFVof7OIRs0kEZYiDyI0l
=MCdd
-----END PGP SIGNATURE-----
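The three `ip6tables ... -j DROP` rules quoted above are the "safe, but not working" end of the spectrum, and Aaron's point that ip6tables rules are iptables rules with a '6' accent holds only until you reach ICMPv6, which IPv6 needs for neighbour discovery and path-MTU signalling in a way ICMP never was needed for IPv4. The following POSIX shell script is an added example, not code from the thread or from Gentoo: it emits an ip6tables-restore ruleset either as `lockdown` (the chain-policy form of the three DROP rules) or as `minimal` (still default-DROP, but admitting loopback, reply traffic, and the ICMPv6 types without which an IPv6 host cannot function). The function name, the mode names and the particular set of admitted ICMPv6 types are this example's own choices; the match and target names are the ones ip6tables itself accepts.

```shell
#!/bin/sh
# Added example (not from the thread): print an ip6tables-restore ruleset.
#   gen_ip6_ruleset lockdown   drop everything; chain-policy form of
#                              "ip6tables -A INPUT/OUTPUT/FORWARD -j DROP"
#   gen_ip6_ruleset minimal    default-DROP, but keep what an IPv6 host
#                              cannot work without
# Mode names and the ICMPv6 selection are this example's own choices.
gen_ip6_ruleset() {
    mode="${1:-minimal}"
    case "$mode" in
        lockdown|minimal) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    if [ "$mode" = "minimal" ]; then
        # Loopback, and anything belonging to a connection already accepted.
        echo '-A INPUT -i lo -j ACCEPT'
        echo '-A OUTPUT -o lo -j ACCEPT'
        echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
        echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
        # ICMPv6 error signalling. Dropping packet-too-big breaks path-MTU
        # discovery, and IPv6 routers never fragment on a host's behalf.
        for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
            echo "-A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
            echo "-A OUTPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
        done
        # Neighbour discovery (the IPv6 replacement for ARP). RFC 4861 requires
        # hop limit 255 on these, and a forwarded packet can never arrive with
        # 255, so the hl match keeps off-link senders out.
        for t in router-solicitation router-advertisement neighbour-solicitation neighbour-advertisement; do
            echo "-A INPUT -p icmpv6 --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
            echo "-A OUTPUT -p icmpv6 --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
        done
        # The host may open connections outward; nothing new comes inward.
        echo '-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT'
    fi
    echo 'COMMIT'
}

# Usage (as root):  gen_ip6_ruleset minimal | ip6tables-restore
# Parse-only check: gen_ip6_ruleset minimal | ip6tables-restore --test
```

Everything a service should answer on over IPv6 still has to be added as an explicit `-A INPUT -p tcp --dport ... -j ACCEPT` line, exactly as it would be for iptables; the point of the `minimal` mode is only that the rules Alex calls "safe, but not working" become safe and working.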
 
Old 06-27-2012, 01:11 PM
Kevin Chadwick
 
ipv6 on by default for hardened profile

> Those who have IPv6 enabled in the kernel unintentionally probably
> aren't very security minded and probably aren't using Hardened.
> They're moot. We cannot help reckless individuals.

Funny how you call most of the population reckless but I guess you mean
in the context of hardened and it's probably true in terms of
computer security.

I dug out that presentation.

http://www.hackingipv6networks.com/past-trainings/hip2011-hacking-ipv6-networks.pdf

--
Why not do something good every day and install BOINC.
 
Old 06-27-2012, 02:57 PM
Michael Orlitzky
 
ipv6 on by default for hardened profile

On 06/26/12 20:42, Francisco Blas Izquierdo Riera (klondike) wrote:
> On 26/06/12 07:43, Michael Orlitzky wrote:
>> It's easy enough to set USE="-ipv6" manually of course, but the same
>> argument works for USE="ipv6". So, I think the default should be what
>> most people want; i.e. what the fewest people will have to override. Do
>> most hardened machines use ipv6?
> This here is a nice fallacy, it is called Argumentum ad Populum and
> doesn't stand. Why? Because this is about having a usable system.
> If you disable ipv6 on the profiles, users on ipv6 only systems can't
> then use the stages since they need to fetch system to rebuild the
> packages and for that they need ipv6. So, since from a functionality
> point of view enabling it won't leave an unusable system after
> unpacking the stage to users of either ipv4 or dual stack systems the
> USE will be on.

I'm not using "most people..." to support my argument; "most people
don't use ipv6" *is* my argument, so it's hardly a fallacy. The defaults
should be what cause the least amount of pain to the fewest people.

Anyway, I think I missed this earlier, and it makes the point moot: if
the hardened stages *must* be built with the default USE flags, then
ipv6 should be on. If they must, I think that's probably not ideal but
orthogonal to the current discussion.
 
Old 06-27-2012, 04:42 PM
"Francisco Blas Izquierdo Riera (klondike)"
 
ipv6 on by default for hardened profile

On 27/06/12 09:19, Alex Efros wrote:
> Safe, but don't working. Do you enable ipv6 USE flag just to force people
> to either disable unintentionally enabled IPv6 in kernel and/or add this
> ip6tables configuration?
No, we do it because otherwise the stage3 is unusable on ipv6 only
environments and because people can still manually disable it.
> I suppose you enable ipv6 USE flag to make it
> easier for people to start using IPv6. But to use IPv6 these ip6tables
> rules doesn't helps - we really need docs how to setup IPv6 firewall in
> secure way, written by people who not just read IPv6 RFCs, but understood
> all security implications of IPv6-specific features. Last time I tried to
> google for such docs was few years ago, but I found nothing at all.
I couldn't indeed find a good firewall document for ipv4 so...
 
Old 06-28-2012, 01:43 PM
David Sommerseth
 
ipv6 on by default for hardened profile

On 26/06/12 05:03, Alex Efros wrote:
> If I'm right (about creating new security holes because of enabling ipv6
> USE flag) then it may be bad idea to enable it by default until we'll be
> sure admin is ready for this (for example, we may check is IPv6 enabled in
> kernel and is there exists IPv6 firewall rules).

Yes, you are right. Enabling IPv6 is the same as enabling a completely
new protocol. Configuration, routing and firewalls need to be set up.

But there is an easy way to "opt-out" which could easily be described.
If the default kernel config builds IPv6 support as a module, you can
easily do 'modprobe -r ipv6' and you don't have IPv6 enabled on a
running kernel. This can also be added to the modprobe blacklist as
well, so it's not loaded upon boot. Or for those configuring their own
kernels, disabling the IPv6 module can be another alternative. These
alternatives can easily be documented, IMHO.


kind regards,

David Sommerseth
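Alex suggested earlier that a check for "is IPv6 enabled in the kernel, and do IPv6 firewall rules exist" would be a reasonable gate, and David's opt-out (unloading or blacklisting the ipv6 module) is exactly what such a check would confirm. The script below is an added example, not from the thread or from Gentoo: it answers both questions from `/proc` and from an `ip6tables-save` dump, without needing the kernel to be touched. The `ROOT` prefix argument is a hypothetical knob of this example so the functions can be exercised against a constructed fake `/proc` tree; on a real host the functions are called with no argument.

```shell
#!/bin/sh
# Added example (not from the thread): is IPv6 live on this host, and is
# there an ip6tables policy for it? ROOT (first argument, default empty)
# is a hypothetical prefix so the checks can run against a fake /proc tree.

# The ipv6 protocol family creates /proc/net/if_inet6 when it comes up,
# whether built in or loaded as a module, so its presence is the test.
ipv6_in_kernel() {
    root="${1:-}"
    [ -e "$root/proc/net/if_inet6" ]
}

# Was the stack switched off with net.ipv6.conf.all.disable_ipv6=1?
# (This is the opt-out for kernels where ipv6 is built in, not a module.)
ipv6_disabled_sysctl() {
    root="${1:-}"
    f="$root/proc/sys/net/ipv6/conf/all/disable_ipv6"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Count globally scoped addresses in if_inet6. Each line reads:
#   <addr hex> <ifindex> <prefixlen> <scope> <flags> <ifname>
# scope 00 is global, 10 is host (loopback), 20 is link-local.
ipv6_global_addr_count() {
    root="${1:-}"
    f="$root/proc/net/if_inet6"
    [ -r "$f" ] || { echo 0; return; }
    awk '$4 == "00" { n++ } END { print n + 0 }' "$f"
}

# One-word verdict: off | on-no-global | on-global-addrs:<n>
# "on-no-global" is the state Alex describes: reachable the moment the
# ISP hands out a prefix, even though nothing was configured on purpose.
ipv6_exposure() {
    root="${1:-}"
    if ! ipv6_in_kernel "$root" || ipv6_disabled_sysctl "$root"; then
        echo off
    else
        n=$(ipv6_global_addr_count "$root")
        if [ "$n" = "0" ]; then echo on-no-global; else echo "on-global-addrs:$n"; fi
    fi
}

# Read an ip6tables-save dump (file, or '-' for stdin) and print the filter
# table's INPUT policy, or "none" when the dump has no filter table, which
# is what an ip6tables with no rules at all produces.
ip6_input_policy() {
    awk '/^\*/ { t = substr($1, 2) }
         t == "filter" && $1 == ":INPUT" { print $2; found = 1; exit }
         END { if (!found) print "none" }' "${1:--}"
}

# Report on the real host; ip6tables-save needs root, so that part is optional.
report_host() {
    echo "ipv6 stack: $(ipv6_exposure)"
    if [ "$(id -u)" = "0" ] && command -v ip6tables-save >/dev/null 2>&1; then
        echo "ip6tables INPUT policy: $(ip6tables-save | ip6_input_policy -)"
    else
        echo "ip6tables INPUT policy: (run as root to check)"
    fi
}

# Usage: sh ipv6_check.sh --report
if [ "${1:-}" = "--report" ]; then report_host; fi
```

A verdict of `on-no-global` together with an INPUT policy of `none` or `ACCEPT` is the combination the thread is worried about. Note that `modprobe -r ipv6` refuses to unload the module while anything still references it, so on a running system the sysctl `disable_ipv6=1` is the opt-out that works regardless of how the stack was built, and the blacklist entry David mentions is what keeps it from coming back at boot.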
 
