From: Michael Mol <mikemol@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [Bulk] Re: [gentoo-user] /etc/hosts include file?
Date: Fri, 08 Mar 2013 22:21:01 -0500 [thread overview]
Message-ID: <513AAA9D.60806@gmail.com> (raw)
In-Reply-To: <572473.5465.bm@smtp177.mail.ir2.yahoo.com>
[-- Attachment #1: Type: text/plain, Size: 14781 bytes --]
On 03/08/2013 07:45 PM, Kevin Chadwick wrote:
>>> What would have been best, could have been done years ago and
>>> not cost lots of money and even more in security breaches and
>>> what I meant by ipv5 and would still be better to switch to even
>>> today with everyone being happy to switch to it is simply ipv4
>>> with more bits for address space.
>>
>> This should be FAQ entry zero for the IPV6 FAQ... *NO* you can
>> *NOT* add more bits to IPV4, and still have it backwards
>> compatable. It won't work... period... end of story. Every piece
>> of hardware and software that deals with IPV4 has the concept of 32
>> bits *HARD-CODED* into it. Switching over to IPV4-extended would be
>> just as painfull as switching over to IPV6.
>
> No it would not, the headers would be different. All the hardware
> would have already updated because there would be no bad sides and
> it would have been released something like 15 years ago. But lets
> not discuss them as we would be here for an eternity and there are
> already whole websites dedicated to just that.
I don't know, you just dropped the 2-3 most trollish anti-IPv6 posts
I've ever seen.
>
> I re-iterate it would be worth hardware not being backwards
> compatible again to go to ipv4 with large address space today.
"IPv4 with large address space" would have taken just as long to deploy;
it's the hardware support that's held us back the most.
>
> http://www.hackingipv6networks.com/past-trainings/hip2011-hacking-ipv6-networks.pdf
>
> That's just on security. There's a whole bad side to it's
> functionality too.
>
Let's discuss security. I'll walk through the slide deck.
"We have much less experience with IPv6 than with IPv4"
That's a meaningless statement...
"IPv6 implementations are much less mature than their IPv4 counterparts."
Only in hardware Software has been much better. Windows has had full
IPv6 support since Vista. Linux has
had full IPv6 support for a few years, including IPSec. The software
implementations are written...the stuff that's still arriving is
feature-add.
Offload engines and managed switches haven't switched over because
clients were more interested in putting off a transition (the same
transition you'd have to go through for IPv4 with extended address
space) than paying for the upgrades. This would have happened with any
IPv4 replacement.
"Security products (firewalls, NIDS, etc.) have less support for IPv6
than for
IPv4"
Dedicated commercial products, yes. General-purpose products? Like I
said, Windows Vista made IPv6 a first-class protocol, including firewall
support. Linux's implementation is a bit quirky. I don't care for the
separation between iptables and ip6tables; I think people tend to write
an iptables script and forget to set up a firewall of any kind for IPv6.
Most of the builder tools (i.e. fwbuilder), require seperate setup
between the two, too.
That's why I use sanewall (formerly firehol); defined rules apply to
both IPv4 and IPv6.
"The complexity of the resulting network will greatly increase during
the transition/co-existence period:"
Yes, and that would apply to any transition period.
"Lack of trained human resources"
That's why people like me go out and do training sessions. (I'll be at
Penguicon again this year, if anyone else was thinking about going...)
That's why Hurricane Electric offers free online certification programs.
Regarding flow labels:
"Currently unused by many stacks – others use it improperly"
Honestly, I don't know about this. It's not something most people will
need to work with.
"Might be leveraged to perform “dumb” (stealth) address scans"
I don't understand the relevance; you get the same information by
observing the packet flow without the flow label.
"Might be leveraged to perform Denial of Service attacks"
So might absolutely anything.
Regarding hop limit:
"Could be leveraged for Detecting the Operating System of a remote node"
So can IPv4's TTL, which it's analogous to.
"Could be leveraged for Fingerprinting a remote physical device"
So can IPv4's TTL, which it's analogous to.
"Could be leveraged for Locating a node in the network topology"
tcptraceroute does this with IPv4 TTLs. And traceroute has been doing
this with IPV4's ICMP echo for decades.
"Could be leveraged for Evading Network Intrusion Detection Systems (NIDS)"
Just like IPv4 TTL.
"Could be leveraged for Reducing the attack exposure of some
hosts/applications"
Not sure what's being said here, but we're talking about a feature
directly analogous to IPv4 TTL.
(skipping the remainder of the section, as there's nothing in there
that's bad that's unique to IPv6)
(skipping the next several sections, as they're just general technical
training material, and don't discuss security implications)
Re Fragmentation security implications that are different from IPv4:
"The Identification field is much larger: chances of “IP ID collisions”
are reduced"
Good thing.
"Note: Overlapping fragments have been recently forbidden (RFC 5722) –
but they are still allowed by many Oses"
This will improve.
"IPv6 Idle scan"
Noted as being applicable to IPv4.
(skipping some general technical material aimed at sysadmin use for
securing their systems)
(skipping description of IPv6 headers; basic technical information)
(skipping suggested countermeasures for theorized attacks)
"IPv6 can be easily leveraged for evading firewalls."
Not if the firewall is set up properly to begin with. Part of that is
described in the preceding 'countermeasures' section. Most of the
remainder is leveraging the same source, dest, port and state data
that's known in IPv4. Finally, use IPSec if possible. (Right now, IPSec
is largely useful as a VPN technique natively supported by by layer 3)
"Most likely, firewalls will block packets with extension headersEs muy
probable que se haga común el filtrado (en firewalls) de paquetes que
contengan en encabezados de extensión"
Not really; firewalls will continue to be based on known factors, and
most of the interesting known factors are in the first header, not the
extension headers.
"The result will be: less flexibility, possibly preventing any use of
IPv6 exntesion headers"
Extension headers will be used where appropriate.
(skip more benign material)
"Some ICMPv6 messages are assumed to indicate “hard errors”. Some stacks
used to abort TCP connections when hard errors were
received. BSD-derived and Linux implementations don’t--Good!"
I believe Windows's stack is based on BSD. I don't know of any stacks
which do. (None are listed, either)
(skip portion which notes straightforward solutions)
(skip benign material)
Re ICMPv6 Echo Request/Echo response
"Also usually exploited for network reconnaissance"
A.K.A. 'traceroute', a known entity in IPv4.
(skip benign material)
Re Node Information Query/Response
"My take: unless you really need your nodes to support Node Information
messages, disable it (i.e., “sysctl –w net.inet6.icmp6.nodeinfo=0)."
Or even firewall it off at your network edge, like you would any
unblessed, unsolicited inbound traffic.
(skip benign material)
Re Address Resolution Games
"Neighbor Cache Poisoning attacks – the v6 version of V4’s ARP cache
poisoning"
Says it for me...same as IPv4's ARP poisoning. (Incidentally, this is
the attack bandied about the most by people arguing that IPv6 is insecure)
"Advertising “special” link-layer addresses, e.g.,"
That's probably a bug in the implementation. It will be fixed.
"Some implementations (FreeBSD, NetBSD) don’t enforce limits on the
number of entries that can be created in the Neighbor Cache"
Certainly that will change soon.
(Skipping MitM and DoS discussion, as it's analogous to IPv4's ARP
poisoning)
"Not much support in layer-2 security boxes to mitigate these attacks"
This is improving. It hadn't shown up yet because commercial purchasers
had been dragging their feet in demanding their vendors support IPv6 in
the first place.
(skip more benign material)
"Disable an Existing Router"
Depends on the attacker being on the local network, and is what RAGuard
is for.
"Exploit DAD for Denial of Service"
This is the first interesting attack I've seen mentioned in the slide
deck (and I'm on slide 109 out of 167, getting to it).
I don't think there's a way to mitigate against it, except to prevent
the attacker from getting on layer 2 network in the first place.
(Entirely doable with things like 802.1x.)
"Advertise Malicious Network Parameters"
Again, what RAGuard is for.
Re Autoconf Addresses & Privacy
"There were concerns that autoconf addresses hurt privacy, as they could
be used to correlate network activity"
Not all that interesting, actually. That kind of correlating activity is
happening more effectively with DPI and HTTP request headers, and *that*
sees through NAT, privacy addresses and proxy servers.
When people express concerns about autoconf addresses to me, I tell them
that if they're that worried about it, they need to already be using
source-obfuscating techniques like the Tor network.
(skip benign material)
"The use of a single “Destination Options” header is enough to evade
most implementations of RA-Guard."
Sadly, that's on the hardware vendors again. Hopefully, the
commercial-grade vendors will get their crap patched. There's no reason
(that I know of) for an RA-Guard implementation to need to inspect the
destination options header.
"This technique can also be exploited to circumvent Neighbor Discover
monitoring tools such as NDPMon"
I don't know so much about this attack, honestly.
Re DHCPv6
"It can be exploited in a similar way to Router Advertisement messages."
And protected in the same way.
Re MLD
"Potential issues: If a MLD-snooping switch is employed, MLD could be
exploited for Denial of Service attacks."
Largely the same class of attacks as if the attacker is on the local
segment. Enable MLD snooping if and only if you're willing to expand
your attack surface in that way. That's not a difficult question; it's
similar to asking whether you want to use a wireless bridge to a wired
network, or if you want to use a router instead.
Re IPSec
"IPsec support is currentlymantatory for IPv6 implementations – the IETF
is changing this requirement to “optional” thus acknowledging reality."
I have yet to encounter a widely-used IPv6 stack that does not support
IPSec. *BSD, Linux and Windows all support it. The idea of it being
"optional" is irrelevant to the question of whether it's available for
use by servers and desktop machines.
"Also, many IPv4 implementations support IPsec, while many IPv6
implementations do not."
As I said, I have yet to encounter a widely-used IPv6 stack that doesn't
support IPSec. Actually, I haven't encountered *any* IPv6 stack that
doesn't support IPSec. I imagine the ones that don't are in things like
voip phones.
"Most of the key problems (e.g., PKI) for IPsec deployment in IPv4 apply
to IPv6, as well."
This is true, if you want to use PKI for IPSec deployment. If you're
setting up static relationships between campus endpoints, it's not so
big a deal.
"There is no reason to believe that IPv6 will result in an increased use
of IPsec."
Bull. The biggest barrier to IPsec use has been NAT! If an intermediate
router has to rewrite the packet to change the apparent source and/or
destination addresses, then the cryptographic signature will show it,
and the packet will be correctly identified as having been tampered with!
With IPsec, NAT is unnecessary. (You can still use it if you need
it...but please try to avoid it!)
Re "DNS support for IPv6"
"Increased size of DNS responses due to larger addresses might be
exploited for DDos attacks"
That's not even significant. Have you looked at the size of DNS
responses? The increased size of the address pales in comparison to the
amount of other data already stuffed into the packet.
Re "IPv6 Transition Co-Existence Technologies"
"Original transition plan: deploy IPv6 before we ran out of IPv4
addresses, and eventually turn off IPv4 when no longer needed – it
didn’t happen"
That's correct; the IPv6 deployment didn't happen when it should have.
Instead, a ton of coping mechanisms for a shrinking address pool came
around. NAT is the big one. If IPv6 had been deployed early on, people
wouldn't think of "one IP address per customer" as the norm...and they
shouldn't have to.
"An attacker can connect to an IPv4-only network, and forge IPv6 Router
Advertisement messages. (*)"
Again, this depends on them being on the same layer 2 network segment.
The same class of attacks would be possible for any IPv4 successor that
implemented either RAs or DHCP.
(Yes, you will want to deploy the countermeasures described)
(skipping more benign material)
Re ISATAP
"An attacker could forge name resolution responses to--"
Secure your DNS.
"This could be used in conjunction with other attacks (e.g. forging DNS
responses such that--"
Secure your DNS.
Re Problems with 6to4
Actually, I'm going to skip most of this and simply acknowledge it: Yes.
6to4 sucks. It's terrible and horrible. *Everyone* of low-to-moderate
knowledge in IPv6 knows it. Use 6rd instead if you need that kind of
tunnel; at least you'll know who to yell at if it breaks.
Re Security Implications of Teredo:
Yes, Teredo sucks, too. Disable it.
Re 'Translation'
(pardon the US-centric view, here) All major ISPs have deployed (or are
in the process of deploying) native IPv6. Mobile carriers have deployed
IPv6. Tunnels will be largely unnecessary. NAT will remain, but it will
be more prevalent in IPv4 than in IPv6.
Re 'Exploiting Transition Technologies'
"Some systems (notably Windows) have support of trnasition technologies
enabled by default."
Yes. Disable Teredo. I'm not aware any other distro that enables a
tunneling protocol by default.
(skip benign material.)
Re Application-layer protocols
"A number of applications may leak IPv6 addresses: E-mail headers, P2P
applications"
As far as email headers, that's just as in IPv4. You can examine some
folks' IPv4 RFC1918 topology by their email headers today, so don't tell
me IPv6 brings much new to the table.
As for P2P applications, this is actually a good thing; P2P applications
can use what they learn for more efficient peer association.
(skip the rest, as it's benign)
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 555 bytes --]
next prev parent reply other threads:[~2013-03-09 3:21 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-07 22:24 [gentoo-user] /etc/hosts include file? Alan McKinnon
2013-03-07 23:50 ` Michael Mol
2013-03-08 0:29 ` Michael Mol
2013-03-08 8:32 ` Alan McKinnon
2013-03-08 13:40 ` Michael Mol
2013-03-08 13:54 ` Alan McKinnon
2013-03-08 19:50 ` [Bulk] " Kevin Chadwick
2013-03-08 19:55 ` Michael Mol
2013-03-08 21:49 ` Kevin Chadwick
2013-03-08 22:36 ` Pandu Poluan
2013-03-09 0:50 ` Kevin Chadwick
2013-03-09 3:27 ` Michael Mol
2013-03-09 12:53 ` Kevin Chadwick
2013-03-10 21:28 ` Michael Mol
2013-03-11 23:09 ` Kevin Chadwick
2013-03-12 5:05 ` Michael Mol
2013-03-09 0:13 ` Walter Dnes
2013-03-09 0:41 ` Michael Mol
2013-03-10 1:42 ` Walter Dnes
2013-03-10 4:59 ` Michael Orlitzky
2013-03-10 21:09 ` Michael Mol
2013-03-10 5:19 ` Alan McKinnon
2013-03-10 21:07 ` Michael Mol
2013-03-10 21:43 ` Alan McKinnon
2013-03-10 22:02 ` Michael Mol
2013-03-11 4:00 ` Walter Dnes
2013-03-11 4:37 ` Michael Mol
2013-03-11 8:22 ` Alan McKinnon
2013-03-11 22:45 ` Walter Dnes
2013-03-11 23:39 ` Kevin Chadwick
2013-03-12 3:58 ` Walter Dnes
2013-03-12 0:25 ` Alan McKinnon
2013-03-12 2:02 ` Michael Mol
2013-03-12 11:29 ` Alan McKinnon
2013-03-13 0:26 ` [Bulk] " Kevin Chadwick
2013-03-11 23:31 ` Kevin Chadwick
2013-03-12 0:37 ` Alan McKinnon
2013-03-09 0:45 ` Kevin Chadwick
2013-03-09 3:21 ` Michael Mol [this message]
2013-03-09 12:53 ` Kevin Chadwick
2013-03-10 22:00 ` Michael Mol
2013-03-11 1:56 ` Michael Orlitzky
2013-03-11 2:33 ` Michael Mol
2013-03-11 22:34 ` Kevin Chadwick
2013-03-12 3:36 ` Michael Mol
2013-03-08 15:39 ` Florian Philipp
2013-03-08 4:30 ` Pandu Poluan
2013-03-08 8:23 ` Alan McKinnon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=513AAA9D.60806@gmail.com \
--to=mikemol@gmail.com \
--cc=gentoo-user@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox