World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 9:57 UTC (Fri) by jengelh (subscriber, #33263)
In reply to: World IPv6 Launch: this time it's for real (ars technica) by paravoid
Parent article: World IPv6 Launch: this time it's for real (ars technica)

Just use this patch and push it with all your might to the maintainers, and you get the secure-by-default variant.

diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index c9e37c8..7915be9 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -43,8 +43,7 @@ ip6table_filter_hook(unsigned int hook, struct sk_buff *skb,
 
 static struct nf_hook_ops *filter_ops __read_mostly;
 
-/* Default to forward because I got too much mail already. */
-static int forward = NF_ACCEPT;
+static int forward = NF_DROP;
 module_param(forward, bool, 0000);
 
 static int __net_init ip6table_filter_net_init(struct net *net)
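Review bot: the hunk deletes the comment explaining the default and puts nothing in its place, so the new `NF_DROP` default is unexplained in the source; a default change that stops forwarding on every existing router until `forward=1` is passed needs a comment saying exactly that, plus a changelog entry, or the mailbox the old comment jokes about fills up again. While the declaration is being rewritten, the type mismatch it leaves in place should go too: `static int forward = NF_DROP;` is registered with `module_param(forward, bool, 0000);`, so either declare the variable `bool` or register it as `int`. Note also that this parameter only selects the FORWARD chain's built-in verdict, which is NF_ACCEPT or NF_DROP and never REJECT; a default that stays diagnosable (a REJECT rather than a silent DROP) cannot be had from this knob and must be a rule installed from userspace.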


World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 11:52 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)

Please no.

Trying to secure things by ineptly closing off local networks should immediately cause one to be barred from using any computers for at least 20 years. This model is fundamentally flawed in the modern world. 10 years ago it was fine, since most organizations had just a few connections to the outside world that could be easily monitored.

Not anymore.

Now most people have wireless (hey, do you know that your guest's laptop has a virus?), 3G phones that can connect both to local WiFi and the 3G network, drive-by browser/PDF/whatever exploits and so on. Attempting to secure a network by forbidding incoming packet forwarding is worse than useless because it gives a false sense of security.

What should be done instead?

I have no idea. We need to make _each_ device reasonably secure when exposed to the Internet (because they already are, really). And that in itself is a complex task.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 20, 2012 20:39 UTC (Fri) by raven667 (subscriber, #5198)

That's pretty much already done for desktop systems, although less so for appliances and other network devices. Every major desktop OS has a built-in packet filter firewall enabled by default and should be pretty safe to plug into the wild IPv6 Internet without any additional firewalling IMHO. In addition, IPv6 networks are much harder to scan remotely because the subnets are essentially infinitely large; of course a local device can easily inventory other local devices using the Neighbor Discovery Protocol. A better way to scan would probably be to break into web servers and pull addresses out of the log files rather than going in blind, and even then the use of Privacy Addresses makes that info much less useful.

The big security vulnerability of modern desktop OSs is the client applications: the web browser, image and video viewers, etc. Packet filters have no effect on those kinds of security threats.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 21, 2012 7:51 UTC (Sat) by Cyberax (✭ supporter ✭, #52523)

>That's pretty much already done for desktop systems although less-so for appliances and other network devices. Every major desktop OS has a built-in packet filter firewall enabled by default and should be pretty safe to plug into the wild IPv6 Internet without any additional firewalling IMHO.

That's a very small piece of the required functionality. For example, a lot of home routers have easy passwords like "admin" by default. It should be fine since the management interface is not exposed on WAN ports, right?

Well, wrong. There's at least one worm that tries to log in to D-Link routers and hijack the DNS server settings. And as home routers get more powerful it's quite easy to conceive of them making man-in-the-middle attacks on SSL or spying on network printing protocols.

Then there's an issue of updates. There's no infrastructure for centralized updates of things like network printers and routers.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 22, 2012 17:03 UTC (Sun) by raven667 (subscriber, #5198)

In all honesty there will probably be a lot of bad equipment out there that does stupid stuff, especially with a whole new Internet Protocol to make mistakes with, but these problems aren't unsolvable. For example IPv6 has link-local networking support, which is already used in home gear because it's more robust than trying to do IPv4 link-local networking. Only binding the admin interface or service on the link-local network address unless specifically configured otherwise could take a lot of the pain out of home devices like routers and printers. In any event, worms trying to take over home routers, whether they do that via internet-exposed admin interfaces or by bouncing through a local machine via browser exploits, are somewhat unrelated to the actual protocol used. Actually a lot of the precautions necessary on the IPv4 internet might have a lower benefit-to-cost ratio in IPv6 just because the address space is so large, making scanning unfeasible and making security-by-obscurity a more viable strategy.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 23, 2012 15:10 UTC (Mon) by drag (subscriber, #31333)

You need IPv6 link local for Windows 7 to do home networking.

It's a hard requirement. If you disable the IPv6 protocol in modern Windows systems it fundamentally breaks stuff.

You do NOT need IPv6 support in your ISP or your network equipment to have IPv6 access to the internet, also.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 26, 2012 16:01 UTC (Thu) by dwmw2 (subscriber, #2063)

I agree with all that you say, but you should have called attention to the fact that there is a *particularly* hot spot in Hell reserved for those who DROP instead of REJECT. That's *undiagnosable* gratuitous network breakage, rather than just gratuitous network breakage.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 26, 2012 20:48 UTC (Thu) by dlang (✭ supporter ✭, #313)

REJECT has its own problems, namely that forged-source packets sent to you will cause your rejection to go to the forged IP. So by doing a REJECT instead of a DROP, you allow yourself to be used as part of a DDOS attack (never mind the extra bandwidth and processing power it eats up to do the REJECT instead of a DROP).

Security best practice is to do DROP instead of REJECT, both for this reason and also BECAUSE it gives no feedback to the attacker, so they can't easily tell what's going on.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 26, 2012 21:09 UTC (Thu) by raven667 (subscriber, #5198)

How much of an amplification is a REJECT compared to the incoming traffic anyway? ICMP dest-unreach is pretty small... In any event, for many security admins, the usability failure of DROP over REJECT is worse than any security risk of using REJECT instead of DROP. I've certainly made that conclusion myself.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 26, 2012 21:40 UTC (Thu) by dlang (✭ supporter ✭, #313)

It's not an amplification of the attacker, but it does spread the inbound traffic so that the target has a harder time blocking it.

I tend to agree with you on the visibility issue, but I think it's a close call, with different answers for different people, and nowhere close to "there's a special place in hell reserved" for people who do this.

World IPv6 Launch: this time it's for real (ars technica)

Posted Jan 27, 2012 9:39 UTC (Fri) by ekj (guest, #1524)

Well, when you REJECT, you risk becoming a DDOS mirror: someone will bounce their attack off you, which makes it hard for the victim to block.

My firewall will REJECT the first 100 disallowed packets coming from a given IP, but do it 101+ times and all your packets that'd otherwise cause a REJECT will cause a DROP instead. (It's a leaky bucket of size 100 that leaks 1/minute.)
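The rate-limited REJECT that ekj describes, together with dlang's spoofed-source concern and raven667's earlier suggestion of an admin interface reachable only over link-local addresses, as an added ip6tables example. This is not code from the thread or from any of the posters. It assumes a router whose LAN interface is named `lan0`, an admin HTTPS service on port 443 and SSH on port 22; the bucket size of 100 and the refill rate of one REJECT per minute are ekj's numbers, and everything else (interface name, ports, table expiry, the /64 grouping) is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread.  IPv6 INPUT policy for a host or router:
#   - the first REJECT_BURST disallowed packets from each source /64 get an
#     ICMPv6 port-unreachable, so misconfigurations stay diagnosable,
#   - once that per-source bucket is empty the packets are silently DROPped
#     (the bucket refills at REJECT_REFILL), so a flood with forged sources
#     gets at most REJECT_BURST reflected packets per forged prefix,
#   - the admin interface is reachable only from link-local sources on LAN_IF.
# Interface name, ports and bucket parameters are assumptions.
set -eu

IP6TABLES="${IP6TABLES:-ip6tables}"         # set IP6TABLES=echo for a dry run
LAN_IF="${LAN_IF:-lan0}"                    # assumed LAN interface name
REJECT_BURST="${REJECT_BURST:-100}"         # bucket size (ekj's 100)
REJECT_REFILL="${REJECT_REFILL:-1/minute}"  # bucket leak rate (ekj's 1/minute)

apply_rules() {
    "$IP6TABLES" -P INPUT DROP
    "$IP6TABLES" -F INPUT

    # Loopback and replies to connections we opened ourselves.
    "$IP6TABLES" -A INPUT -i lo -j ACCEPT
    "$IP6TABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # IPv6 does not work without ICMPv6: Neighbor Discovery, router discovery
    # and Packet Too Big (PMTU) must get past a default-DROP policy, or the
    # host silently stops talking to its own link.
    for t in destination-unreachable packet-too-big time-exceeded \
             parameter-problem echo-request \
             router-solicitation router-advertisement \
             neighbour-solicitation neighbour-advertisement; do
        "$IP6TABLES" -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
    done

    # Public service: SSH.
    "$IP6TABLES" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # Admin interface: only from link-local (fe80::/10) sources arriving on the
    # LAN interface, i.e. from a device on the same link.  This is the packet
    # filter version of "bind the admin service to the link-local address".
    "$IP6TABLES" -A INPUT -i "$LAN_IF" -s fe80::/10 -p tcp --dport 443 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Everything else: REJECT while the source's bucket has tokens, DROP after.
    # hashlimit keys on the source /64 so a host cannot refill its budget by
    # rotating privacy addresses inside its own prefix; an idle entry is
    # forgotten after 100 minutes, the time a drained bucket needs to refill.
    "$IP6TABLES" -A INPUT -m hashlimit --hashlimit-name reject-budget \
        --hashlimit-mode srcip --hashlimit-srcmask 64 \
        --hashlimit-upto "$REJECT_REFILL" --hashlimit-burst "$REJECT_BURST" \
        --hashlimit-htable-expire 6000000 \
        -j REJECT --reject-with icmp6-port-unreachable
    "$IP6TABLES" -A INPUT -j DROP
}

# Print the rules instead of installing them.
show_rules() {
    IP6TABLES=echo apply_rules
}

case "${1-}" in
    apply) apply_rules ;;
    show)  show_rules ;;
esac
```

Run it as `sh ipv6-reject-budget.sh show` to see the rules and `sh ipv6-reject-budget.sh apply` as root to install them. The order matters: the REJECT rule has to sit after every ACCEPT and immediately before the final DROP, because hashlimit only counts packets that reach it, and the ICMPv6 accepts have to precede the default-deny or Neighbor Discovery breaks in exactly the undiagnosable way dwmw2 describes. The reflection dlang mentions is bounded rather than eliminated: each forged /64 still earns REJECT_BURST replies, so keep the burst small and cap the table with `--hashlimit-htable-max` if memory on the box is tight.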

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds