[ARMedslack] IPv6 Default behaviour

dowelld at netscape.net dowelld at netscape.net
Thu Jun 27 08:37:08 UTC 2013


 

 

-----Original Message-----
From: Robby Workman <robby at rlworkman.net>
To: armedslack <armedslack at lists.armedslack.org>
Sent: Thu, Jun 27, 2013 2:05 am
Subject: Re: [ARMedslack] IPv6 Default behaviour


On Wed, 26 Jun 2013 20:34:39 -0400 (EDT)
dowelld at netscape.net wrote:

> Has anyone got any idea about how to turn off the default behaviour of
> having every interface automatically assigned an IPv6 address when it
> comes up?
> 
> So far I've hunted around and around the interwebs, and pushed "0"
> into all sorts of files in /proc/sys/net/ipv6/conf/*/* all to no
> avail. The moment I bring an interface up an inet6 LLA address is
> automatically assigned to it.
> 
> I'm starting to wonder if Linux is an OS I really want to have
> anywhere near a computer of mine when it seems the designers of it
> decided it'd be a good idea to (by default) automatically open up a
> connectable address on every single network interface, of every
> single device, without any consideration for whether an interface was
> protected or not.
> 
> I mean I've seen many utterly ridiculous decisions in my time in this
> industry, but I never thought I'd see one which left nearly every
> single linux system (all those where ip6tables hasn't been explicitly
> invoked anyway) vulnerable to attack (even if only from another
> system on the local network). Utter madness, with seemingly no way to
> disable it.
> 
> Any ideas/suggestions welcomed.


If they're just link local addresses, they're not connectable at 
all from outside.  Re the decisions, it's not linux - it's how 
ipv6 works:  http://www.openwall.com/presentations/IPv6/

-RW

Hi Robby,

Sorry, I'm not reassured to know that my systems are only being placed at risk by default on the local link.

If Microsoft did this with Windows everyone would point out how stupid they were to automatically make an interface addressable without protecting it behind a firewall.

I'm afraid it is linux, it's no different to the linux kernel automatically assigning an IPv4 address to every interface which has a connected cable. It could have been implemented that way, but it wasn't.


Thanks
Dave
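
An added example, not part of the original thread: a shell audit that lists which interfaces currently carry an IPv6 link-local address (scope `20` in `/proc/net/if_inet6`) next to the `disable_ipv6` value from the `/proc/sys/net/ipv6/conf/` tree mentioned in the question. The function names and the `PROC_ROOT` override are hypothetical, introduced so the check can also be run against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the thread): report IPv6 link-local addresses per
# interface together with that interface's disable_ipv6 sysctl value.
# PROC_ROOT is a hypothetical override; on a live system it defaults to /proc.

# Print "iface address" for every link-local entry in if_inet6.
# Columns: address(32 hex) ifindex prefixlen scope flags name; scope 20 = link.
list_lla() {
    root=${1:-${PROC_ROOT:-/proc}}
    [ -r "$root/net/if_inet6" ] || return 0   # IPv6 not loaded: nothing to list
    while read -r addr _idx _plen scope _flags name; do
        [ "$scope" = "20" ] || continue
        # Re-insert a colon after every 4 hex digits for readability.
        pretty=$(printf '%s\n' "$addr" | sed 's/..../&:/g; s/:$//')
        printf '%s %s\n' "$name" "$pretty"
    done < "$root/net/if_inet6"
}

# Print "iface address disable_ipv6=<value>" for each link-local address.
# disable_ipv6=0 next to an address means autoconfiguration is active there.
audit() {
    root=${1:-${PROC_ROOT:-/proc}}
    list_lla "$root" | while read -r name addr; do
        f="$root/sys/net/ipv6/conf/$name/disable_ipv6"
        val=unknown
        [ -r "$f" ] && val=$(cat "$f")
        printf '%s %s disable_ipv6=%s\n' "$name" "$addr" "$val"
    done
}

# Audit the live system (or the tree given as the first argument).
audit "$@"
```

An interface that shows up here with `disable_ipv6=0` is one to cover with an ip6tables policy or to switch off with that interface's `disable_ipv6` sysctl.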


 