[ARMedslack] IPv6 Default behaviour

dowelld at netscape.net dowelld at netscape.net
Thu Jun 27 12:48:11 UTC 2013


They also put the interface they bring up behind a firewall, which prevents access to privileged ports.

The Linux autoconfiguration can't be disabled, at least I can't disable it. So when my appliance starts all the services it provides are open to be attacked until the start up scripts process the ip6tables rules I've written.

I can't remove the autoconfigured address on startup; I've tried that at various points in the startup, and it just gets rejected by the kernel.

Basically any Linux system I start is started with an autoconfigured interface with a unique address which is opened to any other system on the local network. I have no ability to prevent or control that. I can't prevent any other system on the local network from connecting to the Apache server through that interface and attempting to push malware of one form or another into it. I can't prevent some malware from a Windows system attempting to infect any files on fileshares available through that interface; I basically have just lost the ability to secure my systems at start up.

Someone somewhere thought this was a good idea, all I can see are great big gaping security holes.

I can understand the people who wrote IPv6 specs thinking designing their protocol so every computer could find its neighbours, and thus make use of locally available network resources easily, writing it like that. They're not the kind of people who think about writing malware which looks for access to other systems to infect them.

I can't for the life of me understand why anyone who lives/works in the real world, where unadulterated access to systems through unsecured network interfaces has proven time and time again to be a problem, would implement a system which created such unprotected interfaces in their OS.

My only option seems to be to prevent any access to any service through IPv6... some replacement protocol.



Thanks
Dave

-----Original Message-----
From: Geoff Walton <geoff at ohdoughnut.com>
To: Slackware ARM port <armedslack at lists.armedslack.org>
Sent: Thu, Jun 27, 2013 12:34 pm
Subject: Re: [ARMedslack] IPv6 Default behaviour


Microsoft does do this with Windows, if you don't disable ipv6. It's part of the spec.




On Thu, Jun 27, 2013 at 6:08 AM, Ottavio Caruso <ottavio2006-usenet2012 at yahoo.com> wrote:

On 27 June 2013 01:34,  <dowelld at netscape.net> wrote:
> Has anyone got any idea about how to turn off the default behaviour of having
> every interface automatically assigned an IPv6 address when it comes up?


Never tried it myself but have you tried adding "ipv6.disable=1" as
kernel command line parameter?




--
Ottavio

_______________________________________________
ARMedslack mailing list
ARMedslack at lists.armedslack.org
http://lists.armedslack.org/mailman/listinfo/armedslack
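
An added example, not part of the thread: a shell audit that shows which IPv6 addresses an interface holds and which wildcard TCP listeners are reachable on them before any ip6tables rules are loaded. The function names and the sample data are constructed for illustration; on a live host the inputs would be /proc/net/if_inet6 and /proc/net/tcp6.

```shell
#!/bin/sh
# Added example (not from the thread): list which wildcard IPv6 listeners are
# reachable on which interface addresses. Inputs are files in the format
# of /proc/net/if_inet6 and /proc/net/tcp6.

# "dev scope addr/plen" for each non-loopback address.
# if_inet6 columns (hex): addr ifindex prefixlen scope flags dev
v6_addrs() {
    while read -r addr _idx plen scope _flags dev; do
        case "$scope" in
            10) continue ;;              # host scope: loopback
            20) s=link ;;                # link-local, fe80::/10
            00) s=global ;;
            *)  s="scope-$scope" ;;
        esac
        echo "$dev $s $addr/$((0x$plen))"
    done < "$1"
}

# TCP ports in LISTEN (st 0A) bound to the wildcard :: (32 zero digits).
v6_wildcard_ports() {
    while read -r _sl laddr _remote st _rest; do
        [ "$st" = "0A" ] || continue
        [ "${laddr%:*}" = "00000000000000000000000000000000" ] || continue
        echo "$((0x${laddr##*:}))"
    done < "$1" | sort -un
}

# One line per address/port pair that is reachable until a filter is loaded.
v6_exposure() {
    ports=$(v6_wildcard_ports "$2")
    v6_addrs "$1" | while read -r dev s cidr; do
        for p in $ports; do echo "$dev $s $cidr tcp/$p"; done
    done
}

# Constructed sample data (not captured from a real host).
tmp=$(mktemp -d)
cat > "$tmp/if_inet6" <<'EOF'
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021122fffe334455 02 40 20 80     eth0
EOF
cat > "$tmp/tcp6" <<'EOF'
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000000000000:01BD 00000000000000000000000000000000:0000 0A
   2: 00000000000000000000000001000000:0019 00000000000000000000000000000000:0000 0A
EOF
v6_exposure "$tmp/if_inet6" "$tmp/tcp6"
```

Running it from an early startup script and again after the firewall script gives a record of what was listening on the link-local address during the gap between the two.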




