On 27/02/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > On 26/02/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> > wrote:
> >> Van Hauser held a speech at the 22C3 about attacking IPv6.
> >> He also said that even OpenBSD is affected by some of the attacks.
> >>
> >> A working stream can be found here:
> >> mms://streaming.fem.tu-ilmenau.de/ccc/22c3/2005-12-29_-_22c3_-_Saal4_Attacking_the_IPv6_Protocol_Suite/22c3_saal4_2.wmv
> >>
> >> If the link wont work:
> >> http://22c3.fem.tu-ilmenau.de/index.php?action=ondemand
> >>
> >> I just like to know if that stuff was fixed or if it will get fixed.
> >
> > There was nothing specific of OpenBSD in the talk.
> >
> > He briefly mentioned 'OpenBSD, FreeBSD, Linux' being used as
> > firewalls, and said something like 'drop all not affecting IPv6'.
> > For what I know, pf(4) "block all" rule does block both IPv4 and IPv6
> > traffic, doesn't it? Moreover, in pf(4) the rules by default are
> > applicable to both IPv4 and IPv6, unless 'af inet' / 'af inet6'
> > modifiers are specifically and _intentionally_ used, or src/dst
> > addresses imply the af modifier.
> > So pf(4) on *BSD is not vulnerable to the described 'lack of
> > attention' firewall vulnerability... OpenBSD seems to have been
> > included in the list merely because it goes as a synonym for a
> > firewall today. :-)
> >
> > What exactly do you want to have fixed?
>
> In his talk he mentioned FreeBSD as one of the OSes he tested, and FreeBSD
> uses, as far as I know, also KAME.
>
> In his slides you may see (it's in the movie after 40m19s) that he said
> that all OSes he tested answered ->
>
> Fragmentation and following RA
> Responding to packets from multicast addresses
> Responding to packets with multicast destination (FreeBSD/Linux, both use
> KAME if I'm not wrong)

Just for the record: KAME is *BSD only. Linux has some other IPv6
stack. In the talk, you can see that Linux (not Windows XP SP2, and
not FreeBSD) is the most vulnerable, as it blindly replies to the ping
that claims to have come from the multicast IPv6-address.

Just to quote van Hauser from around 29:45.
"Every other operating system said, 'Oh no, I'm not doing that, I'm
not dumb'... Well, Linux is sometimes different..."

Cheers,
Constantine.

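The two host behaviours the thread argues about (answering an ICMPv6 echo request whose source is a multicast address, and answering one sent to a multicast destination) come down to a small address-sanity check before replying. The following is an added example, not code from the thread, from van Hauser's talk, or from any of the IPv6 stacks named above. It builds raw IPv6 + ICMPv6 echo requests inline (constructed test data; the ICMPv6 checksum is left at zero because only the addresses are examined) and applies the check a host should do: RFC 4291 section 2.7 forbids a multicast address as the source of any IPv6 packet, so such a request must never be answered; whether to answer a request addressed to a multicast group is treated here as a local policy knob (`answer_multicast_dst`), which is an assumption of this example rather than anything the thread specifies.

```python
"""
Added example (not part of the mailing-list thread): decide whether a host
should answer an ICMPv6 echo request, using only the Python standard library.

Rules applied:
  * RFC 4291 section 2.7: a multicast address (ff00::/8) must never be the
    source of an IPv6 packet, so a request claiming such a source is a
    reflection probe and gets no reply.
  * The unspecified address (::) is not a valid reply target either.
  * Requests sent to a multicast group are answered only if the local policy
    flag says so (assumption of this example; stacks differ here).
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
NEXT_HEADER_ICMPV6 = 58
ICMPV6_ECHO_REQUEST = 128


def build_echo_request(src, dst, payload=b"ping", ident=0x1234, seq=1):
    """Construct a raw IPv6 packet carrying an ICMPv6 echo request.

    Constructed test input: the ICMPv6 checksum field is left as 0 because
    this example only inspects addresses and types, not checksums.
    """
    src_b = ipaddress.IPv6Address(src).packed
    dst_b = ipaddress.IPv6Address(dst).packed
    icmp = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, ident, seq) + payload
    # version 6, traffic class 0, flow label 0 -> 0x60000000; hop limit 64
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), NEXT_HEADER_ICMPV6, 64)
    return hdr + src_b + dst_b + icmp


def parse_ipv6(pkt):
    """Return (src, dst, next_header, payload) from a raw IPv6 packet."""
    if len(pkt) < IPV6_HDR_LEN or (pkt[0] >> 4) != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr, _hop_limit = struct.unpack("!HBB", pkt[4:8])
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    payload = pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + payload_len]
    return src, dst, next_hdr, payload


def should_reply(pkt, answer_multicast_dst=False):
    """Return (reply, reason) for a received packet.

    answer_multicast_dst is a hypothetical local policy switch: True means the
    host answers echo requests sent to a multicast group it belongs to.
    """
    src, dst, next_hdr, payload = parse_ipv6(pkt)
    if next_hdr != NEXT_HEADER_ICMPV6 or len(payload) < 8:
        return False, "not an ICMPv6 message"
    if payload[0] != ICMPV6_ECHO_REQUEST:
        return False, "ICMPv6 but not an echo request"
    if src.is_multicast:
        # A multicast source is never legitimate (RFC 4291 2.7); replying
        # would turn this host into a reflector for whoever forged the packet.
        return False, "multicast source address, forbidden by RFC 4291 section 2.7"
    if src.is_unspecified:
        return False, "unspecified source address, no valid reply target"
    if dst.is_multicast and not answer_multicast_dst:
        return False, "echo request to a multicast group, local policy is not to answer"
    return True, "well-formed unicast-sourced echo request"


if __name__ == "__main__":
    # Constructed sample traffic: one normal ping, the two cases from the
    # talk, and an unspecified-source probe.
    samples = [
        ("normal", build_echo_request("2001:db8::1", "2001:db8::2")),
        ("multicast src", build_echo_request("ff02::1", "2001:db8::2")),
        ("multicast dst", build_echo_request("2001:db8::1", "ff02::1")),
        ("unspecified src", build_echo_request("::", "2001:db8::2")),
    ]
    for label, pkt in samples:
        verdict, why = should_reply(pkt)
        print(f"{label:16s} reply={verdict!s:5s} ({why})")
```

Run as a script it prints the verdict for each constructed packet; the only one answered is the plain unicast ping. The same classifier can be pointed at captured frames (strip the link-layer header first) to see which of the hosts on a segment would have answered a forged multicast-sourced request.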