On Tue, Apr 29, 2014 at 2:25 PM, Paul de Weerd <we...@weirdnet.nl> wrote:
>
> Why oh why can I bring up an interface and have attackers probe me
> over IPv6 on a default OpenBSD install while they cannot do so over
> IPv4? Why is IPv6 more enabled than IPv4? IPv4 takes configuration
> before it will work, IPv6 works without it. I believe that's a
> problem that should be fixed before changing other defaults.
>

Talk from defcon last year on abusing IPV6:
https://www.defcon.org/images/defcon-21/dc-21-presentations/Alonso/DEFCON-21-Alonso-Fear-the-Evil-FOCA-Updated.pdf

Video is up too - Alonso is pretty funny:
https://media.defcon.org/DEF%20CON%2021/DEF%20CON%2021%20video%20and%20slides/DEF%20CON%2021%20Hacking%20Conference%20Presentation%20By%20Chema%20Alonso%20-%20Fear%20the%20Evil%20FOCA%20IPv6%20attacks%20-%20Video%20and%20Slides.m4v

I agree default should be IPV6 off...

On Tue, Apr 29, 2014 at 2:25 PM, Paul de Weerd <we...@weirdnet.nl> wrote:
> On Tue, Apr 29, 2014 at 10:52:06AM -0300, Giancarlo Razzolini wrote:
> | On 29-04-2014 04:51, Stuart Henderson wrote:
> | > Too soon I think. Wait a little longer and more major ISPs will turn
> | > IPv4 into the second class citizen as they fumble with their cgnat
> | > deployments then this will make a lot more sense. Now that akamai have
> | > their /10 taking ARIN into the final /8 run-out position that RIPE and
> | > APNIC have been in for some time, this will accelerate.
> |
> | I disable ipv6 across all my Linux desktop installations because some
> | daemons aren't smart enough to not try it first. Postfix is one that
> | comes from the top of my mind. Also, I believe firefox will default to
> | ipv6 then ipv4 if you have it enabled. Too soon I think. I'm hoping for
> | ipv6 to get more traction soon, so we could end using nat on our pf rules.
>
> Disabling IPv6 should not be necessary: it shouldn't be enabled by
> default, even link-local addresses.
>
> Why oh why can I bring up an interface and have attackers probe me
> over IPv6 on a default OpenBSD install while they cannot do so over
> IPv4? Why is IPv6 more enabled than IPv4? IPv4 takes configuration
> before it will work, IPv6 works without it. I believe that's a
> problem that should be fixed before changing other defaults.
>
> If I want IPv6 (static / RS / DHCPv6 / whatever), I should configure
> my machine with it .. just like with IPv4 (static / DHCP / whatever).
> Fuck this bullshit.
> Please note that this is the protocol where many
> a developer will complain about how it's more complex than IPv4.
>
> Paul 'WEiRD' de Weerd
>
> PS: I tend to want IPv6 everywhere - I'm just opposing this STUPID
> default in OpenBSD.
>
> --
> >++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
> +++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
> http://www.weirdnet.nl/