--On Thursday, December 13, 2001 09:38:43 PM +0100 Wouter Van Hemel
<[EMAIL PROTECTED]> wrote:
> Hmm... *biting lower lip*... :)
>
> I think many firewall solutions don't have adequate support for
> ipv6 yet, i.e. of course they recognise ipv6 protocols, but don't
> really filter yet because they don't analyse the packets.
Attention here: looks like all IPv4 firewalls only recognize
IPv6-in-IPv4 tunneled packets but not native ones.
Examples: Linux/ipchains or Linux/netfilter4
Native IPv6 packets never reach the IPv4 filter code.
Interesting: This was also seen last week on a commercial (not Linux
filtering code using) firewall (latest release, but cannot publish
name here) on Red Hat Linux 7.2 with kernel 2.4.9-13:
IPv4 can be blocked completely, IPv6 isn't blocked at all (tested with
an ssh daemon listening on "::").
This is at the moment imho a big link-local security hole if IPv6 is
automagically enabled but not configured, because it's easy to detect
the MAC address of a firewall's interface and calculate the EUI-64
identifier. Afterwards a bad guy starts a radvd on the link and
possibly (if not switched off on the FW) the FW's interface learns the
prefix.
The bad guy can now run an IPv6 portscan on the FW's interface.
This is perhaps not only an issue on Linux systems with IPv6 support;
newer AIX systems also have IPv6 enabled out of the box.
But not an issue for Solaris 8 because if the FW is running, IPv6
cannot be enabled (tested with previous version of commercial FW).
Solution: disable IPv6 on IPv4-only filter code firewalls and switch
off acceptance of RAs.
(Linux: /proc/sys/net/ipv6/conf/*/accept_ra = 0)
BTW: Please don't ask for the name of the commercial FW...
Peter
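The following script is an added example illustrating the mitigation Peter describes (accept_ra = 0 under /proc/sys/net/ipv6/conf/*); it is not part of the original post or of any firewall product. audit_accept_ra reads `sysctl -a` style "key = value" lines on stdin and prints every interface whose accept_ra is not 0, so it can be checked offline against the constructed SAMPLE below; harden_ipv6 writes the settings to /proc and needs root. The disable_ipv6 knob it also sets is an assumption about modern kernels (it did not exist in 2.4), standing in for "disable IPv6" in the post.

```shell
#!/bin/sh
# Added example: audit and harden the IPv6 RA settings from the post.
# Not code from the original message.

# audit_accept_ra: read sysctl-style lines on stdin and print the name of
# every net.ipv6.conf.<iface>.accept_ra entry whose value is not 0, one per
# line ("all" and "default" count as interfaces here, since the kernel
# applies them to every/new interface).
audit_accept_ra() {
    sed -n 's/^net\.ipv6\.conf\.\([^.]*\)\.accept_ra *= *\([0-9]*\)$/\1 \2/p' |
    while read -r iface value; do
        [ "$value" = "0" ] || echo "$iface"
    done
}

# harden_ipv6: switch off RA acceptance on every interface and, on kernels
# that expose it (assumption: 2.6.29+), turn IPv6 off entirely, which is
# the "disable IPv6" half of the post's recommendation. Requires root.
# These /proc writes are not persistent; put the equivalent net.ipv6.conf.*
# keys in sysctl.conf to survive a reboot.
harden_ipv6() {
    for f in /proc/sys/net/ipv6/conf/*/accept_ra; do
        [ -e "$f" ] && echo 0 > "$f"
    done
    for f in /proc/sys/net/ipv6/conf/*/disable_ipv6; do
        [ -e "$f" ] && echo 1 > "$f"
    done
    return 0
}

# Constructed sample of sysctl output: "default" and "eth0" still accept
# RAs, "all" and "eth1" do not; unrelated keys must be ignored.
SAMPLE='net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth1.accept_ra = 0
net.ipv6.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.rp_filter = 1'

# Usage: "sh script.sh audit" checks the live system (prints offending
# interfaces, exits 1 if any); "sh script.sh harden" applies the fix.
case "${1:-}" in
    audit)
        bad=$(sysctl -a 2>/dev/null | audit_accept_ra)
        if [ -n "$bad" ]; then
            echo "accept_ra enabled on: $bad" >&2
            exit 1
        fi
        echo "accept_ra is 0 on all interfaces"
        ;;
    harden)
        harden_ipv6 && echo "IPv6 RA acceptance disabled"
        ;;
esac
```

Running the audit on a firewall that should never self-configure IPv6 is the cheap check: if any interface prints, the box can still learn a prefix from a rogue radvd on the link, exactly the window the post describes.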
---------------------------------------------------------------------
The IPv6 Users Mailing List
Unsubscribe by sending "unsubscribe users" to [EMAIL PROTECTED]