[ale] IPv6
Dow Hurst
dhurst at kennesaw.edu
Tue Nov 11 10:40:50 EST 2003
I noticed that an update for WinXP Pro was to enable IPv6 and an IPv6
firewall. I don't know hardly anything about Windows XP so did not
apply that update since it said nothing about patching a vulnerability
at all. Nor does it seem to be something that is needed. Any comments
on this?
Dow
Michael H. Warfield wrote:
>On Tue, Nov 04, 2003 at 04:54:50AM -0500, Robert L. Harris wrote:
>
>>The biggest problem is enabling ipv6 and not modifying your firewall
>>rules to cover ipv6 also. If you duplicate your iptables rules to
>>another script and in that script modify "iptables" to "ipv6tables" and
>>remove IPv4 specific host entries you should have almost the same
>>coverage, you just might need to allow for things such as only allowing
>>ssh from certain hosts, etc.
>
> You also have to realize that most IPv6 traffic is going to
>be embedded in SIT (IPv4 protocol 41 aka ipv6 in /etc/protocols and
>6over4 in the RFCs). If you don't terminate those tunnels ON your
>firewall, your IPv4 firewall will only see it as SIT traffic (and not
>decode or process the encapsulated tcp or udp traffic) and your IPv6
>firewall will not see it at all (since it's IPv4 traffic and not
>native IPv6 traffic). To get your firewall in position to deal with
>IPv6 traffic, you have to block forwarding of the IPv6 transition
>tunnels and terminate them ON or in front of your firewall and then
>route IPv6 native through your firewall. Fortunately, this isn't
>difficult. Unfortunately, the bad guys know that none of this is
>difficult but that few people know about it or do it.
>
>>Thus spake George Johnson (gljay at earthlink.net):
>>
>>> I was just at the AUUG meeting tonight. Just how easily is a system
>>> running ipv4 hacked by someone running ipv6? Does a firewall protect
>>> you from it? Where are some good sites on the subject of hacking with
>>> ipv6?
>>>
>>> George Johnson
>>>
>>>
>>>_______________________________________________
>>>Ale mailing list
>>>Ale at ale.org
>>>http://www.ale.org/mailman/listinfo/ale
>>>
>>>
>>:wq!
>>---------------------------------------------------------------------------
>>Robert L. Harris | GPG Key ID: E344DA3B
>> @ x-hkp://pgp.mit.edu
>>DISCLAIMER:
>> These are MY OPINIONS ALONE. I speak for no-one else.
>>
>>Life is not a destination, it's a journey.
>> Microsoft produces 15 car pileups on the highway.
>> Don't stop traffic to stand and gawk at the tragedy.
--
__________________________________________________________
Dow Hurst Office: 770-499-3428 *
Systems Support Specialist Fax: 770-423-6744 *
1000 Chastain Rd. Bldg. 12 *
Chemistry Department SC428 Email: dhurst at kennesaw.edu *
Kennesaw State University Dow.Hurst at mindspring.com *
Kennesaw, GA 30144 *
************************************************************
This message (including any attachments) contains *
confidential information intended for a specific individual*
and purpose, and is protected by law. If you are not the *
intended recipient, you should delete this message and are *
hereby notified that any disclosure, copying, distribution *
of this message, or the taking of any action based on it, *
is strictly prohibited. *
************************************************************
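
Added example, not part of the original thread: a Python sketch of the point quoted above about SIT (IPv4 protocol 41), showing that a filter parsing only the IPv4 header finds no ports to match, while the inner IPv6/TCP header becomes visible once the tunnel is decapsulated. The packet is constructed from documentation-range addresses, the function names are hypothetical, and IPv6 extension headers are not walked.

```python
import ipaddress
import struct

SIT = 41  # IPv4 protocol number for encapsulated IPv6 ("ipv6" in /etc/protocols)

def build_sample() -> bytes:
    """Constructed 6in4 packet: IPv4 (proto 41) / IPv6 / TCP SYN to port 22."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip6 = struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64)
    ip6 += ipaddress.IPv6Address("2001:db8::1").packed
    ip6 += ipaddress.IPv6Address("2001:db8::2").packed
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ip6) + len(tcp), 0, 0,
                      64, SIT, 0,  # checksum left at 0 in this constructed sample
                      ipaddress.IPv4Address("192.0.2.1").packed,
                      ipaddress.IPv4Address("198.51.100.1").packed)
    return ip4 + ip6 + tcp

def ipv4_filter_view(pkt: bytes) -> dict:
    """What a filter that parses only IPv4 sees: ports exist only for TCP/UDP."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    view = {"proto": proto, "dport": None}
    if proto in (6, 17):
        view["dport"] = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return view

def decapsulated_view(pkt: bytes):
    """What is visible once the tunnel is terminated: the inner IPv6 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    inner = pkt[ihl:]
    if pkt[9] != SIT or len(inner) < 40 or inner[0] >> 4 != 6:
        return None  # not IPv6-in-IPv4, or truncated
    nxt = inner[6]  # next header; extension headers are not walked here
    view = {"src": str(ipaddress.IPv6Address(inner[8:24])),
            "dst": str(ipaddress.IPv6Address(inner[24:40])),
            "next_header": nxt, "dport": None}
    if nxt in (6, 17) and len(inner) >= 44:
        view["dport"] = struct.unpack("!H", inner[42:44])[0]
    return view

if __name__ == "__main__":
    sample = build_sample()
    print("IPv4-only view:   ", ipv4_filter_view(sample))
    print("after decapsulate:", decapsulated_view(sample))
```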