[ipv6hackers] IPv6 security presentation at Hack.lu 2011

fred fred at fredbovy.com
Sat Oct 1 07:52:34 CEST 2011


Hi Markus,


Thanks a lot for your detailed response!
It will help me a lot for my job and I am going to include this in my
"Best Practice" recommendations for ISPs.

Have a beautiful day!


Fred Bovy
fred at fredbovy.com
Skype: fredericbovy
Mobile: +33676198206
Twitter: http://twitter.com/#!/FredBovy
Blog: http://fredbovyipv6.blogspot.com/
ccie #3013
 




On 30/09/2011 11:51, "Markus Reschke" <madires at theca-tabellaria.de> wrote:

>On Fri, 30 Sep 2011, fred wrote:
>
>Hi Fred!
>
>> Maybe it is something you can do by setting a variable and building a
>> new kernel in UNIX/Linux ?
>
>For Linux just add the following to sysctl.conf:
>net.ipv4.conf.default.accept_redirects=0
>net.ipv4.conf.all.accept_redirects=0
>net.ipv6.conf.default.accept_redirects=0
>net.ipv6.conf.all.accept_redirects=0
>
>> I have never in my life found any IT people doing such setting on any
>> Workstation or servers. But it is a long time I am not working with IT
>> people who configure everything...
>
>We (ISP) did it on every router and server (if supported) already in
>the 90s. Also disabled source routing, directed broadcast and so on.
>
>> So I did not know it was something which could be set easily and was
>> done by everybody in the field so it was not an open issue for IPv4!
>
>When the commercial internet lifted off, most ISPs had low speed leased
>lines, especially across the Atlantic. It was easy to utilize the line's
>full capacity by sending an echo request to a broadcast address at one
>side and spoofing the source IP address to be another broadcast address
>at the other side. And inside a LAN such a simple attack could also cause
>havoc. It was essential to apply basic security measures to survive :-)
>
>What really bothers me regarding IPv6 is that there was more than enough
>time for vendors to implement it and for all to assess and fix security
>problems, but we are doing it just now as we are forced to IPv6. Soon
>there will be IPv6-only services and the mass market has to provide IPv6
>to all users. It's going to be a nightmare - unfinished design and
>broken products.
>
>Best regards,
>  Markus
>-- 
>/ Markus Reschke \ / madires at theca-tabellaria.de \ / FidoNet 2:244/1661 \
>\                / \                             / \                    /
>_______________________________________________
>Ipv6hackers mailing list
>Ipv6hackers at lists.si6networks.com
>http://lists.si6networks.com/listinfo/ipv6hackers
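
The sysctl.conf lines quoted above set only the `all` and `default` entries, and the kernel also keeps an `accept_redirects` value for each interface, so reading every entry is what confirms the result. The script below is an added example, not part of the original thread; the root-directory argument and the sample tree are constructed here so it runs offline.

```shell
#!/bin/sh
# Audit accept_redirects for every entry under net/ipv4/conf and net/ipv6/conf.
# The root argument is a hypothetical override (assumption of this example) so
# the check can run on a constructed tree; on a live host it is /proc/sys.

# Print one "family/iface=value" line for each entry whose value is not 0.
redirect_findings() {
    root="${1:-/proc/sys}"
    for family in ipv4 ipv6; do
        for f in "$root"/net/"$family"/conf/*/accept_redirects; do
            [ -r "$f" ] || continue          # family absent or glob unmatched
            iface=$(basename "$(dirname "$f")")
            value=$(cat "$f")
            [ "$value" = "0" ] || printf '%s/%s=%s\n' "$family" "$iface" "$value"
        done
    done
}

# Return 0 when no entry accepts redirects, 1 otherwise (findings on stdout).
audit_redirects() {
    findings=$(redirect_findings "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Build a constructed sample tree: everything set to 0 except ipv6 on eth0.
make_sample_tree() {
    root="$1"
    for family in ipv4 ipv6; do
        for iface in all default eth0 lo; do
            mkdir -p "$root/net/$family/conf/$iface"
            echo 0 > "$root/net/$family/conf/$iface/accept_redirects"
        done
    done
    echo 1 > "$root/net/ipv6/conf/eth0/accept_redirects"
}

# Demo on the constructed tree (does not touch the live system).
tmp=$(mktemp -d)
make_sample_tree "$tmp"
audit_redirects "$tmp" || echo "redirects still accepted on the entries above"
rm -rf "$tmp"
```

On a real Linux host, calling `audit_redirects` with no argument reads `/proc/sys` directly.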




