[ipv6hackers] IPv6 security presentation at Hack.lu 2011
madires at theca-tabellaria.de
Fri Sep 30 11:51:40 CEST 2011
On Fri, 30 Sep 2011, fred wrote:
> Maybe it is something you can do by setting a variable and building a new
> kernel in UNIX/Linux ?
For linux just add following to sysctl.conf:
> I have never in my life found any IT people doing such setting on any
> Workstation or servers. But it is a long time I am not working with IT
> people who configure everything...
We (ISP) did it on every router and server (if supported) already in
the 90s. Also disabled source routing, directed broadcast and so on.
> So I did not know it was something which could be set easily and was done
> by everybody in the field so it was not an open issue for IPV4!
When the commercial internet lifted off, most ISPs had low speed leased
lines, especially across the Atlantic. It was easy to utilize the line's
full capacity by sending an echo request to a broadcast address at one
side and spoofing the source IP address to be another broadcast address at
the other side. And inside a LAN such a simple attack could cause also
havoc. It was essential to apply basic security measures to survive :-)
What really bothers me regarding IPv6 is that there was more than enough
time for vendors to implement it and for all to assess and fix security
problems, but we are doing it just now as we are forced to IPv6. Soon
there will be IPv6-only services and the mass market has to provide IPv6
too all users. It's going to be a nightmare - unfinished design and broken
/ Markus Reschke \ / madires at theca-tabellaria.de \ / FidoNet 2:244/1661 \
\ / \ / \ /
More information about the Ipv6hackers