[ipv6hackers] IPv6 security presentation at Hack.lu 2011
Markus Reschke
madires at theca-tabellaria.de
Fri Sep 30 11:51:40 CEST 2011
On Fri, 30 Sep 2011, fred wrote:
Hi Fred!
> Maybe it is something you can do by setting a variable and building a new
> kernel in UNIX/Linux ?
For Linux, just add the following to sysctl.conf:
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
> I have never in my life found any IT people doing such setting on any
> Workstation or servers. But it is a long time I am not working with IT
> people who configure everything...
We (ISP) did it on every router and server (if supported) already in
the 90s. Also disabled source routing, directed broadcast and so on.
> So I did not know it was something which could be set easily and was done
> by everybody in the field so it was not an open issue for IPV4!
When the commercial internet lifted off, most ISPs had low speed leased
lines, especially across the Atlantic. It was easy to utilize the line's
full capacity by sending an echo request to a broadcast address at one
side and spoofing the source IP address to be another broadcast address at
the other side. And inside a LAN such a simple attack could also cause
havoc. It was essential to apply basic security measures to survive :-)
What really bothers me regarding IPv6 is that there was more than enough
time for vendors to implement it and for all to assess and fix security
problems, but we are doing it just now as we are forced to IPv6. Soon
there will be IPv6-only services and the mass market has to provide IPv6
to all users. It's going to be a nightmare - unfinished design and broken
products.
Best regards,
Markus
--
/ Markus Reschke \ / madires at theca-tabellaria.de \ / FidoNet 2:244/1661 \
\ / \ / \ /
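
Added example, not part of the message above: a shell audit that reads a sysctl.conf-style file and reports, for each of the four accept_redirects keys listed in the message, whether the last assignment in the file is 0. The function names (effective_value, audit_redirects) and the sample file contents are constructed for illustration.

```shell
# Added example, not from the original post: audit a sysctl.conf-style file
# for the four accept_redirects keys listed in the message.
REDIRECT_KEYS="net.ipv4.conf.default.accept_redirects
net.ipv4.conf.all.accept_redirects
net.ipv6.conf.default.accept_redirects
net.ipv6.conf.all.accept_redirects"
# effective_value FILE KEY: print the last value assigned to KEY (later wins).
effective_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                 # comment line
        {
            pos = index($0, "=")
            if (pos == 0) next                 # not an assignment
            k = substr($0, 1, pos - 1)
            v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)     # trim key
            gsub(/^[ \t]+|[ \t]+$/, "", v)     # trim value
            sub(/^-/, "", k)                   # "-key" ignore-errors prefix
            if (k == key) last = v
        }
        END { if (last != "") print last }
    ' "$1"
}

# audit_redirects FILE: one status line per key; returns 0 only if all are 0.
audit_redirects() {
    rc=0
    for key in $REDIRECT_KEYS; do
        val=$(effective_value "$1" "$key")
        case "$val" in
            0)  echo "OK      $key" ;;
            "") echo "MISSING $key (not set in this file)"; rc=1 ;;
            *)  echo "WEAK    $key=$val"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: one key re-enabled further down, one key absent.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real host's configuration
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_redirects=1
EOF
audit_redirects "$sample" || echo "redirect hardening incomplete"
rm -f "$sample"
```

A key reported as MISSING is only absent from the file that was checked; the value actually in force on a running host can be read with sysctl -n followed by the key name.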