[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues

Karl Auer kauer at biplane.com.au
Tue Mar 19 06:40:59 CET 2013


On Tue, 2013-03-19 at 02:22 +0000, Jim Small wrote:
> If you look at 6724, the labels stay the same but the precedence changes.

Yes - I wasn't saying otherwise. Just making the point that some
differences don't matter.
 
> > I don't know, but you can literally just read /etc/gai.conf
> LOL - nothing has changed since the early UNIX days.  I have the
> source code, what else do I want?  :-)

gai.conf is not source code - it is a configuration file, and absolutely
the correct place to look if you want to know how something is
configured, no?

> Thanks - I read it and I have to say that sucks (the situation not
> your blog!).  So there isn't a way to universally modify the prefix
> policies in Linux?  And there's no exposed userland command to set
> precedence?

Why do you say that? If you change precedences in /etc/gai.conf, new
processes will pick up the changes. And if you use the "ip" program to
change labels, they are also used immediately by new processes. Possibly
even by running processes, I haven't checked that. If you use my script,
it is completely seamless. Why not suggest to the maintainers that they
put my script into the distro? There are LOTS of things that are
configured at boot time from config files, I don't see a major problem
with doing that for address selection. The "exposed userland command" is
"vi /etc/gai.conf" :-)

>   Not only does that draw wind deeply but it will make managing Linux
> systems somewhat challenging if you want to comply with 6724.

How so? So it doesn't implement 6724 out of the box - it probably
doesn't do a lot of things you want it to do out of the box, few OSes
do. Good news is that fixing it is nigh-on trivial.

> In Windows both the precedence and label for the prefix policies can
> be viewed/modified using netsh.

Not to be rude, but who cares?

> tried changing my prefix policy table to match 6724 and voila - it fixed
> the issue!  So there's got to be a way to do this in Linux.

Well - yes, there is. It has been explained in detail in my blog entry.
It's very simple. Edit a file, run a (very simple) script. I am
seriously starting to fail to understand what you are going on about.

> netsh int ipv6 add prefixpolicy fc00::/8 3 13

If this is so important to you, you have the tools in your hands to make
it so. Write a simple script that uses that syntax,
modifies /etc/gai.conf accordingly, then runs the script from my blog.
You never need think about it again.

> View the prefix policy table:
> netsh int ipv6 show pref

View the Linux policy table (with extensive comments, even):

   less /etc/gai.conf

> Very nice work with what you've discovered and blogged about.  Still
> though, it sounds like there is room for improvement

Yes. My script, or one like it, should be in the distro.

>  - especially since there could be systems with different prefix
> policies and you'll want to have a common set for one management
> domain.

That is a different problem, and one shared with a great many
configurable features.

>   I sure hope that draft to control prefix policies with DHCPv6
> becomes a standard...

Yup, would be nice to have in the enterprise toolbox. It is not as
powerful as /etc/gai.conf though.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
http://www.biplane.com.au/blog

GPG fingerprint: B862 FB15 FE96 4961 BC62 1A40 6239 1208 9865 5F9A
Old fingerprint: AE1D 4868 6420 AD9A A698 5251 1699 7B78 4EEE 6017
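As an added example (not Karl's script, not Jim's, and not part of the thread), the first two steps of what Karl suggests above: take a line in netsh `add prefixpolicy` syntax and rewrite the matching `precedence`/`label` entries in gai.conf text. The gai.conf content is a constructed sample, and the step that loads labels into the kernel with `ip` (the blog script) is not reproduced here.

```python
import ipaddress
import re

# Constructed sample in /etc/gai.conf syntax (not copied from any real host).
SAMPLE_GAI_CONF = """\
# Constructed sample: label/precedence table in /etc/gai.conf syntax
label      ::1/128    0
label      ::/0       1
label      fc00::/8   5
precedence ::1/128    50
precedence ::/0       40
precedence fc00::/8   40
"""

# netsh int ipv6 add prefixpolicy <prefix> <precedence> <label>
NETSH_RE = re.compile(
    r"^netsh\s+int(?:erface)?\s+ipv6\s+add\s+prefixpolicy\s+"
    r"(?:prefix=)?(\S+)\s+(?:precedence=)?(\d+)\s+(?:label=)?(\d+)\s*$", re.I)


def parse_netsh_add(cmd):
    """Return (prefix, precedence, label) from a netsh 'add prefixpolicy' line."""
    m = NETSH_RE.match(cmd.strip())
    if not m:
        raise ValueError("not a netsh add prefixpolicy command: %r" % cmd)
    prefix = ipaddress.IPv6Network(m.group(1), strict=False)
    return str(prefix), int(m.group(2)), int(m.group(3))


def apply_to_gai_conf(text, prefix, precedence, label):
    """Return gai.conf lines with `prefix` set to the given precedence and label.

    Existing 'precedence'/'label' lines for the same prefix are rewritten in
    place; missing ones are appended. Comments and other lines pass through."""
    target = ipaddress.IPv6Network(prefix, strict=False)
    want = {"precedence": precedence, "label": label}
    done = set()
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in want:
            try:
                same = ipaddress.IPv6Network(parts[1], strict=False) == target
            except ValueError:
                same = False
            if same:
                out.append("%s %s %d" % (parts[0], target, want[parts[0]]))
                done.add(parts[0])
                continue
        out.append(line)
    for key in ("precedence", "label"):
        if key not in done:
            out.append("%s %s %d" % (key, target, want[key]))
    return out
```

One caveat for anyone scripting this: glibc stops using its built-in default tables as soon as gai.conf defines any label (or precedence) line, so a rewrite has to keep the full table in the file rather than just the one prefix being changed.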
