Isn't announcing additional non-default routes part of the whole idea of v6? Maybe I'm confusing something here.
-
It's one feature you may or may not want, but "unauthenticated peer can reconfigure your network interfaces" is generally a security misdesign, and it's certainly not "the whole idea of v6".
-
If you want a tweet-sized version of "the whole idea of IPv6", it's just "4 billion addresses is nowhere near enough". Everything beyond that is basically "hey while we're at it we could add this feature too..."
End of conversation
New conversation -
The differences in how ipv6 works are not well understood by many, including me. Can you provide a source link for this? This link seems to say the opposite. https://www.tachyondynamics.com/ipv6-security-server-operating-systems/ …
-
Read kernel's Documentation/networking/ip-sysctl.txt. You can turn off accept_ra etc. manually but forwarding fixes all the defaults from what I can tell.
End of conversation
New conversation -
If your box is on a fixed ipv4 network you need to tweak an ipv6 setting?
-
IPv6 has weird autoconfig stuff. Without that setting, a malicious host on the network could pretend to be an autoconfig router and get you an IPv6 network ANYWAYS. So it's perhaps more important there.
-
Is this a bigger exploit than somebody pretending to be a dhcp server?
-
I'm pretty sure it's more-or-less identical, except with the assumption a DHCP server is running, and that it's something you're less likely to expect.
-
Yes, it's equivalent to the issues of a malicious DHCP server. But that only affects you if you're running a DHCP client; OTOH the kernel runs an IPv6 stateless autoconf client unless you explicitly turn it off via the above.
End of conversation