On 09/10/2016 10:42 AM, Carlos E. R. wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
El 2016-09-10 a las 09:46 -0700, Lew Wolfgang escribió:
I've encountered the situation where misconfigured Windows systems will advertise themselves as an IPv6 router. They then happily accept traffic and drop it all silently on the floor. This problem doesn't seem to bother other Windows boxes too much, but it absolutely kills SSH connections. SSH preferentially tries IPv6 port 22, which when sent to a dumb Windows box results in very long hangups and connection failures.
Configure gai.conf to prefer IPv4 connections :-?
There is a comment in the file that says what to do.
That might be a possibility for accidental misconfigurations. But it doesn't address the overall security of an IPv6-only network that might contain a bad actor or two. "We have a known vulnerability, but it requires a local compromise to be leveraged. We're safe!" What could possibly go wrong? Here's an interesting slide show entitled "IPv6 Attack and Defense Strategies": https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Schaefer-Worksho... I like page 39: "On the local link we're all brothers!" It also says: * Simple Rule: the higher the complexity of a communications act the higher the cost of keeping state of it. * IPv6 has a high degree of complexity... and * We’re very interested to see how vendors of stateful firewalls will handle scenarios like “single infected machine sitting in a broadband /64 and establishing valid connections to web server from many many random source addresses”. BCP 38 won’t solve this. I didn't read the whole thing yet. But it makes me feel MUCH more secure and happy on my simple home natted IPv4-only network. Maybe I should rephrase the question: What has SUSE done to address the known IPv6 security issue described by RFC 6104 and others? Regards, Lew -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org