[ale] IPv6

Michael H. Warfield mhw at wittsend.com
Tue Nov 11 22:30:54 EST 2003


On Tue, Nov 11, 2003 at 10:36:45AM -0500, Dow Hurst wrote:
> I noticed that an update for WinXP Pro was to enable IPv6 and an IPv6 
> firewall.  I don't know hardly anything about Windows XP so did not 
> apply that update since it said nothing about patching a vulnerability 
> at all.  Nor does it seem to be something that is needed.  Any comments 
> on this?
> Dow

	Windows XP has supported IPv6 from the start.  All you had to
do is run the command "ipv6 install" in a cmd window to fire it up.
It enabled SIT, 6to4, and Teredo (aka Shipworm) in addition to native
IPv6 autoconf.

	As far as the XP update goes...

	Danger, Will Robinson, Danger...

	Apply those updates IMMEDIATELY.  There are several and numerous
worms and bots and spyware and sundry, Microsoft propagated and diseases
propagating over the vulnerabilities fixed by those patches, on the loose
NOW.  FIX NOW!  Nothing to do with IPv6, but FIX NOW!  PATCH NOW!  Today
(second Tuesday of the month) included a few (4) more gotchas in the MS
camp.  Fix now or you're, as one person remarked to a General in
the Philippines when Mount Pinatubo blew its stack and told him that "I
hope you have jelly in your pockets, General, because we're about to be...",
toast.  A recent one (today) is prime worm fodder.  The clock is ticking...

> Michael H. Warfield wrote:
> 
> >On Tue, Nov 04, 2003 at 04:54:50AM -0500, Robert L. Harris wrote:
> >
> > 
> >
> >>The biggest problem is enabling ipv6 and not modifying your firewall
> >>rules to cover ipv6 also.  If you duplicate your iptables rules to
> >>another script and in that script modify "iptables" to "ipv6tables" and
> >>remove IPv4 specific host entries you should have almost the same
> >>coverage, you just might need to allow for things such as only allowing
> >>ssh from certain hosts, etc.
> >>   
> >>
> >
> >	You also have to realize that most IPv6 traffic is going to
> >be embedded in SIT (IPv4 protocol 41 aka ipv6 in /etc/protocols and
> >6over4 in the RFCs).  If you don't terminate those tunnels ON your
> >firewall, your IPv4 firewall will only see it as SIT traffic (and not
> >decode or process the encapsulated tcp or udp traffic) and your IPv6
> >firewall will not see it at all (since it's IPv4 traffic and not
> >native IPv6 traffic).  To get your firewall in position to deal with
> >IPv6 traffic, you have to block forwarding of the IPv6 transition
> >tunnels and terminate them ON or in front of your firewall and then
> >route IPv6 native through your firewall.  Fortunately, this isn't
> >difficult.  Unfortunately, the bad guys know that none of this is
> >difficult but that few people know about it or do it.
> >
> > 
> >
> >>Thus spake George Johnson (gljay at earthlink.net):
> >>
> >>   
> >>
> >>>  I was just at the AUUG meeting tonight.  Just how easily is a system
> >>>  running ipv4 hacked by someone running ipv6?  Does a firewall protect
> >>>  you from it?  Where are some good sites on the subject of hacking with
> >>>  ipv6?
> >>>
> >>>  George Johnson
> >>>     
> >>>
> >>>_______________________________________________
> >>>Ale mailing list
> >>>Ale at ale.org
> >>>http://www.ale.org/mailman/listinfo/ale
> >>>     
> >>>
> >>:wq!
> >>---------------------------------------------------------------------------
> >>Robert L. Harris                     | GPG Key ID: E344DA3B
> >>                                        @ x-hkp://pgp.mit.edu
> >>DISCLAIMER:
> >>     These are MY OPINIONS ALONE.  I speak for no-one else.
> >>
> >>Life is not a destination, it's a journey.
> >> Microsoft produces 15 car pileups on the highway.
> >>   Don't stop traffic to stand and gawk at the tragedy.
> >>   
> >>
> 
> -- 
> __________________________________________________________
> Dow Hurst                  Office: 770-499-3428            *
> Systems Support Specialist    Fax: 770-423-6744            *
> 1000 Chastain Rd. Bldg. 12                                 *
> Chemistry Department SC428  Email:   dhurst at kennesaw.edu   *
> Kennesaw State University         Dow.Hurst at mindspring.com *
> Kennesaw, GA 30144                                         *
> ************************************************************
> This message (including any attachments) contains          *
> confidential information intended for a specific individual*
> and purpose, and is protected by law.  If you are not the  *
> intended recipient, you should delete this message and are *
> hereby notified that any disclosure, copying, distribution *
> of this message, or the taking of any action based on it,  *
> is strictly prohibited.                                    *
> ************************************************************

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
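
Added example, not part of the original message or thread: a Python sketch of the point in the quoted 04 Nov reply, that a filter which stops at the IPv4 header sees only protocol 41 while the TCP port it would want to match sits inside the encapsulated IPv6 packet. The sample packet, its addresses and the function names are constructed for illustration.

```python
import socket
import struct

PROTO_41 = 41                      # "ipv6" in /etc/protocols (SIT / 6to4)
L4_NAMES = {6: "tcp", 17: "udp"}

def build_sample():
    """Constructed sample: IPv4 (proto 41) carrying IPv6/TCP SYN to port 22."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip6 = struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64)
    ip6 += socket.inet_pton(socket.AF_INET6, "2001:db8::1")
    ip6 += socket.inet_pton(socket.AF_INET6, "2001:db8::2")
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ip6) + len(tcp),
                      0, 0, 64, PROTO_41, 0,   # checksum left 0 (constructed)
                      socket.inet_aton("192.0.2.10"),
                      socket.inet_aton("198.51.100.20"))
    return ip4 + ip6 + tcp

def ipv4_view(pkt):
    """What a filter that stops at the IPv4 header can match on."""
    return {"proto": pkt[9], "src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20])}

def inner_view(pkt):
    """Decode the encapsulated IPv6 header and TCP/UDP ports, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != PROTO_41:
        return None                # not an IPv4 packet carrying protocol 41
    inner = pkt[(pkt[0] & 0x0F) * 4:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None                # truncated, or payload is not IPv6
    nxt = inner[6]                 # extension headers are not walked here
    view = {"src6": socket.inet_ntop(socket.AF_INET6, inner[8:24]),
            "dst6": socket.inet_ntop(socket.AF_INET6, inner[24:40]),
            "next_header": L4_NAMES.get(nxt, str(nxt)),
            "sport": None, "dport": None}
    if nxt in L4_NAMES and len(inner) >= 44:
        view["sport"], view["dport"] = struct.unpack("!HH", inner[40:44])
    return view

if __name__ == "__main__":
    pkt = build_sample()
    print("IPv4 filter sees  :", ipv4_view(pkt))
    print("after decapsulation:", inner_view(pkt))
```

The first view shows only protocol 41 between two IPv4 hosts; the SSH destination port appears only once the tunnel payload is decoded, which is why the tunnel has to terminate where the IPv6 rules are applied.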