From: "Peter C. Lai"
To: "Thomas Cannon", "Geoffrey T. Falk"
Subject: Re: IPv6 risk with ssh?
Date: Tue, 20 Feb 2001 20:40:47 -0500
Sender: owner-freebsd-security@FreeBSD.ORG

you can also disable ipv6 by specifying in /etc/rc.conf

ipv6_enable="NO"

iirc ssh's ipv46 is ipv6 translation to ipv4 via the faith device. can
someone comment on this? (i could be wrong).

aren't we supposed to start switching to IPV6 anyway? personally, I would
like to do all my freebsd-to-freebsd ssh'ing via ipv6, but i haven't had
time to fool around with registering ipv6 addresses with DNS servers yet
(and typing in/memorizing ipv4 IPs is a lot easier than ipv6 IPs :).

furthermore, i don't know of any attacks that have used ipv6 protocols
since not every router supports it yet. In this case, security through
obscurity is ok maybe?

----- Original Message -----
From: "Thomas Cannon"
To: "Geoffrey T. Falk"
Sent: Tuesday, February 20, 2001 8:09 PM
Subject: Re: IPv6 risk with ssh?

> > I'd prefer to disable/block all IPv6 for now if possible. How can
> > I be assured that this is the case? I am currently running ipfw with
> > a default deny rule.
>
> As I don't use ipv6 for anything, I like to take it out of my kernel, and
> have been doing that by removing the "option INET6" from my kernel config,
> and removing the ipv6-specific devices, too. Seems to work, but again, may
> not be the best possible way of doing it.
>
> Cheers,
>
> Thomas
>
> Richard Feynman was a hacker; read any of his books.
> -Bruce Schneier

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
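
One way to check the two settings mentioned in this thread (ipv6_enable in /etc/rc.conf, and the INET6 option and faith device in the kernel config), as an added example that is not part of the original messages. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; sample inputs are constructed, not taken from the thread.

# Effective ipv6_enable from rc.conf text on stdin: YES, NO, unset or invalid.
# rc.conf is sourced as shell, so the last uncommented assignment wins.
rc_ipv6_state() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        /^[ \t]*ipv6_enable=/ {
            v = $0
            sub(/^[ \t]*ipv6_enable=/, "", v)
            gsub(/[^A-Za-z0-9]/, "", v)         # strip quotes and blanks
            last = toupper(v); seen = 1
        }
        END {
            if (!seen)                              print "unset"
            else if (last ~ /^(YES|TRUE|ON|1)$/)    print "YES"
            else if (last ~ /^(NO|FALSE|OFF|0)$/)   print "NO"
            else                                    print "invalid"
        }'
}

# Active IPv6-related lines in kernel-config text on stdin. Matches
# "option" as well as "options", since the thread spells it "option INET6".
kernel_ipv6_lines() {
    awk '
        { sub(/#.*/, "") }
        $1 ~ /^options?$/ && $2 == "INET6"          { print "options INET6" }
        $1 ~ /^(pseudo-)?device$/ && $2 == "faith"  { print "device faith" }
    '
}

SAMPLE_RC='# constructed sample rc.conf
ipv6_enable="YES"
sshd_enable="YES"
#ipv6_enable="YES"
ipv6_enable="no"   # later assignment wins
'
SAMPLE_KERNEL='# constructed sample kernel config
options 	INET
#options 	INET6
pseudo-device	faith	1
'

echo "rc.conf ipv6_enable: $(printf '%s\n' "$SAMPLE_RC" | rc_ipv6_state)"
printf '%s\n' "$SAMPLE_KERNEL" | kernel_ipv6_lines | sed 's/^/kernel config still has: /'
```

On a real system, feed the functions the actual files, for example `rc_ipv6_state < /etc/rc.conf`.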