Date: Tue, 20 Feb 2001 20:01:40 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: "Geoffrey T. Falk" <gtf@cirp.org>
Cc: security@freebsd.org
Subject: Re: IPv6 risk with ssh?
Message-ID: <20010220200140.B43056@mollari.cthul.hu>
In-Reply-To: <200102210101.SAA38561@h-209-91-79-2.gen.cadvision.com>; from gtf@cirp.org on Tue, Feb 20, 2001 at 06:01:00PM -0700
References: <200102210101.SAA38561@h-209-91-79-2.gen.cadvision.com>
On Tue, Feb 20, 2001 at 06:01:00PM -0700, Geoffrey T. Falk wrote:

> What is tcp46, a hybrid IP4/IP6 protocol? Should I be concerned? Nobody
> else has (legitimate) access to this box.

Itojun has already explained the first question. As for the second,
the only risk is one of access to connect to the SSH port if both of
the following are true:

a) You are connected to an untrusted IPv6 network (e.g. the IPv6
internet)

b) You want to have restrictions on who may connect to your SSH daemon
(e.g. using hosts.allow(5), or ipfw(8)), but have neglected to add the
corresponding restrictions for IPv6 source hosts.

There is no intrinsic risk associated with IPv6 transport of packets -
after all, it's just another network protocol.

> I'd prefer to disable/block all IPv6 for now if possible. How can
> I be assured that this is the case? I am currently running ipfw with
> a default deny rule.

Remove the relevant options from your kernel config and rebuild.

Kris
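The two conditions in the message above can be turned into a small audit, shown here as an added example that is not part of the original e-mail: find TCP listeners that accept IPv6 (`tcp6` or `tcp46` sockets) and report the ports that are restricted for IPv4 sources but not for IPv6 sources. The netstat text is a constructed sample, the function names are hypothetical, and the two restricted-port sets are assumed to be filled in by the administrator from their own hosts.allow and firewall rules.

```python
import re

# Constructed sample in the style of FreeBSD `netstat -an` output (not real data).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp46      0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.5432         *.*                    LISTEN
tcp6       0      0  *.80                   *.*                    LISTEN
tcp6       0      0  ::1.6010               *.*                    LISTEN
tcp4       0      0  192.0.2.10.22          198.51.100.7.51234     ESTABLISHED
"""

# proto, queues, local address split as "<addr>.<port>", foreign address, LISTEN state
LISTENER = re.compile(r"^tcp(46|4|6)\s+\d+\s+\d+\s+(\S+)\.(\d+)\s+\S+\s+LISTEN$")


def ipv6_reachable_listeners(netstat_text):
    """Return sorted ports with a listener that accepts IPv6 from off-host."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTENER.match(line.strip())
        if not m:
            continue  # header, non-TCP or non-listening socket
        family, addr, port = m.group(1), m.group(2), int(m.group(3))
        if family == "4":
            continue  # IPv4-only socket, not reachable over IPv6
        if addr == "::1":
            continue  # bound to IPv6 loopback only
        ports.add(port)
    return sorted(ports)


def unfiltered_over_ipv6(netstat_text, v4_restricted, v6_restricted):
    """Ports restricted for IPv4 sources but left open to IPv6 sources.

    v4_restricted / v6_restricted: sets of ports the administrator has
    covered with IPv4 and IPv6 access rules respectively (assumed inputs).
    """
    return [p for p in ipv6_reachable_listeners(netstat_text)
            if p in v4_restricted and p not in v6_restricted]


if __name__ == "__main__":
    # SSH and SMTP are restricted for IPv4 only in this constructed scenario.
    print(unfiltered_over_ipv6(SAMPLE_NETSTAT, {22, 25}, set()))
```
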