Archive for December, 2007

Win XP: Save/Restore network configuration

Saturday, December 29th, 2007

If you travel with a Windows XP notebook and DHCP isn’t available everywhere, it would be neat to have a way to save and restore network configuration settings such as the IP address and nameservers.
Besides some third-party tools, there is already a built-in tool for this: netsh

Security implications of listening to IPv6 router advertisements

Saturday, December 29th, 2007

Most current Linux distributions support IPv6 out of the box. What most people don’t seem to notice is that most of them actively listen for IPv6 router advertisements: as soon as they see a router advertisement on the same network segment, they will happily start using an IPv6 address from the advertised space. This doesn’t really look like a security issue (you don’t use IPv6, right?) until you consider that nearly all daemons nowadays are IPv6-capable while most firewalls are only configured to block IPv4 packets.
To make a long story short: if you are protecting your host with IPv4 firewall rules, don’t forget that you might have a security problem if your system reacts to IPv6 router advertisements. It only takes a single compromised box within the same network segment to fully open up all your IPv6-capable daemons, e.g. sshd.
Ever seen the “eth0: no IPv6 routers present” message in your syslog and wondered what it is? 😉

Quick fix: echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra (or better the appropriate /etc/sysctl.conf entry)
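
A check to confirm the quick fix took effect on every interface, added here as an example and not part of the original post. It assumes current Linux kernel semantics for accept_ra (0 = never, 1 = only while forwarding is off, 2 = always); the function names and the CONF_ROOT override are hypothetical.

```shell
#!/bin/sh
# Added example: report which entries under the IPv6 sysctl tree
# (all, default and each interface) would still accept Router Advertisements.
# Assumed accept_ra semantics: 0 = never, 1 = only if forwarding is 0, 2 = always.
# CONF_ROOT can be overridden to run the check against a constructed tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv6/conf}"

# Print the verdict for one accept_ra / forwarding pair.
ra_verdict() {
    case "$1" in
        0) echo ignore ;;
        1) if [ "$2" = "0" ]; then echo accept; else echo ignore; fi ;;
        2) echo accept ;;
        *) echo unknown ;;
    esac
}

# One line per entry: "<name> <accept_ra> <forwarding> <verdict>".
ra_report() {
    for dir in "$CONF_ROOT"/*/; do
        # Skip entries without a readable accept_ra (also covers an unmatched glob).
        [ -r "${dir}accept_ra" ] || continue
        name=$(basename "$dir")
        ra=$(cat "${dir}accept_ra")
        # Treat a missing forwarding file as forwarding disabled.
        fwd=$(cat "${dir}forwarding" 2>/dev/null || echo 0)
        echo "$name $ra $fwd $(ra_verdict "$ra" "$fwd")"
    done
}

# Sorted, space-separated names of entries that still accept RAs.
ra_exposed() {
    ra_report | awk '$4 == "accept" { print $1 }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Run directly: print the report for the live system.
ra_report
```

An empty result from ra_exposed means no entry accepts router advertisements; a non-empty "default" entry means interfaces created later will.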

There is even a related IPv6 operations internet draft:
Rogue IPv6 Router Advertisement Problem Statement