Re: IPv6 routing

On 30/08/10 13:24, Thomas Jacob wrote:
> On Mon, 2010-08-30 at 12:10 +0100, Jonathan Tripathy wrote:
>> On a side note: netfilter currently has arptables to stop arp cache
>> poisoning. Is there any similar thing for NDP poisoning? I can prevent
>> the actual flow of non-icmpv6 IP traffic to a host by using ip6tables on
>> my bridge device (which sits in the middle of all hosts), however this
>> won't stop DoS attacks.
>
> Neighbour discovery is using link local multicast addresses, so
> you only need to be worried about being flooded from your LAN,
> same as with arp. If you are worried about it, then I think
> ip6tables doesn't do much for you at the moment, I am afraid. IPv6
> support is a long way from being up to IPv4 standards in Linux
> (and elsewhere). Please let the list know if you find a solution ;)
>
> BTW, I wouldn't accept all icmpv6 packets if you're security
> conscious, you really only need the following for basic
> IPv6 connectivity:
>
> (Taken from Ubuntu's ufw package)
>
> (linked to INPUT chain)
>
> target     prot       opt  source      destination
> ACCEPT     ipv6-icmp       anywhere    anywhere     ipv6-icmp neighbour-solicitation
> ACCEPT     ipv6-icmp       anywhere    anywhere     ipv6-icmp neighbour-advertisement
> ACCEPT     ipv6-icmp       anywhere    anywhere     ipv6-icmp router-solicitation
> ACCEPT     ipv6-icmp       anywhere    anywhere     ipv6-icmp router-advertisement
>
> (and maybe not even the last two, if you are using
> static routing).

Hi Thomas,

Thanks for the excellent explanation.

Yes, I am worried about my "LAN" being flooded, as my "LAN" actually hosts public (read: "untrusted") VPS for customers.

But ah well. I'm sure netfilter will have ndptables some day. We're only testing IPv6 at the minute anyway. And we've got iptables which will prevent any non-icmp traffic from working, as well as ebtables to prevent MAC spoofing.

That's good to know about the "fine-tuning" of the rules for icmpv6 - this is exactly what I was looking for!

Cheers

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
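The ICMPv6 allow-list Thomas quotes, as an added example that is not part of the thread and is not taken from ufw: a POSIX shell script that builds a dedicated `icmpv6-in` chain with the four NDP types he lists, plus the checks a practitioner on an untrusted LAN would add. NDP messages are required to arrive with a hop limit of 255 (RFC 4861), so the accepts are conditioned on `-m hl --hl-eq 255`; a per-source `hashlimit` rule drops neighbour-solicitation floods, which is the only help ip6tables offers against the DoS Jonathan asks about; `router-advertisement` is dropped outright in "static" mode, as Thomas suggests for static routing; and `packet-too-big` is admitted because path MTU discovery breaks without it (RFC 4890 lists it as must-not-filter). The chain name, the `dynamic`/`static` switch, the `DRY_RUN`/`APPLY` variables and the 50/sec flood threshold are all assumptions of this example, not anything the thread or ufw defines.

```shell
#!/bin/sh
# Minimal ICMPv6 policy for a host's INPUT chain. Added example; the chain
# name "icmpv6-in", the mode switch and the 50/sec threshold are assumptions.
set -eu

# Print each rule instead of applying it when DRY_RUN is set; applying
# for real needs root and a modern ip6tables (hl and hashlimit matches).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# $1 is "dynamic" (accept RS and RA, i.e. routers learnt from RAs) or
# "static" (routes are configured by hand, so RAs are dropped).
icmpv6_rules() {
    mode="${1:-dynamic}"

    run ip6tables -N icmpv6-in 2>/dev/null || true   # ignore "chain exists"
    run ip6tables -F icmpv6-in
    # Every ICMPv6 packet addressed to this host is decided in icmpv6-in.
    run ip6tables -A INPUT -p ipv6-icmp -j icmpv6-in

    # Flood guard: drop neighbour solicitations from any single source
    # above 50/sec (assumed threshold; tune for your LAN). DAD probes use
    # the unspecified source ::, so they share one bucket.
    run ip6tables -A icmpv6-in -p ipv6-icmp --icmpv6-type neighbour-solicitation \
        -m hashlimit --hashlimit-name ndp-ns --hashlimit-mode srcip \
        --hashlimit-above 50/sec -j DROP

    # NDP messages must have hop limit 255 (RFC 4861); anything lower was
    # forwarded by a router and cannot come from an on-link neighbour.
    for t in neighbour-solicitation neighbour-advertisement router-solicitation; do
        run ip6tables -A icmpv6-in -p ipv6-icmp --icmpv6-type "$t" \
            -m hl --hl-eq 255 -j ACCEPT
    done

    if [ "$mode" = static ]; then
        # Static routing: no router may install routes on this host.
        run ip6tables -A icmpv6-in -p ipv6-icmp --icmpv6-type router-advertisement -j DROP
    else
        run ip6tables -A icmpv6-in -p ipv6-icmp --icmpv6-type router-advertisement \
            -m hl --hl-eq 255 -j ACCEPT
    fi

    # Not in Thomas's list, but needed: Packet Too Big drives path MTU
    # discovery; filtering it stalls large transfers (RFC 4890).
    run ip6tables -A icmpv6-in -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT

    # Everything else (echo, redirects, unknown types) is dropped.
    run ip6tables -A icmpv6-in -j DROP
}

# Print the rules by default; APPLY=1 executes them (needs root).
[ -n "${APPLY:-}" ] || DRY_RUN=1
icmpv6_rules "${1:-dynamic}"
```

Two caveats that matter for Jonathan's bridge setup: these rules only cover packets addressed to the host itself, so NDP exchanged between bridged VPS guests traverses ip6tables FORWARD only when `net.bridge.bridge-nf-call-ip6tables=1` is set (otherwise only ebtables sees it); and in "static" mode the drop should be paired with `net.ipv6.conf.<iface>.accept_ra=0`, since the kernel, not the firewall, is what acts on a router advertisement.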