-----Original Message----- From: Robby Workman <ro...@rlworkman.net> To: armedslack <armedslack@lists.armedslack.org> Sent: Thu, Jun 27, 2013 2:05 am Subject: Re: [ARMedslack] IPv6 Default behaviour On Wed, 26 Jun 2013 20:34:39 -0400 (EDT) dowe...@netscape.net wrote: > Has anyone got any idea about how to trun of the default behaviour of > having every interface automatically assigned an IPv6 address when it > comes up? > > So far I've hunted around and around the interwebs, and pushed "0" > into all sorts of files in /proc/sys/net/ipv6/conf/*/* all to no > avail. The moment I bring an interface up an inet6 LLA address is > automatically assigned to it. > > I'm starting to wonder if Linux is an OS I really want to have > anywhere near a computer of mine when it seems the designers of it > decided it'd be a good idea to (by default) automatically open up a > connectable address on every single nertwork interface, of every > single device, without any consideration for whether an interface was > protected or not. > > I mean I've seen many utterly ridiculous decisions in my time in this > industry, but I never thought I'd see one which left nearly every > single linux system (all those where ip6tables hasn't been explicitly > invoked anyway) vulnerable to attack (even if only from another > system on the local network). Utter madness, with seemingly no way to > disable it. > > Any ideas/suggestions welcomed. If they're just link local addresses, they're not connectable at all from outside. Re the decisions, it's not linux - it's how ipv6 works: http://www.openwall.com/presentations/IPv6/ -RW _______________________________________________ ARMedslack mailing list ARMedslack@lists.armedslack.org http://lists.armedslack.org/mailman/listinfo/armedslack Hi Robby, Sorry, I'm not reassured to know that my systems are only being placed at risk by default on the local link. If Microsoft did this with WIndows everyone would point out how stupid they were to automatically make an interface addressable without protecting it behind a firewall. I'm afraid it is linux, it's no different to the linux kernel automatically assigning an IPv4 address to every interface which has a connected cable. It could have been implemented that way, but it wasn't. Thanks Dave
_______________________________________________ ARMedslack mailing list ARMedslack@lists.armedslack.org http://lists.armedslack.org/mailman/listinfo/armedslack
