
IPv6 Flaw Could Greatly Amplify DDoS Attacks

Zonk posted more than 7 years ago | from the please-avoid-the-obvious-holes dept.

The Internet 258

tygerstripes writes "The Register has a story about the discovery of a flaw in part of the IPv6 specification which has experts scrambling to have the feature removed, or at least disabled by default. From the article: 'The specification, known as the Type 0 Routing Header (RH0), allows computers to tell IPv6 routers to send data by a specific route. Originally envisioned as a way to let mobile users to retain a single IP for their devices... RH0 support allows attackers to amplify denial-of-service attacks on IPv6 infrastructure by a factor of at least 80.' Paul Vixie, president of the Internet Systems Consortium, described the fault bluntly. 'It can be exploited by any greedy Estonian teenager with a $300 Linux machine.'"


258 comments


Goatse! (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19091811)

Goatse! [goatse.ch]

Goatshe! (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19091957)

Goatshe! [goatshe.cx]

Re:Goatshe! (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19092057)

fap, fap, fap

Greedy Estonian teenage overlords! (2, Funny)

alienmole (15522) | more than 7 years ago | (#19091821)

n/t

Re:Greedy Estonian teenage overlords! (4, Funny)

HomelessInLaJolla (1026842) | more than 7 years ago | (#19091843)

I for one welcome our greedy teenage northern European Baltic overlords!

They make awesome glaag.

Re:Greedy Estonian teenage overlords! (1)

mobby_6kl (668092) | more than 7 years ago | (#19092343)

Ah, so now we know it's actually the Russians behind this whole thing again. Oh well, they probably feel threatened by the new western IPv6 ideology, so it's understandable.

Don't confuse Estonians with Russians (4, Informative)

Goonie (8651) | more than 7 years ago | (#19092917)

Estonians don't like Russians very much. They got squished between Hitler and Stalin during WWII, and ended up part of the Soviet Union for 50 years, during which their language was suppressed, hundreds of thousands of Russians were brought in, and ran the place with their typical environmental consciousness and regard for the local ways (none at all, in other words). So mistaking Estonians for Russians isn't likely to be particularly popular with Estonians.

In any case, Estonia writes with Latin characters and the language is more like Finnish than anything else, apparently.

Re:Greedy Estonian teenage overlords! (0)

Anonymous Coward | more than 7 years ago | (#19092365)

Imagine what a Latvian with the same $300 could do!

Re:Greedy Estonian teenage overlords! (1, Funny)

Torvaun (1040898) | more than 7 years ago | (#19092801)

Or a Bratislavian.

"A nickle! Now I'll start my own hotel chain!"

Whew! (1)

Billy the Impaler (886238) | more than 7 years ago | (#19092601)

It's a good thing that nobody is using IPv6. Otherwise we might have to worry about this exploit! ;)

Is anybody surprised that Paul Vixie (5, Funny)

Anonymous Coward | more than 7 years ago | (#19091829)

was involved? If it weren't for those guys at sendmail, he'd be the number one source of Unix(tm) root exploits.

$300 Linux box... as if (5, Funny)

Ice Wewe (936718) | more than 7 years ago | (#19091853)

Please, if he were really that smart, he'd use an OLPC!

Estonia? (5, Funny)

Anonymous Coward | more than 7 years ago | (#19091871)

Clearly the problem here lies with Estonia, not IPv6.

Re:Estonia? (1)

McGiraf (196030) | more than 7 years ago | (#19091891)

no, with Linux, and Estonians who have more money than they should... :P

NOT COOL. (5, Funny)

game kid (805301) | more than 7 years ago | (#19091903)

Paul Vixie, president of the Internet Systems Consortium, described the fault bluntly. 'It can be exploited by any greedy Estonian teenager with a $300 Linux machine.'

That roughly translates to "It's so easy, an Estonian can do it".

Someone is gonna be buying them roast duck (with the mango salsa) soon.

Re:NOT COOL. (2, Insightful)

Jarjarthejedi (996957) | more than 7 years ago | (#19092063)

He forgot Estonia!...wait, no he didn't...okay then...

Seriously though, estonia? Raise your hand if you know where that is. The only reason I ever recognize that is because I just finished a European History class where we had to memorize the current map of Europe, I'm sure if you asked me last year (or next year :P) I wouldn't know. Why not say just greedy teenager with a $300 Linux machine or, better yet, Greedy Nigerian Royalty with a $300 Linux machine.

And why a $300 machine? If it can be done with Linux couldn't a greedy Estonian purchase some really cheap parts and build a $100 machine then install Linux on it? Or do all computers in Estonia cost $300 min?

Re:NOT COOL. (2)

Tancred (3904) | more than 7 years ago | (#19092173)

Seriously...some of us have been to Estonia. Get out and see the world sometime! Food was cheap there, but I don't know about computer costs. Tallinn is a modern city and I hear the tech sector is quite advanced. Not sure if Paul's got some connection to Estonia or he just meant some place that might lack the criminal investigation resources to follow up on that sort of thing.

Re:NOT COOL. (4, Informative)

Echnin (607099) | more than 7 years ago | (#19092621)

I was there for a couple of days in June last year. I was surprised to see that Linux is actually quite popular; they were selling Linux machines in the mall. The people were also very nice, and I enjoyed myself there. A half-litre of Staropramen was about an euro fifty, which added to the enjoyment. We were staying in a school there, and they had a very well-maintained computer lab (the machines weren't the fastest in the world admittedly, but more than adequate) which dual-booted XP and... I think Fedora or something. Now, Estonia is geographically a Baltic state, but culturally and linguistically they are very close to Finland, a Nordic state which as I expect most of you would know is the home of Linus Torvalds. Perhaps they feel a connection to Linus? Any Estonians here who want to shed some light on this?

Re:NOT COOL. (5, Funny)

Professor_UNIX (867045) | more than 7 years ago | (#19092271)

Seriously though, estonia? Raise your hand if you know where that is.
Maybe he meant to say Elbonia.

Re:NOT COOL. (-1, Flamebait)

QuickFox (311231) | more than 7 years ago | (#19092341)

Seriously though, estonia? Raise your hand if you know where that is.
Spoken like a true American.

There's a world out there! Get to know it!

Sheesh, these Americans want to set everything right with their useless wars, yet they don't have the first clue about the world they want to set right. If only they knew! *Sigh!*

Re:NOT COOL. (3, Insightful)

ObjetDart (700355) | more than 7 years ago | (#19092395)

I'm an American.

I know where Estonia is.

I, like a significant percentage of my fellow citizens, do not support Bush, his administration, nor the neo-con obsession with war-as-a-solution-to-everything.

You sound like a bigot and I resent your smug stereotyping of Americans.

Re:NOT COOL. (5, Funny)

dch24 (904899) | more than 7 years ago | (#19092467)

I'm an American.

I know where Estonia is. You insensitive clod.
There. Fixed that for ya.

Re:NOT COOL. (3, Insightful)

QuickFox (311231) | more than 7 years ago | (#19092527)

You're right. I'm sorry. Sometimes frustration makes me overreact. My reaction was stupid. It's not the American people I'm frustrated with, it's the Bush administration. It does irk me that the American people re-elected such a destructive administration, but they were swayed by very skillful propaganda. It's no excuse for my stupidly generalizing outburst.

You're right. I'm sorry.

leaders (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#19092707)

It should be obvious, there was a coup d'etat, cemented the day that the 9-11 attacks were allowed to go down, the vote was hacked, repeatedly hacked with blackbox voting, and the mass media is run by globalist fascists, so they slant the news accordingly, leading to a lot of big lies and propaganda indoctrination, conditioning the people as it is. This is a dictatorship now, morphing away from a representative republic, and this move is fully supported by the largest businesses; we are now a corporatocracy. Want to see some more recent evidence? The latest Republican debate, Ron Paul obviously won it, yet you'd be hard pressed to find any mention of it at all in the popular MSM, and what there is of it claims one of the CFR hand-picked puppet tools won the debate.

Bigtime TV wrestling is more real than the official political system in the US now. The system is for show business purposes only, something to keep the rabble amused and thinking they have any say whatsoever in what happens with their nation. Part of the old tried and true "bread and circuses" dodge that tyrannies always use to control their peon slaves.

There's a real funny one making the headlines now. The veep is claiming that he will never allow a nuclear-armed Iran to dominate the Middle East. What is the US? A nuclear-armed force that now dominates the Middle East. pot-kettle-black

Re:NOT COOL. (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19092425)

oh and I suppose you know where ever little country is? seriously, gtfo dickforce

Re:NOT COOL. (4, Insightful)

hardburn (141468) | more than 7 years ago | (#19092533)

Quick! Find Liechtenstein on a map. How about San Marino? No cheating with Google Maps.

There are a lot of countries and even more cultures within countries. Nobody can be expected to know all of them. While many Americans should be ashamed of not being able to find Iraq on a map, plenty of other countries play a much smaller role in world politics and nobody should blame anyone for not knowing about them.

Re:NOT COOL. (0, Troll)

Ungrounded Lightning (62228) | more than 7 years ago | (#19092661)

Spoken like a true American.

There's a world out there! Get to know it!


Well, Mr Globalist Hotshot:

Do you know where, say, the Yakima reservation is? Or the Washoe? Or the Blackfoot? Or the Navajo? Or any of more than a couple hundred others, owned and occupied by a nearly-as-large number of recognized tribes? (And that's just within the lower 48 states...)

Those tribes are all sovereign nations, with their own laws, and (depending on treaty terms) usually with their own law enforcement and sometimes with their own armies. (The Iroquois Confederacy, for instance, separately declared war on Germany during WW I - and jumped right into WW II because they'd never signed a peace treaty to end it.)

Until you are able to recite the names and locations of the North American tribes you have nothing to snoot about when some Americans don't concern themselves with the names and locations of all of yours.

The only reason many of yours rate as "important" to us is your multi-century track record of getting into tribal warfare and then sucking us in to bail you out. You've been making such wars for millennia. Much of the current population of the US are descendants of people who came here to get AWAY from all that - and figure out how to live together in peace without tyrannical rulers and enforced, draconian, social homogenization.

Re:NOT COOL. (1)

QuickFox (311231) | more than 7 years ago | (#19092799)

You're right. Sorry. [slashdot.org]

Re:NOT COOL. (1)

MrNonchalant (767683) | more than 7 years ago | (#19092379)

Someone is gonna be buying them roast duck (with the mango salsa) soon.
Either that or he can expect his server infrastructure to be down right quick.

Re:NOT COOL. (1)

Opportunist (166417) | more than 7 years ago | (#19092671)

Don't dis the Estonians! They write mighty good trojans.

Re:NOT COOL. (1)

bendodge (998616) | more than 7 years ago | (#19092803)

He said that because Estonia has 100Mbs internet connections.

Better idea (4, Interesting)

Watson Ladd (955755) | more than 7 years ago | (#19091921)

Don't route stuff stupidly. Instead of banning RH0, make sure it doesn't do redundant routes.

Re:Better idea (4, Informative)

Tuoqui (1091447) | more than 7 years ago | (#19092037)

I think the idea of RH0 is the fact that you can specify an exceptionally long route rather than using the shortest possible route to your path.

Imagine a network of 9 computers in a mesh topology. Now imagine instead of taking at most 4 hops to get to your destination you can specify it to go through every single computer on the network for a maximum of 9-10 hops. Because all of this traffic passes through each computer in the network you have amplified the power of your DoS attack by a factor of 2-3x because you are increasing the network congestion as well as potential collisions and everything else.

Now imagine the internet. I can believe it would amplify the power of DoS attacks by 80x or more if this were permitted. The fact remains is that a good network administrator will let the routers know the best routes. Why specify the route with RH0 when the routers are already built to know the best possible route (through protocols like OSPF and BGP you can even have the routers let each other know about potential problems in the network).

Re:Better idea (4, Informative)

Breakfast Pants (323698) | more than 7 years ago | (#19092453)

From TFS, Originally envisioned as a way to let mobile users to retain a single IP for their devices...

Re:Better idea (2)

techno-vampire (666512) | more than 7 years ago | (#19092039)

I think it's safe to say that in the usual Slashdot tradition, you didn't bother to RTFM before spouting off. The flaw has nothing to do with people accidentally specifying stupid routes, it's h4x0rs using stupid routes to DDOS one or more machines on the route as well as whatever machine they're addressing.

Re:Better idea (0)

Anonymous Coward | more than 7 years ago | (#19092219)

For Watson Ladd, this is actually par for the course. See http://it.slashdot.org/comments.pl?sid=189416&cid=15596425 [slashdot.org] for another example!

Re:Better idea (2, Insightful)

Watson Ladd (955755) | more than 7 years ago | (#19092639)

I did RTFM. What I meant is that each router along the path should check to make sure the route specified is not stupid, that is having the same IP address twice. If it does they should fix it.

Even better idea (2, Interesting)

jd (1658) | more than 7 years ago | (#19092265)

Originally, IPv6 handled mobile IP by migrating the routing information up through the routers, and by using transitional IP addressing. You kept the same suffix, not the same address, as you moved from network to network. But for some certain length of time, you had both the old address and the new one. This allowed for a totally clean transition and has the same observable effect as source-based routing, but is not subject to this DDoS attack strategy.

IIRC, the main reason the transitional scheme was dropped was because routers would need to track more states. Like they're not going to be tracking gigantic numbers of states in order to have a workable authenticated source-routing system.

However, there is one good thing about this. People might finally realize IPv6 is NOT an addressing scheme, it is a very powerful protocol. (Would you believe I had to correct a senior network engineer on that yesterday?)

Re:Better idea (1)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#19092653)

Not enough.

Let's say that routers search out and destroy "ping pong" routes, in their copious free time.

Malicious traffic could still route itself through every IP in your load balancing farm, so a DDoS could hit you N times with one packet. If you detect that, it could still route itself through all 13 DNS root server addresses.

I wonder how this decision got made. "Source routing" should have said "security issue" to everybody on the committee.

Re:Better idea (1)

QuickFox (311231) | more than 7 years ago | (#19092943)

"Source routing" should have said "security issue" to everybody on the committee.
Indeed it should — but there's a much greater mystery here. IPv6 has been publicly known for ages. A huge number of people have known it. How come nobody has noticed this problem until now?

I'm not sure it's right to blame the committee when such a huge number of other people have missed it.

Why? (0)

Anonymous Coward | more than 7 years ago | (#19091927)

Why does the teenager have to be Estonian?

Could he be Nigerian? Please? With spam?

Or ROC, maybe. (Russian Organized Crime, not Republic of China.)

Really, why do people say such stupid things? (0)

Anonymous Coward | more than 7 years ago | (#19091929)

It can be exploited by any greedy Estonian teenager with a $300 Linux machine.

While that seems like a pretty narrow demographic, he forgot to mention that they also have to have a tattoo of a monkey on their arm, wear an eye-patch, speak Danish with a stutter when eating pickled herring, listen to Zulu chants on a purple Zune all day long and snort with a whistle when they 'laugh'.

Re:Really, why do people say such stupid things? (1)

Drooling Iguana (61479) | more than 7 years ago | (#19091989)

Well that covers a lot more people, then.

Re:Really, why do people say such stupid things? (1)

BluBrick (1924) | more than 7 years ago | (#19092081)

Hei! That's not a monkey on my arm, it's a chimpanzee!

Re:Really, why do people say such stupid things? (1)

QuickFox (311231) | more than 7 years ago | (#19092143)

You forgot his purple t-shirt with a picture of a tiger in yellow and green attacking a mouse. How could you forget the t-shirt? Especially that t-shirt!

Hey! (0)

Anonymous Coward | more than 7 years ago | (#19092181)

While that seems like a pretty narrow demographic, he forgot to mention that they also have to have a tattoo of a monkey on their arm, wear an eye-patch, speak Danish with a stutter when eating pickled herring, listen to Zulu chants on a purple Zune all day long and snort with a whistle when they 'laugh'.


Hey! I'm a greedy Estonian teenager with a $300 Linux machine who has a tattoo of a monkey on my arm, wears an eye-patch, speaks Danish with a stutter when eating pickled herring, listens to Zulu chants on a purple Zune all day long and snorts without a whistle when I 'laugh', you insensitive clod!

A better idea. (4, Funny)

mustafap (452510) | more than 7 years ago | (#19091945)

Leave it in, but advise people to disable it for network security.

That already works for other problems, right?

Re:A better idea. (3, Interesting)

Anonymous Coward | more than 7 years ago | (#19092067)

The problem is that it's a mandatory part of the spec. BTW, Microsoft is not affected: The Windows IPv6 stack doesn't implement that feature. (It is the equivalent to source routing in IPv4, which is not allowed anywhere.)

Just what we need! (0, Flamebait)

Threni (635302) | more than 7 years ago | (#19091961)

Another fat racist computer nerd!

Re:Just what we need! (3, Funny)

McGiraf (196030) | more than 7 years ago | (#19091995)

hey! It's not nice to call people nerds.

Sorry you lose (0)

Anonymous Coward | more than 7 years ago | (#19092567)

Why don't you go and visit Estonia first before spewing garbage like that? Estonians are extremely slim and fit.

In fact I would bet almost anything that the only fat people you see on the street in Tallinn are either Russians or American tourists.

Re:Sorry you lose (1)

Thexare Blademoon (1010891) | more than 7 years ago | (#19092745)

Perhaps you should explain to him what Tallinn is before he tries ordering one at a restaurant.

Re:Just what we need! (1)

blacklint (985235) | more than 7 years ago | (#19093001)

I don't know how you still have a positive score for that comment. Have you ever met Paul Vixie? I have. He's a great man with a good sense of humor (see http://en.wikiquote.org/wiki/Paul_Vixie [wikiquote.org] ). Now can we just take this quote to mean that exploiting this part of the IPv6 specification has an extremely low barrier to entry as it was intended and move along?

Insensitive Clod (5, Funny)

Anonymous Coward | more than 7 years ago | (#19091991)

Where can I get one of these $300 Estonian Linux machines? To heck with Dellbuntu.

Paul Vixie, president of the Internet (0)

Anonymous Coward | more than 7 years ago | (#19092031)

talking about bad line breaks

Linux (0)

Anonymous Coward | more than 7 years ago | (#19092061)

It can be exploited by any greedy Estonian teenager with a $300 Linux machine.

See? I told you linux was the best.

Re:Linux (0)

Anonymous Coward | more than 7 years ago | (#19092187)

Windows lets you write raw packets as well. It's actually easier than doing it in linux, but of course linux generally comes with gcc as well.

Who gives a $%##? (3, Insightful)

toadlife (301863) | more than 7 years ago | (#19092135)

Why you say?

Because IPv6 will never be implemented widely anyway.

Why will it not you say?

Because too many people are happy with the current IPv4 + NAT insanity that is in place now. Never mind the fact that the insanely ridiculous kludge that is NAT and all of the insanely ridiculous mini-kludges (DynDNS, UDP connection "warming", etc.) that currently keep the internet glued together and working (sort of) like it is supposed to work probably cost as much or more time and energy than a multi-year dual-stack IPv4 to IPv6 transition would.

Ok, I'm done ranting.

Have a great weekend everyone! :)

Re:Who gives a $%##? (2, Insightful)

guruevi (827432) | more than 7 years ago | (#19092267)

Hmm, just like people wouldn't switch from Coax to 8-wire UTP because Coax was more robust? Or people that wouldn't switch from Token Ring to Ethernet because Token Ring was better? Or people that wouldn't ever need the Internet? Or 640k is enough for anyone? Or "I'll never need/use a cell phone"? Or nobody will ever drop Netware...

An article that discusses the actual vulnerability (4, Informative)

slashdotmsiriv (922939) | more than 7 years ago | (#19092309)

MOD Parent UP (+1: Informative) (0)

Anonymous Coward | more than 7 years ago | (#19092695)

The parent is quite an informative link, and as an additional positive, it's not on El Reg. ;)

Re:Who gives a $%##? (3, Insightful)

kestasjk (933987) | more than 7 years ago | (#19092313)

I predict mobile carriers and devices will use it for VoIP, where it's a necessity, everyone else will follow.

Re:Who gives a $%##? (2, Insightful)

Blondito (102273) | more than 7 years ago | (#19092355)

Why ? Why is it a necessity ? Do you really think having publicly addressed cell phones and voip handsets in their millions on the internet is going to a be a good thing ? NAT might not be the prettiest idea around but it has advantages beyond just expanding the available ip address space, and the biggest advantage is security. Wouldn't it be great if I constantly had to patch my cell phone software because of venerability's.

Re:Who gives a $%##? (3, Insightful)

toadlife (301863) | more than 7 years ago | (#19092403)

NAT is *not* a security mechanism.

The "security" of NAT is a side effect of it BREAKING the peer to peer model of the internet.

Re:Who gives a $%##? (2, Funny)

McGiraf (196030) | more than 7 years ago | (#19092457)

"constantly had to patch my cell phone software because of venerability's."

When a piece of software is old enough to be called venerable, it's surely more than time to patch it!

Re:Who gives a $%##? (1)

maxume (22995) | more than 7 years ago | (#19092515)

There has to be a joke about venerability, but I sure can't find it. I mean, I don't exactly revere my oldest gadgets.

Re:Who gives a $%##? (1)

alphamugwump (918799) | more than 7 years ago | (#19092335)

There's 6 billion people on earth, and 4 billion possible IP addresses (less, actually). Sooner or later, something is going to fail hard. At that point, they won't have a choice.

Re:Who gives a $%##? (5, Interesting)

Organic Brain Damage (863655) | more than 7 years ago | (#19092377)

Nevermind the fact that the insanely ridiculous kludge...

Check our DNA. We are, essentially, insanely ridiculous kludges. Nothing but organically accreted fixes to a long series of problems. Why should anyone be surprised that our technology mirrors this fundamental aspect of our selves?

The Japanese? (4, Insightful)

jd (1658) | more than 7 years ago | (#19092391)

They already deploy IPv6 nationally. Just because the US domestic market is more sluggish than a salted slug, it would be wrong to assume everyone else is as bad.

What's more, IPv4+NAT (as standard) doesn't give you half the features of IPv6. I've listed them before, I'll list them again here. Sure, not many use them NOW, but most of these are major areas of growth and Internet-aware devices will (sooner or later) have to use IPv6 to get the support they need.

  • IPSec
  • Anycasting
  • Multicasting the ISPs can't turn off
  • Mobile IP
  • Mobile Networks
  • Extensible Headers
  • Router Discovery
  • Automatic Configuration
  • Per-destination MTU optimization

There are probably a whole bunch of other advantages not listed here. Go to your local USAGI dealership and test drive an IPv6 today.

Re:The Japanese? (1)

markov_chain (202465) | more than 7 years ago | (#19092647)

To play devil's advocate, none of these features will make any difference to me, and they will make IP addresses so much harder to type.

Re:The Japanese? (1)

Joseph_Daniel_Zukige (807773) | more than 7 years ago | (#19092987)

I wish someone would tell my ISP that they've already got IPv6 running.

Re:Who gives a $%##? (1)

MichaelSmith (789609) | more than 7 years ago | (#19092461)

Because too many people are happy with the current IPv4 + NAT insanity that is in place now

NAT is great for real world politics. I have some small networks which need to be set up in a certain way, and connected to the company LAN for the time being. But I don't want to have to redesign them to suit the current fashion in office networks so I just say to the network nazis that this network is really one box and you don't have to know what is behind the box. It's easier that way, believe me.

Same with my home system. My cable provider sees a box running netbsd current, nothing else.

Re:Who gives a $%##? (1)

jlarocco (851450) | more than 7 years ago | (#19092711)

NAT is great for real world politics. I have some small networks which need to be set up in a certain way, and connected to the company LAN for the time being. But I don't want to have to redesign them to suit the current fashion in office networks so I just say to the network nazis that this network is really one box and you don't have to know what is behind the box. It's easier that way, believe me.

I'm pretty sure you can use NAT and IPv6 at the same time. With IPv4 you're forced to use NAT because there aren't enough addresses to go around. IPv6 provides enough addresses, so you only use NAT if you want to.

I don't. (0)

Anonymous Coward | more than 7 years ago | (#19092599)

Perhaps it's because IPv6 is a poorly designed, insecure solution in search of a problem?

Nice rant though.

Re:I don't. (1)

asdfghjklqwertyuiop (649296) | more than 7 years ago | (#19092899)


What's so insecure about IPv6?

How many people use IPv6 (0)

Anonymous Coward | more than 7 years ago | (#19092157)

Show of hands... do YOU use IPv6?

How widespread is its use anyway?

--
Down with the government.
Up with the people.
http://www.metagovernment.org/ [metagovernment.org]

IPv6 (0)

Anonymous Coward | more than 7 years ago | (#19092235)

IPv6 is dangerous enough as it is. With over one million (or was it trillion) possible addresses for every freaking inch of the world, spammers and hackers could hide forever. The bad guys could never be found, never mind what they feel like doing. It's a disaster waiting to happen. What we need is an IPv5.

Re:How many people use IPv6 (0)

Anonymous Coward | more than 7 years ago | (#19092303)

Not a chance. For a LAN of ~200 nodes, I use one public IP.

On the inside, 192.168.x.x provides far more room than I could ever need. Why would I want to complicate things?

Re:How many people use IPv6 (3, Insightful)

jguthrie (57467) | more than 7 years ago | (#19092333)

I've been using IPv6 for nearly a decade, but most of the IPv6 traffic on my LAN is local to the LAN. There are very few interesting places on the Internet that have IPv6 addresses and fewer end users coming from IPv6 capable nodes.

Re:How many people use IPv6 (0)

Anonymous Coward | more than 7 years ago | (#19092923)

And the benefits are?

Why are you running it?

The IETF screwed the pooch on this one (4, Insightful)

possible (123857) | more than 7 years ago | (#19092189)

As I understand it, it is not sufficient to simply ignore the rthdr0 headers. To protect the infrastructure, the safest thing is for all implementations to immediately DROP any packets containing these headers to keep them from propagating further.

However, there are still people in the IETF who don't want to recognize the severity of their mistake. Why do we, as a community of implementors and consumers, continue to trust these guys as a protocol standards body? It is obvious that they don't understand how complexity is the enemy of security. They add features to protocols without any concrete examples of how the feature would be used, simply because they don't ever want to make a decision. Rather than saying "No, this feature is not worth the extra complexity, we are not going to include it", it is always "OK, we will allow this as an optional mode of operation".

In this case, this was done in a particularly egregious fashion, considering the security issues with source routing have been known since at least '93 or so (in IPv4).
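An added example (not code from this thread or any of its posters) showing what the filtering choices discussed here look like on a real packet: Watson Ladd's "reject routes that repeat an address" check, Beryllium Sphere's objection that a route of distinct addresses still forces one packet through N hosts, and the "drop anything carrying RH0" advice above. It assumes only the RFC 2460 Routing Header layout; the addresses are constructed from the RFC 3849 documentation prefix, and `build_test_packet` exists solely to produce test vectors for the filter.

```python
import ipaddress
import struct

# IANA Next Header values for the extension headers a filter must walk past
# (RFC 2460 and RFC 4302) before it can tell what a packet really carries.
HOP_BY_HOP, ROUTING, FRAGMENT, AUTH_HDR, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AUTH_HDR, DEST_OPTS}
NO_NEXT_HEADER = 59
IPV6_FIXED_LEN = 40


def walk_extension_headers(pkt: bytes):
    """Return [(next_header_value, raw_header_bytes), ...] for the chain after the fixed header."""
    if len(pkt) < IPV6_FIXED_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], IPV6_FIXED_LEN, []
    while nh in EXT_HEADERS:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment header is a fixed 8 bytes; AH length is (len + 2) * 4;
        # every other extension header is (Hdr Ext Len + 1) * 8 bytes.
        if nh == FRAGMENT:
            hlen = 8
        elif nh == AUTH_HDR:
            hlen = (pkt[off + 1] + 2) * 4
        else:
            hlen = (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            raise ValueError("truncated extension header")
        chain.append((nh, pkt[off:off + hlen]))
        nh, off = pkt[off], off + hlen
    return chain


def decode_rh0(hdr: bytes):
    """Decode a Routing Header (RFC 2460 s4.4). Returns None unless Routing Type is 0."""
    if hdr[2] != 0:
        return None
    ext_len, segments_left = hdr[1], hdr[3]
    if ext_len % 2:
        raise ValueError("RH0 with odd Hdr Ext Len; RFC 2460 says discard it")
    n_addrs = ext_len // 2  # each address is 16 bytes, Hdr Ext Len counts 8-byte units
    if segments_left > n_addrs:
        raise ValueError("Segments Left exceeds address count; RFC 2460 says discard it")
    addrs = [ipaddress.IPv6Address(hdr[8 + 16 * i:24 + 16 * i]) for i in range(n_addrs)]
    return {"segments_left": segments_left, "addresses": addrs,
            "duplicates": n_addrs - len(set(addrs))}


def rh0_verdict(pkt: bytes, policy: str = "drop_all") -> dict:
    """policy 'drop_all': drop any packet carrying RH0 (the advice in the post above).
    policy 'reject_duplicates': the weaker check of dropping only when an address repeats."""
    result = {"action": "pass", "rh0": None, "reason": "no RH0"}
    for nh, hdr in walk_extension_headers(pkt):
        if nh != ROUTING:
            continue
        info = decode_rh0(hdr)
        if info is None:
            continue
        result["rh0"] = info
        if policy == "drop_all":
            result.update(action="drop", reason="RH0 present")
        elif policy == "reject_duplicates" and info["duplicates"]:
            result.update(action="drop", reason="RH0 repeats an address")
        else:
            # Even with all-distinct addresses this one packet will still be forwarded
            # to, and processed by, segments_left more hosts chosen by the sender.
            result.update(action="pass",
                          reason=f"{info['segments_left']} sender-chosen hops remain")
        break
    return result


def build_test_packet(src: str, dst: str, route, segments_left=None) -> bytes:
    """Constructed test vector only: fixed IPv6 header + RH0 listing `route`, no payload."""
    route = [ipaddress.IPv6Address(a) for a in route]
    if segments_left is None:
        segments_left = len(route)
    rh0 = (bytes([NO_NEXT_HEADER, 2 * len(route), 0, segments_left]) + bytes(4)
           + b"".join(a.packed for a in route))
    fixed = (struct.pack("!IHBB", 6 << 28, len(rh0), ROUTING, 64)
             + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)
    return fixed + rh0


if __name__ == "__main__":
    # Eight distinct hosts (constructed documentation addresses): passes the
    # duplicate check yet still forces eight extra hops out of a single packet.
    farm = [f"2001:db8:1::{i}" for i in range(1, 9)]
    pkt = build_test_packet("2001:db8::a", "2001:db8::b", farm)
    print(rh0_verdict(pkt, "reject_duplicates"))
    print(rh0_verdict(pkt, "drop_all"))
```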

Re:The IETF screwed the pooch on this one (1)

MichaelSmith (789609) | more than 7 years ago | (#19092421)

As I understand it, it is not sufficient to simply ignore the rthdr0 headers. To protect the infrastructure, the safest thing is for all implementations to immediately DROP any packets containing these headers to keep them from propagating further.

Well OK, but if you are on a closed network you might want to have this kind of control over routing. It should be supported, even if it is disabled on public networks.

Re:The IETF screwed the pooch on this one (4, Insightful)

Trepalium (109107) | more than 7 years ago | (#19092651)

Standards bodies attract certain types of people, and it's no real surprise that the IETF is infested with them now. Read an ITU standard some day if you want to know how bad it can be. There's a reason why we use TCP/IP instead of the OSI protocol, why we use SMTP instead of X.400, LDAP instead of X.500, etc. For a rather depressing story about standards bodies, read the Wikipedia article about ATM [wikipedia.org] about the choice of 48-byte payloads. I seriously doubt the IETF will ever be able to exorcise these people from its midst. Many of them were placed there to represent the interests of a particular corporation. Even if you replace the IETF with another standards organization, these same people would simply be moved into that organization.

What's with all the anti-IPv6 stuff lately? (1)

Ant P. (974313) | more than 7 years ago | (#19092317)

Is something bigger going on that we don't know about? Just wondering.

Re:What's with all the anti-IPv6 stuff lately? (3, Informative)

laffer1 (701823) | more than 7 years ago | (#19092465)

People are actually starting to look at IPv6 security. The recent OpenBSD issues highlighted the problem. OpenBSD, FreeBSD and MidnightBSD should all be patched for this issue. OpenBSD chose to turn it off completely for now. There is some talk about adding support to PF for blocking specific traffic. FreeBSD and MidnightBSD both used a patch that adds a new sysctl to disable the feature by default, but still allow it. As I recall, the reason it's in the spec to begin with is for research purposes. I don't follow DragonFly or NetBSD enough to know if they've patched yet.

Nothing New (4, Interesting)

jjeffrey (558890) | more than 7 years ago | (#19092323)

How is this different to source routing packets in IPv4? Surely people will just configure firewalls and hosts to drop these packets in exactly the same way as is done for IPv4 now.

Re:Nothing New (1)

Opportunist (166417) | more than 7 years ago | (#19092701)

...or not, just like they don't now.

ISPs will. No doubt about that. Will end users become magically enlightened over night when IPv6 finally hits the masses? I kinda doubt that.

Security Through Poorly Understood New Features (1)

WED Fan (911325) | more than 7 years ago | (#19092337)

Got to love new tech biting you in the butt.

i'm confused (0)

Anonymous Coward | more than 7 years ago | (#19092357)

this post is over an hour old and I haven't seen

1: any jokes about how in Soviet Russia packets route YOU
2: any assertions that somehow microsoft or the *IAA are to blame
3: ????
4: profit!

seems more a security feature (0)

Anonymous Coward | more than 7 years ago | (#19092367)

note: not a networking guru and didn't even know it was possible to order a route, but if so, think of the possibilities to avoid known bogus "areas" of the web. Badguy's nodes, evil big brother nodes, "great firewall" nodes, etc.

linux could solve this (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#19092495)

because open source roxorzz and if your not part of it that menaz j00 r just a windowz astroturfer!!11!!!
 
oh, btw: linux is for fags.

Nice commentary (0)

Anonymous Coward | more than 7 years ago | (#19092511)

it can be exploited by any greedy Estonian teenager
It's always helpful to frame your technical analysis by a racial slur, so that the layman can better relate to it.

$300 Linux machine? (1)

n3v (412497) | more than 7 years ago | (#19092589)

Why can't you do this with a $0 Linux machine?

Act NOW! The world is falling! (1)

Opportunist (166417) | more than 7 years ago | (#19092679)

Oh. No, wait, he said IPv6. Ok, then we got a little time to fix it. Even though it's about due in 2 years to become the next big thing. It has to, it's been due in 2 years for about 10 years now.

DoD Buying Cycle (1)

neiko (846668) | more than 7 years ago | (#19092681)

This is particularly interesting to myself since I'm in the midst of working one of our company's products to be "IPv6 Ready" logo certified and DoD approved for their new buying cycle next year (which I am told all products must be to be on the "list"). I wonder if this will push that deadline back any...

Early IPv6 drafts had limited the Type 0 route len (5, Informative)

Jim Logajan (849124) | more than 7 years ago | (#19092697)

Some history and information:

The earlier drafts of the IPv6 RFCs had limited the Type 0 routing addresses to 23 per extension header. The current limit is theoretically 128, though maximum packet size through any one link will tend to get in the way.

The number of times an IPv6 packet may ping-pong is limited by the Hop Limit field, which is an 8-bit unsigned integer (i.e. 255 times).

While it is true that a very permissive router or host may process a packet with more than one Type 0 routing header, RFC 2460 strongly recommends that a router or host only process one such extension header.

One product that has been designed to locate implementation problems with IPv6 stacks (it can't do anything about design flaws!) is the Maxwell product from http://www.iwl.com/ [iwl.com]. Truth in advertising requires that I point out I helped create some of the test cases for that product (however, I am not an employee of IWL, nor do I own any equity or options on equity in the company).
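As an added illustration of the header layout described in the comment above, and of the "drop, don't just ignore" point made earlier in the thread, here is a small Python parser that walks an IPv6 extension header chain, pulls the address list out of a Type 0 routing header, and returns a filter decision. This is example code written for this page; it is not from any of the BSD patches, from IWL's Maxwell product, or from the RFC. The packet builder exists only to produce test input, and every address and packet in it is constructed (2001:db8::/32 documentation space).

```python
import struct
import ipaddress

IPV6_HDR_LEN = 40
NH_HOP_BY_HOP, NH_ROUTING, NH_FRAGMENT, NH_DEST_OPTS, NH_NO_NEXT = 0, 43, 44, 60, 59
RH0_TYPE = 0
# Extension headers a filter must be able to step over to reach a routing header.
CHAINABLE = (NH_HOP_BY_HOP, NH_ROUTING, NH_FRAGMENT, NH_DEST_OPTS)


def build_packet(src, dst, waypoints=None, hop_limit=255):
    """Constructed sample packet (not captured traffic). With `waypoints`, a Type 0
    routing header listing them precedes a No-Next-Header (59) payload."""
    ext, nh = b"", NH_NO_NEXT
    if waypoints is not None:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in waypoints)
        # Hdr Ext Len counts 8-octet units after the first 8 octets: 2 per address.
        ext = struct.pack("!BBBBI", NH_NO_NEXT, 2 * len(waypoints),
                          RH0_TYPE, len(waypoints), 0) + addrs
        nh = NH_ROUTING
    fixed = (struct.pack("!IHBB", 6 << 28, len(ext), nh, hop_limit)
             + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)
    return fixed + ext


def ext_headers(pkt):
    """Yield (header_type, offset, length) for each extension header in the chain."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], IPV6_HDR_LEN
    while nh in CHAINABLE:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # The fragment header is fixed at 8 octets; the others carry Hdr Ext Len.
        length = 8 if nh == NH_FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + length > len(pkt):
            raise ValueError("extension header runs past end of packet")
        yield nh, off, length
        nh, off = pkt[off], off + length


def rh0_addresses(pkt):
    """Return every waypoint address carried in Type 0 routing headers (empty if none)."""
    found = []
    for nh, off, length in ext_headers(pkt):
        if nh != NH_ROUTING or pkt[off + 2] != RH0_TYPE:
            continue
        if pkt[off + 1] % 2:
            raise ValueError("malformed RH0: Hdr Ext Len must be even")
        data = pkt[off + 8:off + length]  # skip Next Hdr, Len, Type, Segs Left, Reserved
        found.extend(str(ipaddress.IPv6Address(data[i:i + 16]))
                     for i in range(0, len(data), 16))
    return found


def filter_decision(pkt):
    """Drop-on-sight policy: ("drop", reason) for any RH0 or malformed chain, else ("pass", reason)."""
    try:
        addrs = rh0_addresses(pkt)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    if addrs:
        # Every listed address is one more traversal the sender forces on the path;
        # alternating two routers' addresses is the ping-pong amplification.
        return "drop", f"RH0 with {len(addrs)} segment(s)"
    return "pass", "no RH0 present"


if __name__ == "__main__":
    a, b = "2001:db8:1::1", "2001:db8:2::1"   # two routers on one link (constructed)
    bounce = build_packet("2001:db8:bad::1", a, [b, a] * 44)
    print(len(bounce), "bytes:", filter_decision(bounce))
    print(filter_decision(build_packet("2001:db8::1", "2001:db8::2")))
```

The chain walk matters in practice: a filter that only inspects the Next Header byte of the fixed header misses an RH0 placed behind a Hop-by-Hop or Destination Options header. Dropping on a malformed chain, rather than passing what could not be parsed, is the conservative choice for infrastructure.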

Aren't the old excuses still good anymore? (1)

ClosedSource (238333) | more than 7 years ago | (#19092855)

Isn't the conventional wisdom that, due to the end-to-end argument, it's an OS and application problem by definition?

Re:Aren't the old excuses still good anymore? (1)

Vegeta99 (219501) | more than 7 years ago | (#19092875)

Asking people to "disable by default" seems to be the old excuse.