[Tails-dev] IPv6 (Was: firewall rules)

Author: Kill Your TV
Date:  
To: tails-dev
New-Topics: Re: [Tails-dev] IPv6
Subject: [Tails-dev] IPv6 (Was: firewall rules)
On Thu, 24 Jul 2014 21:14:48 +0000 (UTC)
intrigeri <intrigeri@???> wrote:

> Hi,
>
> (happy to see someone look at these rules in details, and question
> part of it!)
>
> Jacob Appelbaum wrote (24 Jul 2014 01:28:54 GMT) :
> > When would we ever have a RELATED or ESTABLISHED ipv6 connection
> > when everything is dropped?


Would it make sense to have IPv6 disabled by default in the kernel, such
as with `ipv6.disabled=1` at the syslinux prompt? Or disabling it with
sysctl? If nothing else it might fix those problems seen with MAC
address spoofing like one can see with VirtualBox and bridged adapters
(not tested), such as:

Jul 30 21:48:28 localhost kernel: [ 450.104114] Dropped outbound packet: IN= OUT=eth0 SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0001:ff01:cb07 LEN=64 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0
Jul 30 21:48:29 localhost kernel: [ 450.492124] Dropped outbound packet: IN= OUT=eth0 SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
Jul 30 21:48:29 localhost kernel: [ 451.104170] Dropped outbound packet: IN= OUT=eth0 SRC=fe80:0000:0000:0000:0a00:27ff:fe01:cb07 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
Jul 30 21:48:29 localhost kernel: [ 451.104188] Dropped outbound packet: IN= OUT=eth0 SRC=fe80:0000:0000:0000:0a00:27ff:fe01:cb07 DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0
Jul 30 21:48:30 localhost kernel: [ 451.572090] Dropped outbound packet: IN= OUT=eth0 SRC=fe80:0000:0000:0000:0a00:27ff:fe01:cb07 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=76 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
Jul 30 21:48:33 localhost kernel: [ 455.112102] Dropped outbound packet: IN= OUT=eth0 SRC=fe80:0000:0000:0000:0a00:27ff:fe01:cb07 DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0
Jul 30 21:48:35 localhost dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Jul 30 21:48:37 localhost kernel: [ 459.122031] Dropped outbound packet: IN= OUT=eth0 SRC=fe80:0000:0000:0000:0a00:27ff:fe01:cb07 DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0

If it might be worthwhile, I can take a stab at it after the I2P things
are better taken care of. (Of course the existing firewall rules would
have to be modified to make the IPv6 rules conditional upon whether
IPv6 is enabled or not; otherwise *none* of the firewall rules get
applied if the IPv6 rules fail due to missing IPv6 support in the
kernel)

I just ask because at this point IPv6 clearly can't work for anyone
without modifications to the existing rules, so maybe remove IPv6 until
it's ready to be used?
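
The conditional rule loading proposed in the message above, as an added example that is not part of the original post and not Tails' own firewall script. The rules file paths, the variable names and the function names are hypothetical; the sketch assumes that a kernel started without IPv6 support does not expose /proc/net/if_inet6.

```shell
#!/bin/sh
# Added example: load the IPv4 rules always, and the IPv6 rules only when
# the kernel actually has an IPv6 stack. Every path and name below is an
# assumption made for illustration, not taken from Tails.
PROC_ROOT="${PROC_ROOT:-/proc}"
RULES4="${RULES4:-/etc/firewall/rules.v4}"
RULES6="${RULES6:-/etc/firewall/rules.v6}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
IP6T_RESTORE="${IP6T_RESTORE:-ip6tables-restore}"

# True when the IPv6 stack is registered in the kernel. Disabling
# addresses through sysctl leaves the stack (and this file) in place,
# so in that case the IPv6 rules are still loaded.
ipv6_stack_present() {
    [ -e "$PROC_ROOT/net/if_inet6" ]
}

# Prints one status line per address family; returns non-zero if any
# rule set that should have been loaded was not.
load_firewall() {
    # The IPv4 rules are mandatory.
    $IPT_RESTORE < "$RULES4" || { echo "ipv4: FAILED"; return 1; }
    echo "ipv4: loaded"

    if ipv6_stack_present; then
        # The stack exists, so a failure here would leave IPv6 traffic
        # unfiltered: treat it as fatal rather than carrying on.
        $IP6T_RESTORE < "$RULES6" || { echo "ipv6: FAILED"; return 1; }
        echo "ipv6: loaded"
    else
        # No IPv6 in the kernel: nothing to filter, and running the
        # IPv6 restore command would only fail and abort the load.
        echo "ipv6: skipped (no IPv6 support in kernel)"
    fi
}
```

Calling `load_firewall` from the boot-time firewall hook keeps the IPv4 rules in force on a kernel without IPv6, while still failing loudly when IPv6 is present but its rules cannot be applied.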