Category Archives: Tutoriale Linux

Tails 3 Offers Easy Anonymity for All | Linux.com


If you’re seriously concerned about privacy, you want to ensure you’re doing all the right things and not leaving behind a trace of what you’ve browsed. There are many reasons for this—some good, some bad. I’d like to focus on the good (naturally). In the past few years, it has become clear that tracking web histories is not a myth. Businesses, governments—anyone with the skills can make use of your browsing history. That is the very reason why technology like Tor has recently gained popularity.

Users want to reclaim their anonymity.

That is where the likes of Tails comes in. Tails lays claim to “Privacy for anyone” and they make good on that claim with tools like:

  • Tor — Tails relies on the Tor anonymity network

  • Tor Browser — A browser that works seamlessly with Tor

  • Onion Circuits — A tool that lists the circuits used by Tor

  • OnionShare  —  Anonymously share files

By using all of the above, on top of a live-only distribution, Tails makes for a very anonymous experience. And because it all works together seamlessly, you don’t have to worry about certain dependent components (e.g., starting Tor before using Tor Browser). In fact, you can fire up Tails, open up Tor Browser and immediately go to the Tor Check site and see that your Tails instance is, in fact, configured to use Tor.

This is privacy at its simplest, with a slight catch.

But wait; what exactly is Tails?

As I mentioned earlier, Tails is a live Linux distribution. What does that mean? It means you don’t install the operating system; you run it on a per-instance basis, use it for as long as you need, and shut it down when you’re done. If you want to use Tails, you burn the ISO (you must use either Firefox or Tor Browser to download the ISO) onto a USB drive, stick the USB drive into your machine, and boot. Enjoy the privacy of Tails and then, when you’re done, reboot the computer (removing the USB drive). Everything you did within Tails is gone; you have left absolutely no trace. And, if you work with the likes of VirtualBox, you can create a virtual machine with the ISO and have Tails at the ready any time (just remember to shut it down and not save the VM in its running state).

And so, for anyone that is looking to gain as much privacy as they can, Tails is one of the easiest solutions.

What’s new in Tails 3?

Startup and shutdown

Tails 3 brings about some significant changes to the platform. First and foremost, there’s a brand new startup and shutdown experience. When you boot Tails 3, the first thing you will see is the Tails Greeter (Figure 1). In this screen, you can select your Language, Keyboard Layout, and Date/Time formats.

Click on Additional settings and you can configure an administrator password (which is off by default), MAC address spoofing (on by default), and Network Connection (direct by default). Once you’ve configured Tails how you want it, click the Start Tails button and the default desktop will appear (Figure 2).

The improved desktop

The desktop is based on GNOME (with a slight tweak or two, by way of extensions) and is quite user-friendly. One of the first things previous users will note is that Tails has opted to go to the dark side, using the darker GNOME theme as the default. Speaking of the desktop, the Tails file manager (GNOME Files) finally includes the built-in ability to compress and extract, as well as the ability to rename multiple files at the same time. Add to that, Tails makes it easy (by way of GNOME Files) to encrypt, sign, wipe, and share (via OnionShare) files, through a right-click context menu (Figure 3).

No more 32-bit support

That’s right, Tails has opted to leave behind the aging 32-bit hardware support. This was a tough decision on their part, but it was the right move, as there is more security to be found within the 64-bit architecture.

Software updates

A number of the software packages have enjoyed updates. Once you boot up Tails, you’ll find the following release changes:

  • KeePassX from 0.4.3 to 2.0.3

  • LibreOffice from 4.3.3 to 5.2.6

  • Inkscape from 0.48.5 to 0.92.1

  • Audacity from 2.0.6 to 2.1.2

  • Enigmail from 1.8.2 to 1.9.6

  • MAT from 0.5.2 to 0.6.1

  • Dasher from 4.11 to 5.0

  • git from 2.1.4 to 2.11.0

As you can see, many of those titles are nowhere near bleeding edge; but when you’re using a live distribution, such as Tails, you’re not concerned with having the newest of the new. Even so, just because you’re looking for anonymity, doesn’t mean you don’t need to get things done. Tails has plenty of software to help you do just that. You’ll even find titles such as:

  • GIMP

  • Inkscape

  • Scribus

  • Thunderbird

  • Pidgin

  • Pitivi

  • Sound Recorder

  • And much more

In other words, don’t be fooled by the fact that Tails is a live distribution; this is still Linux, so there’s plenty of software to be had.

To read about all the changes that have been made to Tails, check out their official post here.

Amnesia

One thing you should know about Tails is that it defaults to the user amnesia. This particular user is not a member of the sudo group, so it cannot execute tasks that require administrative permission. You can get around that during startup: click Additional settings at the Tails Greeter and then click Administration password. Type and verify the new administrator password and click Add (Figure 4).

Once you’ve started Tails with an administrator password in place, the amnesia user can then work with tools like sudo. Do note, as soon as you restart Tails, that administrator password is gone and will have to be reset.

Is Tails right for you?

This question is fairly easily answered. Are you looking for the means by which you can browse and work anonymously, knowing once you shut down every trace of what you were doing will vanish? If that’s you, Tails might well be the perfect fit. Give Tails 3 a spin and enjoy anonymity at its simplest.

Learn more about Linux through the free “Introduction to Linux” course from The Linux Foundation and edX.

Install Freeradius on ubuntu 17.04 Server and manage using daloradius (Freeradius web management application)



RADIUS, which stands for “Remote Authentication Dial In User Service”, is a network protocol — a system that defines rules and conventions for communication between network devices — for remote user authentication and accounting. Commonly used by Internet Service Providers (ISPs), cellular network providers, and corporate and educational networks, the RADIUS protocol serves three primary functions:

• Authenticates users or devices before allowing them access to a network

• Authorizes those users or devices for specific network services

• Accounts for and tracks the usage of those services

Freeradius Features

• An open and scalable solution

• Broad support by a large vendor base

• Easy modification

• Separation of security and communication processes

• Adaptable to most security systems

• Workable with any communication device that supports RADIUS client protocol

daloRADIUS is an advanced RADIUS web platform aimed at managing Hotspots and general-purpose ISP deployments. It features rich user management, graphical reporting, accounting, and integrates with GoogleMaps for geo-locating (GIS). daloRADIUS is written in PHP and JavaScript and utilizes a database abstraction layer which means that it supports many database systems, among them the popular MySQL, PostgreSQL, Sqlite, MsSQL, and many others.

It is based on a FreeRADIUS deployment with a database server serving as the backend. Among other features it implements ACLs, GoogleMaps integration for locating hotspots/access points visually, and many more. daloRADIUS is essentially a web application for managing a RADIUS server, so in theory it can manage any RADIUS server, but specifically it manages FreeRADIUS and its database structure. Since version 0.9-3 daloRADIUS has included an application-wide database abstraction layer based on PHP’s PEAR::DB package, which supports a range of database servers.

Before installing, make sure you have an Ubuntu 17.04 LAMP server installed and ready for FreeRADIUS.

Preparing your system

Open the terminal and run the following command

sudo apt-get install php-common php-gd php-curl php-mail php-mail-mime php-pear php-db php-mysql

Install freeradius using the following command

sudo apt-get install freeradius freeradius-mysql freeradius-utils

Create Freeradius Database

You can use the following commands to create the freeradius database and a database user for it (replace password with a strong password of your own; the same value goes into sql.conf and daloradius.conf.php later)

sudo mysql -u root -p

Enter password:

mysql> create database radius;

mysql> grant all on radius.* to radius@localhost identified by 'password';

Query OK, 0 rows affected (0.00 sec)

Insert the freeradius database schema using the following commands (schema.sql and nas.sql are shipped by the freeradius-mysql package; the paths below follow the FreeRADIUS 2.x layout used throughout this guide, while a 3.x package keeps them under /etc/freeradius/3.0/mod-config/sql/main/mysql/)

sudo mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql

Enter password:

sudo mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql

Enter password:

Create a test user in the radius database (the radcheck row below uses the check attribute Password; current FreeRADIUS releases expect Cleartext-Password with the op column set to :=)

sudo mysql -u root -p

mysql> use radius;

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

mysql> INSERT INTO radcheck (UserName, Attribute, Value) VALUES ('sqltest', 'Password', 'testpwd');

Query OK, 1 row affected (0.04 sec)

mysql> exit

Bye

Freeradius Configuration

You need to edit /etc/freeradius/sql.conf file

sudo vi /etc/freeradius/sql.conf

Make sure the database section contains the following details (login and password must match the GRANT statement you ran above)

database = mysql
login = radius
password = password

Uncomment the following

readclients = yes

Save and Exit the file

Now you need to edit the /etc/freeradius/sites-enabled/default file

sudo vi /etc/freeradius/sites-enabled/default

Uncomment the sql entry in each of the following sections; in every case it sits directly under the comment # See "Authorization Queries" in sql.conf

accounting
    # See "Authorization Queries" in sql.conf
    sql

session
    # See "Authorization Queries" in sql.conf
    sql

post-auth
    # See "Authorization Queries" in sql.conf
    sql

Save and Exit the file

Now edit /etc/freeradius/radiusd.conf file

sudo vi /etc/freeradius/radiusd.conf

Uncomment the following line

$INCLUDE sql.conf

Save and exit the file

Now stop the FreeRADIUS server using the following command

sudo /etc/init.d/freeradius stop

Run freeradius in debugging mode. If there is no error, you are ready to go.

sudo freeradius -X

Start the freeradius using the following command

sudo /etc/init.d/freeradius start

Test the RADIUS server using the following command. The arguments are the user name and password from the radcheck row, the server, a NAS port number, and the shared secret; testing123 is the secret preconfigured for the localhost client in clients.conf, so change it there before the server is used for anything beyond local testing.

sudo radtest sqltest testpwd localhost 18128 testing123

Output as follows

Sending Access-Request of id 68 to 127.0.0.1 port 1812
User-Name = "sqltest"
User-Password = "testpwd"
NAS-IP-Address = 127.0.1.1
NAS-Port = 18128
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=68, length=20
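As an added example (not part of the original tutorial or of FreeRADIUS itself), the Python below reconstructs what the radtest exchange above puts on the wire: the RFC 2865 User-Password hiding keyed by the shared secret, the Access-Request layout with its random Request Authenticator, and the Response Authenticator a client verifies before trusting an Access-Accept. The server side is a toy stand-in for the SQL-backed FreeRADIUS using the radcheck row inserted earlier; the Message-Authenticator attribute (all zeros in the output above) is left out.

```python
import hashlib
import hmac
import os
import struct

SECRET = b"testing123"  # shared secret used by radtest above (clients.conf localhost entry)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5  # attribute type codes

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    # MD5(secret + previous ciphertext block), seeded by the Request Authenticator
    if len(password) > 128:
        raise ValueError("User-Password may not exceed 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    # Inverse of hide_password, as the server does before consulting radcheck
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind, value):
    # Attribute = type (1 octet) + length including header (1 octet) + value
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([kind, 2 + len(value)]) + value

def parse_attributes(payload):
    attrs, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload) or payload[pos + 1] < 2 or pos + payload[pos + 1] > len(payload):
            raise ValueError("malformed attribute")
        kind, length = payload[pos], payload[pos + 1]
        attrs[kind] = payload[pos + 2:pos + length]
        pos += length
    return attrs

def build_access_request(ident, username, password, nas_port, secret):
    # What radtest sends: header, 16 random Request Authenticator octets, attributes
    authenticator = os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def handle_access_request(request, secret, radcheck):
    # Toy stand-in for the SQL-backed server; radcheck maps UserName -> Password
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    attrs = parse_attributes(request[20:])
    if USER_PASSWORD not in attrs:
        raise ValueError("missing User-Password")
    user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    given = reveal_password(attrs[USER_PASSWORD], secret, request[4:20])
    ok = user in radcheck and hmac.compare_digest(given, radcheck[user])
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", reply, ident, 20) + response_authenticator(reply, ident, b"", request[4:20], secret)

def verify_reply(reply, request, secret):
    # Client-side check: same id as the request and a Response Authenticator made
    # with the same shared secret; anything else is silently discarded
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20])

def demo():
    # Replay the radtest exchange above (id 68, NAS-Port 18128) against the toy server
    radcheck = {"sqltest": b"testpwd"}  # the radcheck row inserted earlier
    req = build_access_request(68, b"sqltest", b"testpwd", 18128, SECRET)
    good = handle_access_request(req, SECRET, radcheck)
    bad_req = build_access_request(69, b"sqltest", b"wrong", 18128, SECRET)
    bad = handle_access_request(bad_req, SECRET, radcheck)
    return good[0], bad[0], verify_reply(good, req, SECRET), verify_reply(good, req, b"other")

if __name__ == "__main__":
    print(demo())  # (2, 3, True, False)
```

Note that the whole exchange is protected only by MD5 keyed with the shared secret, which is why testing123 must be replaced by a long random secret on any client entry that is not purely local.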

Daloradius Installation

You can download the Daloradius latest version from here

Once you have downloaded the daloradius-0.9-9.tar.gz file, extract it and move it into the web root using the following commands

$ tar xvfz daloradius-0.9-9.tar.gz

$ mv daloradius-0.9-9 daloradius

$ sudo mv daloradius /var/www/html

Change Permissions

sudo chown www-data:www-data /var/www/html/daloradius -R

sudo chmod 644 /var/www/html/daloradius/library/daloradius.conf.php

This file will hold the database password, so 640 (readable only by its www-data owner and group) is the stricter choice on a host with other local users.

A MySQL database needs to be set up for daloRADIUS. All that is required is to import the daloRADIUS schema into the existing radius database; the daloRADIUS-only schema is shipped as mysql-daloradius.sql in the contrib/db directory of the tarball.

$ cd /var/www/html/daloradius/contrib/db

sudo mysql -u root -p radius < mysql-daloradius.sql

Next, configure the daloRADIUS database settings.

sudo vi /var/www/html/daloradius/library/daloradius.conf.php

Change the database password

$configValues['CONFIG_DB_PASS'] = 'password';

Save and exit the file

Now you need to configure daloradius website under /etc/apache2/sites-available

sudo vi /etc/apache2/sites-available/daloradius.conf

add the following lines (Require all granted is the Apache 2.4 syntax; the older Order allow,deny / allow from all form only works while mod_access_compat is loaded). For a management interface, consider restricting access to your admin network, for example Require ip 192.0.2.0/24, instead of Require all granted.

Alias /daloradius "/var/www/html/daloradius/"

<Directory /var/www/html/daloradius/>
Options None
Require all granted
</Directory>

Save and exit the file

Enable daloradius website using the following command

sudo a2ensite daloradius

Enabling site daloradius.

To activate the new configuration, you need to run:

sudo service apache2 reload

Daloradius Web GUI

You can access the daloRADIUS GUI at http://server-ip/daloradius, which presents the login screen.

Use the following login details

username: administrator
password: radius

These are the well-known defaults of every daloRADIUS install, so change the administrator password immediately after your first login.

If you are running PHP 7 then you might see the following error

Database connection error
Error Message: DB Error: extension not found

To fix the above error you need to make the following changes (credit goes to the original author of this fix)

Changing file library/daloradius.conf.php

daloRADIUS’s database connection code has to identify the MySQL server using the newer mysqli driver, because PHP 7 no longer ships the old mysql extension:

Open for editing the file library/daloradius.conf.php, locate the configuration variable CONFIG_DB_ENGINE and change its value to mysqli (it is probably set to mysql; note the extra i). It should end up looking as follows:

$configValues['CONFIG_DB_ENGINE'] = 'mysqli';

Changing file library/opendb.php

Open for editing the file library/opendb.php

At the very end of the file add this new line of code, which makes MySQL accept daloRADIUS’s less strict SQL syntax:

$dbSocket->query("SET GLOBAL sql_mode = '';");

Note that SET GLOBAL changes the mode for every connection on the server and requires the SUPER privilege, which the radius user created above does not have (it was only granted rights on the radius database). SET SESSION sql_mode = '' relaxes the mode for daloRADIUS’s own connection only and needs no extra privilege.

Once you have logged in, you should see the daloRADIUS dashboard.





How to Write iptables Rules for IPv6 | Linux.com


We US-ians have been sheltered from the exhaustion of IPv4 addresses, but they have run out. IPv6 networks are up and running, so we have no excuses for not being IPv6 literate. Today our scintillating topic is iptables rules for IPv6, because, I am sad to report, our faithful IPv4 iptables rules do not magically work on IPv6 packets, and we must write new rules.

Before we dive in, you might want to review these previous articles for basic iptables concepts and scripts:

Iptables Commands

iptables should be the same on all Linuxes, as it is part of the kernel, but if your chosen Linux distribution does something weird, it’s not my fault. You should have ip6tables, ip6tables-restore, ip6tables-save, ip6tables-apply, and their corresponding man pages. Some Linux distributions install with a ready-made firewall and their own tools for stopping and starting it. You must decide whether to disable your distro configuration, or modify it if it’s based on iptables.

ip6tables operates the same way as iptables. It even supports NAT, network address translation, although I can’t think of a good use case for NAT in IPv6. NAT does masquerading and port forwarding, which has extended the lifespan of the inadequate IPv4 address pool by making a single public IPv4 address serve many hosts in private address spaces. NAT rewrites the private addresses to the single public address, and keeps track of which packets belong to which private addresses. This isn’t necessary in IPv6 because the pool of available addresses is so large we’ll never run out (at least not in my lifetime).

Block All IPv6

Because IPv4 rules do not affect IPv6 packets, theoretically, we are vulnerable to attacks over IPv6. The Internet of Gratuitously Connected Insecure Things (IoGIT, creatively abbreviated to pronounce as “idjit”) is experiencing denial-of-service and SYN flood attacks over IPv6, though it seems to me the bigger threat is snoopy vendors who suck up and exploit our personal data. Even iRobot is joining this abusive game by collecting and selling maps of our homes, from Roomba models 960 and 980. When you can’t even trust your cute robot vacuum cleaner, they have gone too far.

You might think meh, I don’t even need IPv6, so why not block it completely? You can, though this may cause some problems, but you won’t know until you try. Add these lines to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Then load your changes:

$ sudo sysctl -p
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Test this by pinging the link local address of your computer from a second computer on your LAN:

$ ping6 -c3 -I eth0 fe80::f07:3c7a:6d69:8d11
PING fe80::f07:3c7a:6d69:8d11(fe80::f07:3c7a:6d69:8d11) 
from fe80::2eef:d5cc:acac:67c wlan0 56 data bytes
--- fe80::2eef:d5cc:acac:67c ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2999s

This shows that it is disabled. When you re-enable IPv6, you must renew the DHCP lease on your interface to get an IPv6 address again.

Listing and Flushing Rules

First, see if you already have any rules:

$ sudo ip6tables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

This shows there are no existing rules. If you already have some rules, clear them with this command:

$ sudo ip6tables -F

If you already have active firewall scripts, a reboot restores your rules.

Example Host Rules

This is similar to the host firewall example in Building Linux Firewalls With Good Old Iptables: Part 2. The main difference is managing ICMP packets: IPv6 relies a lot more on ICMP than IPv4 does (neighbor discovery and address configuration run over ICMPv6), so it is a bad idea to completely block ICMP, even though some howtos recommend this, because it is necessary for proper network operations. In this example all ICMP packets are allowed.

When you’re unsure about protocol names, look in /etc/protocols to find the correct names.

#!/bin/bash

# ip6tables single-host firewall script

# Define your command variables
ipt6="/sbin/ip6tables"

# Flush all rules and delete all chains
# for a clean startup
$ipt6 -F
$ipt6 -X

# Zero out all counters
$ipt6 -Z

# Default policies: deny all incoming
# Unrestricted outgoing
$ipt6 -P INPUT DROP
$ipt6 -P FORWARD DROP
$ipt6 -P OUTPUT ACCEPT

# Must allow loopback interface
$ipt6 -A INPUT -i lo -j ACCEPT

# Reject connection attempts not initiated from the host
$ipt6 -A INPUT -p tcp --syn -j DROP

# Allow return connections initiated from the host
$ipt6 -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept all ICMP v6 packets
$ipt6 -A INPUT -p ipv6-icmp -j ACCEPT

# Optional rules to allow other LAN hosts access to services.
# Delete the "$ipt6 -A INPUT -p tcp --syn -j DROP" rule above first,
# otherwise new TCP connections are dropped before reaching these rules

# Allow DHCPv6 from LAN only
$ipt6 -A INPUT -m state --state NEW -m udp -p udp \
    -s fe80::/10 --dport 546 -j ACCEPT

# Allow connections from SSH clients
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# Allow HTTP and HTTPS traffic
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
$ipt6 -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

# Allow access to SMTP, POP3, and IMAP
$ipt6 -A INPUT -m state --state NEW -p tcp -m multiport \
    --dports 25,110,143 -j ACCEPT

There isn’t much in the way of updated official documentation that I can find for ip6tables other than man iptables. If you’re using online man pages make sure they are for your version, iptables --version.

In a future installment, we’ll go into detail on managing ICMP packets, controlling which ones have Internet access, which ones should be LAN-only, rate limiting, and other cool fine-tunings. We’ll also make an Internet gateway and look at rules for restricting source and destination addresses in more details.


Easily Update Ubuntu and Debian Systems with uCareSystem | Linux.com


Updates are something that are often ignored for one reason or another. However, if you’re not making a daily (or at least weekly) habit of updating your systems, then you are doing yourself, your servers, and your company a disservice.

And, even if you are regularly updating your Ubuntu and Debian systems, you may be doing the bare minimum, thereby leaving out some rather important steps.

As with nearly every aspect of Linux, fortunately, there’s an app that does an outstanding job of taking care of those upgrading tasks. A single command will:

  • Update the list of available packages

  • Download and install all available updates for the system

  • Check for and remove any old Linux kernels (retaining the current running kernel and one previous version)

  • Clear the retrieved packages

  • Uninstall obsolete and orphaned packages

  • Delete package settings from previously uninstalled software

That’s a lot of jobs for one command—but ucaresystem-core handles all this with ease. Considering that one command takes the place of at least eight commands, that’s a big time saver.

In fact, here are the commands ucaresystem-core can take care of:

  • apt update

  • apt upgrade

  • apt autoremove

  • apt clean

  • uname -r (do NOT remove this kernel)

  • dpkg --list | grep linux-image

  • sudo apt-get purge linux-image-X.X.X-X-generic (Where X.X.X-X is the kernel to be removed)

  • sudo update-grub2
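As an added example that is not part of ucaresystem-core or the original post, the Python below works through the kernel-pruning step from the list above: it parses constructed dpkg --list output, keeps the running kernel plus one previous version (and, as an extra safeguard of this example, anything newer that has not been booted yet), and emits the purge commands as a dry run. The dpkg --purge step for rc rows is this example's reading of the last bullet in the first list (settings left behind by uninstalled packages).

```python
import re

# Constructed sample of "dpkg --list | grep linux-image" output (not from a real host)
SAMPLE_DPKG_LIST = """\
ii  linux-image-4.10.0-42-generic  4.10.0-42.46   amd64  Linux kernel image for version 4.10.0
ii  linux-image-4.13.0-16-generic  4.13.0-16.19   amd64  Linux kernel image for version 4.13.0
ii  linux-image-4.13.0-17-generic  4.13.0-17.20   amd64  Linux kernel image for version 4.13.0
ii  linux-image-4.13.0-21-generic  4.13.0-21.24   amd64  Linux kernel image for version 4.13.0
ii  linux-image-4.13.0-25-generic  4.13.0-25.29   amd64  Linux kernel image for version 4.13.0
ii  linux-image-generic            4.13.0.21.22   amd64  Generic Linux kernel image
rc  linux-image-4.4.0-98-generic   4.4.0-98.121   amd64  Linux kernel image for version 4.4.0
"""

DPKG_LINE = re.compile(r"^([a-z][a-zA-Z])\s+(\S+)\s+(\S+)")
KERNEL_PKG = re.compile(r"^linux-image-((\d+)\.(\d+)\.(\d+)-(\d+)-([a-z]+))$")

def parse_dpkg_list(text):
    # Return (status, package, version) for every package row; header lines are skipped
    rows = []
    for line in text.splitlines():
        m = DPKG_LINE.match(line)
        if m:
            rows.append(m.groups())
    return rows

def installed_kernels(rows):
    # Map release string (as uname -r prints it) -> package name, installed ('ii') only.
    # Meta-packages such as linux-image-generic carry no version and are left alone.
    kernels = {}
    for status, pkg, _version in rows:
        m = KERNEL_PKG.match(pkg)
        if status == "ii" and m:
            kernels[m.group(1)] = pkg
    return kernels

def release_key(release):
    # Numeric sort key so that 4.4.0 < 4.10.0 < 4.13.0 (a plain string sort would not)
    a, b, c, d, flavour = KERNEL_PKG.match("linux-image-" + release).groups()[1:]
    return (int(a), int(b), int(c), int(d), flavour)

def kernels_to_purge(running, rows, keep_previous=1):
    # Everything older than the running kernel except the keep_previous releases just
    # below it; the running kernel and anything newer (not yet booted) are always kept
    kernels = installed_kernels(rows)
    if running not in kernels:
        raise ValueError(f"running kernel {running} is not an installed linux-image package")
    ordered = sorted(kernels, key=release_key)
    idx = ordered.index(running)
    keep = set(ordered[max(0, idx - keep_previous):])
    return [kernels[r] for r in ordered if r not in keep]

def leftover_configs(rows):
    # 'rc' rows: removed packages whose configuration files are still on disk
    return [pkg for status, pkg, _version in rows if status == "rc"]

def cleanup_commands(running, rows):
    # Dry run: the commands from the list above that this host would need
    cmds = ["sudo apt-get purge " + p for p in kernels_to_purge(running, rows)]
    if cmds:
        cmds.append("sudo update-grub2")
    cmds += ["sudo dpkg --purge " + p for p in leftover_configs(rows)]
    return cmds

if __name__ == "__main__":
    # On a real host: running = output of uname -r, rows from dpkg --list | grep linux-image
    for cmd in cleanup_commands("4.13.0-21-generic", parse_dpkg_list(SAMPLE_DPKG_LIST)):
        print(cmd)
```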

If you love spending time at a terminal window, that’s great. But if you have a lot of systems to update, you’re probably looking out for something to make your job a bit more efficient. That’s where ucaresystem-core comes in.

I’ve been using ucaresystem-core for more than a year now (with Elementary OS and Ubuntu) and have yet to encounter a single problem. In fact, this particular tool has become one of the first I install on all Ubuntu and Debian systems. I trust it…it works.

So, how can you get this incredibly handy tool? Let’s walk through the process of installing ucaresystem-core, how to use it, and how to automate it.

Installation

The first thing you must do is install ucaresystem-core. We’ll be downloading the .deb file (as the Utappia repository seems to no longer contain a release file). Here’s how:

  1. Download the .deb file that matches your operating system release into your ~/Downloads directory

  2. Change into the ~/Downloads directory with the command cd ~/Downloads

  3. Install the deborphan dependency with the command sudo apt install deborphan

  4. Install ucaresystem-core with the command sudo dpkg -i ucaresystem-core*.deb

That’s it for the installation; ucaresystem-core is ready to go.

Running ucaresystem-core

You might have guessed by now that running this all-in-one command is very simple, and you would be correct. To fire up ucaresystem-core, go back to your terminal and issue the command:

sudo ucaresystem-core

This will launch the tool, which will immediately warn you that it will kick off in five seconds (Figure 1).

As the command runs, it requires zero user input, so you can walk away and wait for the process to complete (how long it takes will depend upon how much needs to be updated, how much needs to be removed, the speed of your system, and the speed of your Internet connection).

The one caveat to ucaresystem-core is that it does not warn you should you need to reboot your machine (if a newer kernel has been installed). Instead, you have to scroll up to near the beginning of the output to see what has been upgraded (Figure 2).

If you cannot scroll up in your terminal, you can always view the dpkg log found in /var/log/dpkg.log. In this file, you will see everything ucaresystem-core has upgraded (including a handy time-stamp — Figure 3).

How much space did we gain?

Since my Elementary OS is set up such that ucaresystem-core is run as a cron job, I installed a fresh instance on a Ubuntu 17.10 desktop to test how much space would be freed after a single run. This instance was a VirtualBox VM, so space was at a premium. Prior to running the ucaresystem-core command the VM was using 6.8GB out of 12GB. After the run, the VM was using 6.2GB out of 12GB. Although that may not seem like a large amount, when you’re dealing with limited space, every bit counts. Plus, if you consider it went from 37 percent to 34 percent usage, it might seem like a better savings. On top of that, the system is now clean and running the most recent versions of all software…with the help of a single command.

Automating the task

Because ucaresystem-core doesn’t require user input, it is very easy to automate this, with the help of cron. Let’s say you want to run ucaresystem-core every night at midnight. To do this, open a terminal window and issue the command sudo crontab -e. Once you’re in your crontab editor, add the following to the bottom of the file:

0 0 * * * /usr/bin/ucaresystem-core

Save and close the crontab file. The command will now run every night at midnight. Thanks to the dpkg log file, you can check the results.

Should you want to set up ucaresystem-core to run at a different time/day, I suggest using the Crontab Guru to help you know how to enter the time/date for your cron job.

Keep it simple, keep it clean

You will be hard-pressed to find a simpler method to keep your Ubuntu and Debian systems both updated and clean, than with ucaresystem-core. I highly recommend you employ this very handy tool for any system that you want always updated and free of the cruft that can be left behind by such a process.

Of course, if you prefer to do everything by hand, that is an even more reliable method. However, when you don’t always have time for that, there’s always ucaresystem-core.


Building IPv6 Firewalls: IPv6 Security Myths | Linux.com


We’ve been trundling along nicely in IPv6, and now it is time to keep my promise to teach some iptables rules for IPv6. In this two-part series, we’ll start by examining some common IPv6 security myths. Every time I teach firewalls I have to start with debunking myths because there are a lot of persistent weird ideas about the so-called built-in IPv6 security. In part 2 next week, you will have a nice pile of example rules to use.

Security yeah, no

You might recall the optimistic claims back in the early IPv6 days of all manner of built-in security that would cure the flaws in IPv4, and we would all live happily ever after. As usual, ’tisn’t exactly so. Let’s take a look at a few of these.

IPsec is built-in to IPv6, rather than added on as in IPv4. This is true, but it’s not particularly significant. IPsec, IP Security, is a set of network protocols for encrypting and authenticating network traffic. IPsec operates at the Network layer. Other encryption protocols that we use every day, such as TLS/SSL and SSH, operate higher up in the Transport Layer, and are application-specific.

IPsec operates similarly to TLS/SSL and SSH with encryption key exchanges, authentication headers, payload encryption, and complete packet encryption in encrypted tunnels. It works pretty much the same in IPv6 and IPv4 networks; patching code isn’t like sewing patches on clothing, with visible lumps and seams. IPv6 is approaching 20 years old, so whether certain features are built-in or bolted-on isn’t relevant anyway.

The promise of IPsec is automatic end-to-end security protecting all traffic over an IP network. However, implementing and managing it is so challenging we’re still relying on our old favorites like OpenVPN, which uses TLS/SSL, and SSH to create encrypted tunnels.

IPsec in IPv6 is mandatory. No. The original specification required that all IPv6 devices support IPsec. This was changed in 2011 by RFC 6434, Section 11, from MUST to SHOULD. In any case, having it available is not the same as using it.

IPsec in IPv6 is better than in IPv4. Nah. Pretty much the same.

NAT = Security. No no no no no no, and NO. NAT is not and never has been about security. It is an ingenious hack that has extended the lifespan of IPv4 many years beyond its expiration date. The little bit of obfuscation provided by address masquerading doesn’t provide any meaningful protection, and it adds considerable complexity by requiring applications and protocols to be NAT-aware. It requires a stateful firewall which must inspect all traffic, keep track of which packets go to your internal hosts, and rewrite multiple private internal addresses to a single external address. It gets in the way of IPsec, geolocation, DNSSEC, and many other security applications. It creates a single point of failure at your external gateway and provides an easy target for a Denial of Service (DoS) attack. NAT has its merits, but security is not one of them.

Source routing is built-in. This is true; whether it is desirable is debatable. Source routing allows the sender to control forwarding, instead of leaving it up to whatever routers the packets travel through, which is usually Open Shortest Path First (OSPF). Source routing is sometimes useful for load balancing, and managing virtual private networks (VPNs); again, whether it is an original feature or added later isn’t meaningful.

Source routing presents a number of security problems. You can use it to probe networks and gain information and bypass security devices. Routing Header Type 0 (RH0) is an IPv6 extension header for enabling source routing. It has been deprecated because it enables a clever DoS attack called amplification, which is bouncing packets between two routers until they are overloaded and their bandwidth exhausted.

IPv6 networks are protected by their huge size. Some people have the idea that because the IPv6 address space is so large this provides a defense against network scanning. Sorry but noooo. Hardware is cheap and powerful, and even when we have literally quintillions of potential addresses to use (an IPv6 /64 network segment is 18.4 quintillion addresses) we tend to organize our networks in predictable clumps.

The difficulties of foiling malicious network scanning are compounded by the fact that certain communications are required for computer networks to operate. The problem of controlling access is beyond the abilities of any protocol to manage for us. Read Network Reconnaissance in IPv6 Networks for a lot of interesting information on scanning IPv6 networks, which attacks require local access and which don’t, and some ways to mitigate hostile scans.

Multitudes of Attack Vectors

Attacks on our networks come from all manner of sources: social engineering, carelessness, spam, phishing, operating system vulnerabilities, application vulnerabilities, ad networks, tracking and data collection, snooping by service providers… going all tunnel vision on an innocent networking protocol misses almost everything.

Come back next week for some nice example IPv6 firewall rules.

You might want to review the previous installments in our meandering IPv6 series:
