IPv6 Flaw Could Greatly Amplify DDoS Attacks

tygerstripes writes "The Register has a story about the discovery of a flaw in part of the IPv6 specification which has experts scrambling to have the feature removed, or at least disabled by default. From the article: 'The specification, known as the Type 0 Routing Header (RH0), allows computers to tell IPv6 routers to send data by a specific route. Originally envisioned as a way to let mobile users to retain a single IP for their devices... RH0 support allows attackers to amplify denial-of-service attacks on IPv6 infrastructure by a factor of at least 80.' Paul Vixie, president of the Internet Systems Consortium, described the fault bluntly. 'It can be exploited by any greedy Estonian teenager with a $300 Linux machine.'"

Greedy Estonian teenage overlords!

[alienmole]

n/t

Re:Greedy Estonian teenage overlords!

[HomelessInLaJolla]

I for one welcome our greedy teenage northern European Baltic overlords!

They make awesome glaag.

Re:

[mobby_6kl]

Ah, so now we know it's actually the Russians behind this whole thing again. Oh well, they probably feel threatened by the new western IPv6 ideology, so it's understandable.

Don't confuse Estonians with Russians

[Goonie]

Estonians don't like Russians very much. They got squished between Hitler and Stalin during WWII, and ended up part of the Soviet Union for 50 years, during which their language was suppressed, hundreds of thousands of Russians were brought in, and ran the place with their typical environmental consciousness and regard for the local ways (none at all, in other words). So mistaking Estonians for Russians isn't likely to be particularly popular with Estonians.

In any case, Estonia writes with Latin characters and the language is more like Finnish than anything else, apparently.

Estonian is like Finnish indeed - Not Russian

[Siker]

My mother speaks Estonian and can with some level of adaptation understand and express herself in a way that is understood by the Finnish, which I know for certain as my father is Finnish. Unfortunately, as I grew up in Sweden and was too much of an ungrateful kid to actually learn the languages of my parents, I can't directly comment on the similarity of the languages.

I second the opinion that the reference to an 'Estonian teenager' isn't very appropriate. It continues a strong, traditional and completely

Re:

[Skapare]

Estonian (Eesti [wikipedia.org]) and Finnish (Suomi [wikipedia.org]) are close enough for mutual understanding to work. Estonians watched Helsinki TV for real news and programming when Soviet Russia occupied their country (and probably still do, but now via cable legally). But the languages are not as close as Swedish, Norwegian, and Danish are to each other.

Re:

[cp.tar]

Yup... Estonian is a more innovative language; Finnish is quite archaic.

Estonian also has more loan words from both Slavic and Germanic languages.

Anyway, it seems that's why it's easier for Estonians to understand Finnish than vice versa.

Re:Don't confuse Estonians with Russians

[teh kurisu]

...when Soviet Russia occupied their country (and probably still do, but now via cable legally).

Now that's the way to occupy a country!

Re:

[Torvaun]

Or a Bratislavian.

"A nickle! Now I'll start my own hotel chain!"

s anybody surprised that Paul Vixie

[Anonymous Coward]

was involved? If it weren't for those guys at sendmail, he'd be the number one source of Unix(tm) root exploits.

Re:s anybody surprised that Paul Vixie

[MROD]

Sendmail was the right tool for its time.

This was a time when there were huge numbers of different network address formats which had to have mail routed to/from/between. That's why it's all about rewriting addresses and not about processing the message. It is also why it's so complex as it had to be flexible enough to handle IP, Usenet (i.e. bang paths), reversed domain-type addressing so you needed a complex language to deal with it.)

Remember also, this was an age before the virus and when the most malicious thing was the war dialler or phone phreaker with his trusty 300baud accoustic coupler modem. Built in security and thinking about buffer overflows weren't really even in the background of the programmers minds back then.

Times have changed, hence Sendmail just isn't an appropriate tool anymore, just like the stage coach. It doesn't mean that it's bad software.

$300 Linux box... as if

[Ice Wewe]

Please, if he were really that smart, he'd use an OLPC!

Estonia?

[Anonymous Coward]

Clearly the problem here lies with Estonia, not IPv6.

NOT COOL.

[game kid]

Paul Vixie, president of the Internet Systems Consortium, described the fault bluntly. 'It can be exploited by any greedy Estonian teenager with a $300 Linux machine.'

That roughly translates to "It's so easy, an Estonian can do it".

Someone is gonna be buying them roast duck (with the mango salsa) soon.

Re:

[Jarjarthejedi]

He forgot Estonia!...wait, no he didn't...okay then...

Seriously though, estonia? Raise your hand if you know where that is. The only reason I ever recognize that is because I just finished a European History class where we had to memorize the current map of Europe, I'm sure if you asked me last year (or next year :P) I wouldn't know. Why not say just greedy teenager with a $300 Linux machine or, better yet, Greedy Nigerian Royalty with a $300 Linux machine.

And why a $300 machine? If it can be done with Linu

Re:

[Tancred]

Seriously...some of us have been to Estonia. Get out and see the world sometime! Food was cheap there, but I don't know about computer costs. Tallinn is a modern city and I hear the tech sector is quite advanced. Not sure if Paul's got some connection to Estonia or he just meant some place that might lack the criminal investigation resources to follow up on that sort of thing.

Re:NOT COOL.

[Echnin]

I was there for a couple of days in June last year. I was surprised to see that Linux is actually quite popular; they were selling Linux machines in the mall. The people were also very nice, and I enjoyed myself there. A half-litre of Staropramen was about an euro fifty, which added to the enjoyment. We were staying in a school there, and they had a very well-maintained computer lab (the machines weren't the fastest in the world admittedly, but more than adequate) which dual-booted XP and... I think Fedora or something. Now, Estonia is geographically a Baltic state, but culturally and linguistically they are very close to Finland, a Nordic state which as I expect most of you would know is the home of Linus Torvalds. Perhaps they feel a connection to Linus? Any Estonians here who want to shed some light on this?

Re:NOT COOL.

[Professor_UNIX]

Seriously though, estonia? Raise your hand if you know where that is.

Maybe he meant to say Elbonia.

Re:

[Skapare]

You can find out where Estonia is here [wikipedia.org].

Re:

[mcrbids]

Seriously though, estonia? Raise your hand if you know where that is. The only reason I ever recognize that is because I just finished a European History class where we had to memorize the current map of Europe, I'm sure if you asked me last year (or next year :P) I wouldn't know.

Estonia... Estonia... Eh.....

Isn't that somewhere in Asia? North of Elbonia, by Kamchatka?

Re:

[asninn]

I'll raise my hand.

Seriously, though, that comment from Vixie was entirely stupid. Estonia's being put under pressure by Russia, the FSB (one of Russia's intelligence agencies and successor of the KGB) is stirring the flames [www.hs.fi], the Estonian embassy in Moscow is being attacked (literally), the Estonian ambassador is threatened with violence and there's a huge ddos attack against a number of Estonian websites, all because a statue is being moved to a different location (it's not even as if it's being taken dow

Re:

[ObjetDart]

I'm an American.

I know where Estonia is.

I, like a significant percentage of my fellow citizens, do not support Bush, his administration, nor the neo-con obsession with war-as-a-solution-to-everything.

You sound like a bigot and I resent your smug stereotyping of Americans.

Re:NOT COOL.

[dch24]

I'm an American.

I know where Estonia is. You insensitive clod.

There. Fixed that for ya.

Re:

[pipingguy]

Bravo, dch24. Your comment deserves a +1 Insightful, not +1 Funny. No, wait, maybe the +1 Funny is more appropriate.

Re:NOT COOL.

[QuickFox]

You're right. I'm sorry. Sometimes frustration makes me overreact. My reaction was stupid. It's not the American people I'm frustrated with, it's the Bush administration. It does irk me that the American people re-elected such a destructive administration, but they were swayed by very skillful propaganda. It's no excuse for my stupidly generalizing outburst.

You're right. I'm sorry.

Except this is not stereotyping

[aepervius]

In a study on kids, it was shown that the average US kids has less of a grasp on how the world is than the average kids of other continents. How was this done ? They were all asked to make a rough map of all continent. Although all kids had a tendency to make their own continent a bit bigger in proportion to the rest of the world, the biggest & msot extrem deformation was with US kids which in many case only drew the north american continent with some "blob" beside N-A representing the other continent.

Re:NOT COOL.

[hardburn]

Quick! Find Liechtenstein on a map. How about San Marino? No cheating with Google Maps.

There are a lot of countries and even more cultures within countries. Nobody can be expected to know all of them. While many Americans should be ashamed of not being able to find Iraq on a map, plenty of other countries play a much smaller role in world politics and nobody should blame anyone for not knowing about them.

Re:

[QuickFox]

I spoke foolishly. Sorry. [slashdot.org]

Re:

[QuickFox]

You're right. Sorry. [slashdot.org]

Re:

[smoker2]

Much of the current population of the US are descendants of people who came here to get AWAY from all that - and figure out how to live together in peace ...

Ha ha ha ha ha ha ha !

Is that why they all but wiped out many of those tribes you just mentioned ?

... without tyrannical rulers and enforced, draconian, social homogenization.

Well how's that working out for ya ?

BTW, if you can show me a link to a world map showing the locations of all those tribes you mentioned I'd appreciate it - but in the meanti

Re:

[Trogre]

Much of the current population of the US are descendants of people who came here to get AWAY from all that - and figure out how to live together in peace without tyrannical rulers and enforced, draconian, social homogenization.

And just look at you now!

(I kid, I kid)

Re:

[Heir Of The Mess]

Elbonia is a whole country, not local tribal information, but I guess you were making a point.

Here's all you need to know to get up to speed on Estonia https://www.cia.gov/cia/publications/factbook/geos /en.html [cia.gov]

Now where can I bone up on the info you mentioned?

Re:

[QuickFox]

Wow. Ufff. I've already eaten my words [slashdot.org], and twice more I've said I'm sorry, linking to that comment. This is the third time.

I spoke foolishly, out of extreme frustration and irritation with a country (or perhaps I should say a government) that starts a war that is supposed to be against terrorism but has the effect of fueling terrorism, bolstering recruitment to terrorist networks, strengthening the local influence of terrorist leaders, and so on. This needlessly growing terrorism creates a feeling of power

Re:NOT COOL.

[ivothamdrup]

He may have chosen Estonia in particular because there's recently (in the last week) been DDoS attacks targeting Estonia's government websites.

Those attacks were (still are, actually) carried out not by local "greedy teenagers", but top-level Russian authorities. The large-scale attacks were traced to IP addresses in Moscow owned by the Russian presidential administration and government.

Re:

[MrNonchalant]

Someone is gonna be buying them roast duck (with the mango salsa) soon.

Either that or he can expect his server infrastructure to be down right quick.

Re:

[Opportunist]

Don't dis the Estonians! They write mighty good trojans.

Re:

[bendodge]

He said that because Estonia has 100Mbs internet connections.

Re:

[Prune]

I don't get the duck/mango reference.

Better idea

[Watson Ladd]

Don't route stuff stupidly. Instead of banning RH0, make sure it doesn't do redundant routes.

Re:Better idea

[Tuoqui]

I think the idea of RH0 is the fact that you can specify an exceptionally long route rather than using the shortest possible route to your path.

Imagine a network of 9 computers in a mesh topology. Now imagine instead of taking at most 4 hops to get to your destination you can specify it to go through every single computer on the network for a maximum of 9-10 hops. Because all of this traffic passes through each computer in the network you have amplified the power of your DoS attack by a factor of 2-3x because you are increasing the network congestion as well as potential collisions and everything else.

Now imagine the internet. I can believe it would amplify the power of DoS attacks by 80x or more if this were permitted. The fact remains is that a good network administrator will let the routers know the best routes. Why specify the route with RH0 when the routers are already built to know the best possible route (through protocols like OSPF and BGP you can even have the routers let each other know about potential problems in the network).

Re:Better idea

[Breakfast Pants]

From TFS, Originally envisioned as a way to let mobile users to retain a single IP for their devices...

Re:

[jez9999]

I don't see the connection between allowing a specific route and retaining a single IP...

Re:

[techno-vampire]

I think it's safe to say that in the usual Slashdot tradition, you didn't bother to RTFM before spouting off. The flaw has nothing to do with people accidentally specifying stupid routes, it's h4x0rs using stupid routes to DDOS one or more machines on the route as well as whatever machine they're addressing.

Re:

[Watson Ladd]

I did RTFM. What I meant is that each router along the path should check to make sure the route specified is not stupid, that is having the same IP address twice. If it does they should fix it.

Re:

[mcrbids]

it's h4x0rs using stupid routes to DDOS one or more machines on the route as well as whatever machine they're addressing.

This bug sounds alot like one that I got bitten with years ago - source routing.

RedHat 6.2 came with source routing turned on by default. Since I was using a RH 6.2 system as my router/firewall, this was particularly damning, and allowed them to compromise my X11 workstation more than once. I played cat and mouse with a hax0r who penetrated my otherwise very stiff firewall for over a mont

Even better idea

[jd]

Originally, IPv6 handled mobile IP by migrating the routing information up through the routers, and by using transitional IP addressing. You kept the same suffix, not the same address, as you moved from network to network. But for some certain length of time, you had both the old address and the new one. This allowed for a totally clean transition and has the same observable effect as source-based routing, but is not subject to this DDoS attack strategy.

IIRC, the main reason the transitional scheme was dr

Re:

[netwiz]

Yep, actually I can. Entirely too few people in the industry realize exactly how this stuff works. In all honesty, I'd been aware of this particular aspect of v6 for a while, and didn't like it at all. Seemed like a great way to completely wreck the place.

Everybody, your host ARPs for the gateway, because your packets can't have more than one destination IP in the header!

/v4 only
//been doing this too long

Re:

[Beryllium Sphere(tm)]

Not enough.

Let's say that routers search out and destroy "ping pong" routes, in their copious free time.

Malicious traffic could still route itself through every IP in your load balancing farm, so a DDoS could hit you N times with one packet. If you detect that, it could still route itself through all 13 DNS root server addresses.

I wonder how this decision got made. "Source routing" should have said "security issue" to everybody on the committee.

Re:

[QuickFox]

"Source routing" should have said "security issue" to everybody on the committee.

Indeed it should — but there's a much greater mystery here. IPv6 has been publicly known for ages. A huge number of people have known it. How come nobody has noticed this problem until now?

I'm not sure it's right to blame the committee when such a huge number of other people have missed it.

Re:

[jaredmauch]

It's more like it's a known feature. IPv6 with header stacking was supposed to solve this problem folks allegedly have with IPv4 and it's lack of extensions. Evil bit aside, it's essentially "working as designed". People spin these things up periodically where a known feature could be used (misused) in the past as well. The TCP window fiasco comes to mind. Overall this is another non-event IMHO.

A better idea.

[mustafap]

Leave it in, but advise people to disable it for network security.

That already works for other problems, right?

Re:

[Anonymous Coward]

The problem is that it's a mandatory part of the spec. BTW, Microsoft is not affected: The Windows IPv6 stack doesn't implement that feature. (It is the equivalent to source routing in IPv4, which is not allowed anywhere.)

Insensitive Clod

[Anonymous Coward]

Where can I get one of these $300 Estonian Linux machines? To heck with Dellbuntu.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[guruevi]

Hmm, just like people wouldn't switch from Coax to 8-wire UTP because Coax was more robust? Or people that wouldn't switch from Token Ring to Ethernet because Token Ring was better? Or people that wouldn't ever need the Internet? Or 640k is enough for anyone? Or "I'll never need/use a cell phone"? Or nobody will ever drop Netware...

An article that discusses the actual vulnerability

[slashdotmsiriv]

http://www.potaroo.net/ispcol/2007-05/6pong.html [potaroo.net]

Re:Who gives a $%##?

[kestasjk]

I predict mobile carriers and devices will use it for VoIP, where it's a necessity, everyone else will follow.

Re:

[Blondito]

Why ? Why is it a necessity ? Do you really think having publicly addressed cell phones and voip handsets in their millions on the internet is going to a be a good thing ? NAT might not be the prettiest idea around but it has advantages beyond just expanding the available ip address space, and the biggest advantage is security. Wouldn't it be great if I constantly had to patch my cell phone software because of venerability's.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Intended or not...

[ZxCv]

NAT is *not* a security mechanism.

Whether or not it was intended, NAT *is* a security mechanism. Obviously not the best or the prettiest, but to say it provides no additional security is just ignorant.

Th "security" of NAT is a side effect of it BREAKING the peer to peer model of the internet.

Side effect or not, it provides additional security no matter how you look at it. From a purist's point of view, it certainly does break the peer to peer model of the internet. But from a practical user's standpoint,

Re:

[Hatta]

NAT is not a security mechanism at all. Imagine the simplest nat configuration where you have a 1:1 correlation between the internal IP and the external IP. No security there. The security comes from blocking ports which can be done just by a firewall with no address translation. Just because most firewalls come with NAT doesn't mean they're the same thing.

But from a practical user's standpoint, it rarely if ever breaks anything, provides additional functionality and security, and is usually brain-dead s

Re:

[McGiraf]

"constantly had to patch my cell phone software because of venerability's."

When a piece of software is old enough to be called venerable, it's surely more than time to patch it!

Re:

[TheRaven64]

Do you really think having publicly addressed cell phones and voip handsets in their millions on the internet is going to a be a good thing

Yes. Want to do a file transfer between your machine and your friend's, when both of you are on mobile connections? Well, it's pretty easy, your IP is 10.23.45.102 and his is 10.24.53.12, on of you just needs to connect to the other. Oh, you're using different mobile providers? And you're on different instances of the 10/8 private subnet? Well, then you're screwed, unless one of you happens to have a server outside the enormous NAT'd range that you can use as an intermediate.

NAT might not be the prettiest idea around but it has advantages beyond just expanding the available ip address space, and the biggest advantage is security

NAT gives almost no sec

Re:

[alphamugwump]

There's 6 billion people on earth, and 4 billion possible IP addresses (less, actually). Sooner or later, something is going to fail hard. At that point, they won't have a choice.

Re:

[Fred Ferrigno]

The point is that NAT has obviated the need for everyone to have a publicly-addressable IP address. Remember when Qatar [wikipedia.org] got blocked from Wikipedia? An entire country sits behind a single IP address. There are roughly 800,000 people in Qatar. At that rate, we only need about 7500 IP addresses for the entire planet.

As silly as that sounds, it might not be too far off from what ends up happening. If you want your own IP address, be prepared to pay a premium.

Re:

[jez9999]

How the heck does that work? Even NAT is limited to the number of local ports available, about 64k. What is 65k people in Qatar try to connect out at once?

Re:

[TheRaven64]

A TCP connection is uniquely identified by the tuple containing the source and destination ports and IPs. Since IPv4 allows 2^32 addresses on 2^16 ports, you could have a theoretical maximum of just under[1] 2^48 outbound connections on the same port, as long as they were all to different remote (IP,port) pairs. Last time I checked, the record for the maximum number of connections being handled by a single machine was over two million (on a FreeBSD box, although this was some years ago).

[1]You need to k

Re:Who gives a $%##?

[Organic Brain Damage]

Nevermind the fact that the insanely ridiculous kludge...

Check our DNA. We are, essentially, insanely ridiculous kludges. Nothing but organically accreted fixes to a long series of problems. Why should anyone be surprised that our technology mirrors this fundamental aspect of our selves?

The Japanese?

[jd]

They already deploy IPv6 nationally. Just because the US domestic market is more sluggish than a salted slug, it would be wrong to assume everyone else is as bad.

What's more, IPv4+NAT (as standard) doesn't give you half the features of IPv6. I've listed them before, I'll list them again here. Sure, not many use them NOW, but most of these are major areas of growth and Internet-aware devices will (sooner or later) have to use IPv6 to get the support they need.

• IPSec
• Anycasting
• Multicasting the ISPs can't turn off
• Mobile IP
• Mobile Networks
• Extensible Headers
• Router Discovery
• Automatic Configuration
• Per-destination MTU optimization

There are probably a whole bunch of other advantages not listed here. Go to your local USAGI dealership and test drive an IPv6 today.

Re:

[MichaelSmith]

Because too many people are happy with the current IPv4 + NAT insanity that is in place now

NAT is great for real world politics. I have some small networks which need to be set up in a certain way, and connected to the company LAN for the time being. But I don't want to have to redesign them to suit the current fashion in office networks so I just say to the network nazis that this network is really one box and you don't have to know what is behind the box. Its easier that way, believe me.

Same with my hom

Re:

[jlarocco]

NAT is great for real world politics. I have some small networks which need to be set up in a certain way, and connected to the company LAN for the time being. But I don't want to have to redesign them to suit the current fashion in office networks so I just say to the network nazis that this network is really one box and you don't have to know what is behind the box. Its easier that way, believe me.

I'm pretty sure you can use NAT and IPv6 at the same time. With IPv4 you're forced to use NAT because the

Re:

[tcopeland]

I don't know, looks like it's getting used in the 2008 Olympics [blogs.com] (via thenewsroom [thenewsroom.com]).

Re:

[asdfghjklqwertyuiop]

What's so insecure about IPv6?

The IETF screwed the pooch on this one

[possible]

As I understand it, it is not sufficient to simply ignoring the rthdr0 headers. To protect the infrastructure, the safest thing is for all implementations to immediately DROP any packets containing these headers to keep them from propagating further.

However, there are still people in the IETF who don't want to recognize the severity of their mistake. Why do we, as a community of implementors and consumers, continue to trust these guys as a protocol standards body? It is obvious that they don't understand how complexity is the enemy of security. They add features to protocols without any concrete examples of how the feature would be used, simply because they don't ever want to make a decision. Rather than saying "No, this feature is not worth the extra complexity, we are not going to include it", it is always "OK, we will allow this as an optional mode of operation".

In this case, this was done in a particularly egregious fashion, considering the security issues with source routing have been known since at least '93 or so (in IPv4).

Re:

[MichaelSmith]

As I understand it, it is not sufficient to simply ignoring the rthdr0 headers. To protect the infrastructure, the safest thing is for all implementations to immediately DROP any packets containing these headers to keep them from propagating further.

Well OK, but if you are on a closed network you might want to have this kind of control over routing. It should be supported, even if it is disabled on public networks.

Re:The IETF screwed the pooch on this one

[Trepalium]

Standards bodies attract certain types of people, and it's no real surprise that the IETF is infested with them now. Read an ITU standard some day if you want to know how bad it can be. There's a reason why we use TCP/IP instead of the OSI protocol, why we use SMTP instead of X.400, LDAP instead of X.500, etc. For a rather depressing story about standards bodies, read the Wikipedia article about ATM [wikipedia.org] about the choice of 48-byte payloads. I seriously doubt the IETF will ever be able to exercise these people from it's midst. Many of them were placed there to represent the interests of a particular corporation. Even if you replace the IETF with another standards organization, these same people would simply be moved into that organization.

What's with all the anti-IPv6 stuff lately?

[Ant P.]

Is something bigger going on that we don't know about? Just wondering.

Re:What's with all the anti-IPv6 stuff lately?

[laffer1]

People are actually starting to look at IPv6 security. The recent OpenBSD issues highlighted the problem. OpenBSD, FreeBSD and MidnightBSD should all be patched for this issue. OpenBSD chose to turn it off completely for now. There is some talk about adding support to PF for blocking specific traffic. FreeBSD and MidnightBSD both used a patch that adds a new sysctl to disable the feature by default, but still allow it. As I recall, the reason its in the spec to begin with is for research purposes. I don't follow DragonFly or NetBSD enough to know if they've patched yet.

Nothing New

[jjeffrey]

How is this different to source routing packets in IPv4? Surely people will just configure firewalls and hosts to drop these packets in exactly the same way as is done for IPv4 now.

Re:

[Opportunist]

...or not, just like they don't now.

ISPs will. No doubt about that. Will end users become magically enlightened over night when IPv6 finally hits the masses? I kinda doubt that.

Security Through Poorly Understood New Features

[WED Fan]

Got to love new tech biting you in the butt.

Act NOW! The world is falling!

[Opportunist]

Oh. No, wait, he said IPv6. Ok, then we got a little time to fix it. Even though it's about due in 2 years to become the next big thing. It has to, it's been due in 2 years for about 10 years now.

Early IPv6 drafts had limited the Type 0 route len

[Jim Logajan]

Some history and information:

The earlier drafts of the IPv6 RFCs had limited the Type 0 routing addresses to 23 per extension header. The current limit is theoretically 128, though maximum packet size through any one link will tend to get in the way.

The number of times an IPv6 packet may ping-pong is limited by the Hop Limit field, which is an 8 but unsigned integer (i.e. 255 times).

While it is true that a very permissive router or host may process a packet with more than one Type 0 routing header, RFC 2460 strongly recommends that a router or host only process one such extension header.

One product that has been designed to locate implementation problems with IPv6 stacks (it can't do anything about design flaws!) is the Maxwell product from http://www.iwl.com/ [iwl.com]. Truth in advertising requires that I point out I helped create some of the test cases for that product (however, I am not an employee of IWL or own any equity or options on equity in the company).

Aren't the old excuses still good anymore?

[ClosedSource]

Isn't the conventional wisdom that due to the end-to-end argument, it's OS and application problem by definition?

Re:

[Vegeta99]

Asking people to "disable by default" seems to be the old excuse.

Make the default "Off"

[mark-t]

Because it seems to me that this could be useful, so it makes sense to still forward these sorts of packets along.. but the default would be to do it optimally rather than following the explicit route.

One possible and very practical use for this could be to send data across networks that don't happen share the same address space (ignoring the fact that IPv6 gives you so many addresses that you probably wouldn't ever _need_ to use different address spaces, it's still potentially possible that somone might

Already fixed in OpenBSD

[whamett]

The patch was released on April 27 [openbsd.org]. Now that's quick!

The OpenBSD project does a great job with security [openbsd.org]; other development teams could learn a lot from them.

Re:

[DaleGlass]

I looked at the patch, and placing #if 0 / #endif around the code isn't particularly impressive.

Sure, good job on getting it out of the way, but it's not like they came up with an actual fix, they simply disabled it.

typical design stupidity

[nanosquid]

Instead of making the next generation IP standard a simple extension that makes address fields a little larger and maybe fixes one or two long standing bugs, the IPv6 people redesigned things from scratch.

It's no wonder people are reluctant to adopt IPv6.

Why Estonians?

[Reigo Reinmets]

Excuse me, but i believe Russians are the DDOS attackers, specially lately, when they are bombing Estonia IT networks because of their stupid monument.

I live in Estonia, and no, i don't speak Russian language.

Now, maybe a big part of the world doesn't even know where Estonia is, but We are quite advanced IT country, here's some examples:
* We got National ID cards - and loads of services that use it as identification
* We just launched a cellphone based ID service, that basically replaces the need for a smart

Original CanSecWest presentation

[mrogers]

The CanSecWest presentation that started all this is available here [secdev.org].

Re:

[Drooling Iguana]

Well that covers a lot more people, then.

Re:

[BluBrick]

Hei! That's not a monkey on my arm, it's a chimpanzee!

Re:

[QuickFox]

You forgot his purple t-shirt with a picture of a tiger in yellow and green attacking a mouse. How could you forget the t-shirt? Especially that t-shirt!

Re:

[McGiraf]

hey! It's not nice to call people nerds.

Re:

[jguthrie]

I've been using IPv6 for nearly a decade, but most of the IPv6 traffic on my LAN is local to the LAN. There are very few interesting places on the Internet that have IPv6 addresses and fewer end users coming from IPv6 capable nodes.

Re:

[jguthrie]

The benefits? None that I can think of at the moment. In fact, while my initial connection was a pretty stable one to the 6bone through Sprint, the current connection is flaky as hell and it's a minor pain to keep checking it to make sure I can ping the other end of the tunnel. One of these days, I'll automate the testing and reconnection of it, but it'll have to wait until it's a whole lot more important to me. Mostly I just ignore it and test it when I think about it. The only thing that it hurts whe

Re:

[MadAhab]

NAT sux. it's kind of a hack and it complicates firewalling greatly.

IPv6 does not forbid firewalls. in fact they will work better without NAT.

The complaint makes no sense

[dbIII]

The first one... no use of firewalls or NAT devices.

Neither does IPv4 - these things are seperate to the spec and could be added on to IPv6 as well - although NAT is a kludge to get around running out of addresses which you would not currently need for IPv6.

There are a lot of IPv6 firewalls out there, the traffic has to be routed to get to you and your firewall at the incoming connection can block everything other than the required ports so long as it can understand IPv6.

There's some good books out there o

Re:

[Dunbal]

a racial slur

Being Estonian is not a slur, sir, it's a compliment!

It all depends on your point of view, racist :P