Date: Sun, 5 Apr 2020 14:33:13 +0200
From: Dennis Kögel <dk@neveragain.de>
To: Philip Homburg <pch-fbsd-2@u-1.phicoh.com>
Cc: freebsd-net@freebsd.org, Hiroki Sato <hrs@freebsd.org>, "Bjoern A. Zeeb" <bz@FreeBSD.org>
Subject: Re: Revisiting FreeBSD-SA-08:10.nd6 (or: avoiding IPv6 pain)
Message-ID: <EED1B4F2-355C-4954-82B2-601F24C93D18@neveragain.de>
In-Reply-To: <m1j9pbX-0000F6C@stereo.hq.phicoh.net>
References: <m1j9pbX-0000F6C@stereo.hq.phicoh.net>

Dear all,

On 05.03.2020 at 13:27, Philip Homburg <pch-fbsd-2@u-1.phicoh.com> wrote:
> In your letter dated Wed, 4 Mar 2020 21:10:09 +0100 you wrote:
>> This flag was introduced in a 2008 Security Advisory, because "non-neighbors"
>> could abuse Neighbor Discovery to potentially cause denial-of-service situations.
>> In my situation it caused valid Neighbor Solicitation packets from my provider
>> to be silently dropped, making the connection effectively unusable.
> [...]
> That said, there is a specific check in processing Neighbor Discovery packets
> that the hop limit is equal to 255. In that sense any node that manages to
> send a packet with hop limit 255 is a neighbor, so I don't quite see how there
> could be an attack by non-neighbors.

Some time has passed, therefore I'd like to ask if and how we should proceed on this issue.

AFAICT nobody came up with a good reason to keep the current default, at least for host nodes.

Given that the default causes weird issues in some few environments, it puts FreeBSD at a disadvantage -- other OS, even some other BSDs, "just work".
Another factor is that this problem appears only intermittently and is very not-obvious to figure out.

Basically,
1) change default to NOT ignore those NSol requests -- or
2) always print the corresponding warning message (instead of debug=1) -- or
3) do nothing.

I'm not too familiar with FreeBSD procedures, should I open an issue in bugzilla? And/or submit a patch?

Thanks in advance,
- D.
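
The two checks discussed in this message, as an added user-space model (not FreeBSD kernel code and not from the thread): the hop-limit test quoted above, and, as an assumption about what the advisory's default enforces, a requirement that the solicitation's source lie inside a prefix configured on the receiving interface. `ns_accept`, `struct onlink_prefix` and all addresses are constructed for illustration.

```c
/* Added illustration: user-space model, not FreeBSD kernel code. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct onlink_prefix { const char *addr; unsigned len; }; /* hypothetical */

/* Constructed sample: prefixes configured on the receiving interface. */
static const struct onlink_prefix sample_pfx[] = {
    { "2001:db8:1::", 64 }, { "fe80::", 64 },
};

/* True if the first len bits of a and b are equal. */
static bool prefix_match(const struct in6_addr *a, const struct in6_addr *b,
                         unsigned len)
{
    if (len > 128) len = 128;
    unsigned full = len / 8, rem = len % 8;
    for (unsigned i = 0; i < full; i++)
        if (a->s6_addr[i] != b->s6_addr[i]) return false;
    if (rem == 0) return true;
    uint8_t mask = (uint8_t)(0xff << (8 - rem));
    return ((a->s6_addr[full] ^ b->s6_addr[full]) & mask) == 0;
}

/* strict_onlink=true models the default under discussion (assumption:
 * the source must lie inside a prefix configured on the interface). */
bool ns_accept(int hop_limit, const char *src,
               const struct onlink_prefix *pfx, size_t n, bool strict_onlink)
{
    struct in6_addr s, p;
    if (hop_limit != 255) return false;      /* a router would have decremented it */
    if (inet_pton(AF_INET6, src, &s) != 1) return false;
    if (!strict_onlink || IN6_IS_ADDR_UNSPECIFIED(&s)) return true; /* :: = DAD probe */
    for (size_t i = 0; i < n; i++)
        if (inet_pton(AF_INET6, pfx[i].addr, &p) == 1 &&
            prefix_match(&s, &p, pfx[i].len)) return true;
    return false;                            /* dropped, silently unless logged */
}

int main(void)
{
    const char *provider = "2001:db8:ffff::1";  /* constructed off-prefix router */
    printf("strict:   %d\n", ns_accept(255, provider, sample_pfx, 2, true));
    printf("rfc-only: %d\n", ns_accept(255, provider, sample_pfx, 2, false));
    return 0;
}
```

In this model the same hop-limit-255 solicitation from an off-prefix source is dropped under the strict setting and accepted when only the hop-limit check applies, which is the difference between options 1 and 3 in the message.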