From owner-freebsd-net@FreeBSD.ORG Tue Jul 22 17:01:53 2014
Date: Tue, 22 Jul 2014 10:01:50 -0700
From: Loganaden Velvindron
To: Jinmei
Cc: freebsd-net@freebsd.org, bz@freebsd.org, gnn@freebsd.org
Subject: Re: IPv6 nodeinfo default behaviour
Message-ID: <20140722170150.GA971@mx.elandsys.com>
References: <20140720090410.GA7990@mx.elandsys.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
List-Id: Networking and TCP/IP with FreeBSD

On Tue, Jul 22, 2014 at 09:53:13AM -0700, JINMEI, Tatuya wrote:
> At Sun, 20 Jul 2014 02:04:10 -0700,
> Loganaden Velvindron wrote:
>
> > Security Considerations
> >
> > This protocol shares the security issues of ICMPv6 that are
> > documented in the "Security Considerations" section of [5].
> >
> > This protocol has the potential of revealing information useful to a
> > would-be attacker. An implementation of this protocol MUST have a
> > default configuration that refuses to answer queries from global-
> > scope [3] addresses.
> >
> > I suggest that we switch to 0 by default to be more RFC compliant.
>
> Are you referring to the value of '(V_)icmp6_nodeinfo'?

I'm referring to the sysctl: net.inet6.icmp6.nodeinfo. In FreeBSD it's 3 by
default. OpenBSD switched it to 0, then later removed it completely.

I think that it's sensible to turn it to 0 by default, unless you need it.

> If so, and to be compliant with the above MUST of the RFC, it doesn't
> seem to have to be 0; it only has to have the ICMP6_NODEINFO_GLOBALOK
> bit cleared:
>
> 	/*
> 	 * Validate IPv6 source address.
> 	 * The default configuration MUST be to refuse answering queries from
> 	 * global-scope addresses according to RFC4602.
> 	 * Notes:
> 	 *  - it's not very clear what "refuse" means; this implementation
> 	 *    simply drops it.
> 	 *  - it's not very easy to identify global-scope (unicast) addresses
> 	 *    since there are many prefixes for them.  It should be safer
> 	 *    and in practice sufficient to check "all" but loopback and
> 	 *    link-local (note that site-local unicast was deprecated and
> 	 *    ULA is defined as global scope-wise)
> 	 */
> 	if ((V_icmp6_nodeinfo & ICMP6_NODEINFO_GLOBALOK) == 0 &&
> 	    !IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) &&
> 	    !IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_src))
> 		goto bad;
>
> and the default value already seems to meet this condition:
>
> 	VNET_DEFINE(int, icmp6_nodeinfo) =
> 	    (ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_NODEADDROK);
>
> --
> JINMEI, Tatuya
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
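The thread turns on how the bits of net.inet6.icmp6.nodeinfo gate a Node Information query: the GLOBALOK bit controls whether non-loopback, non-link-local sources are answered at all, and the FQDNOK and NODEADDROK bits control which query types are answered. The following user-space model of that decision is an added example, not code from the thread or from FreeBSD's icmp6.c. It assumes the flag values FQDNOK=0x1, NODEADDROK=0x2 and GLOBALOK=0x8 (consistent with the default of 3 named above), assumes a sysctl value of 0 disables replies entirely, and reuses the quoted source-address test verbatim via the standard IN6_IS_ADDR_LOOPBACK/IN6_IS_ADDR_LINKLOCAL macros. The ni_policy function and the verdict enum are this example's own names.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>

/* Flag bits of the net.inet6.icmp6.nodeinfo sysctl.  The numeric values are
 * an assumption of this example; the thread's default of 3 equals
 * FQDNOK|NODEADDROK under them. */
#define ICMP6_NODEINFO_FQDNOK      0x1
#define ICMP6_NODEINFO_NODEADDROK  0x2
#define ICMP6_NODEINFO_GLOBALOK    0x8

/* Query types modelled here (example names, not the kernel's). */
enum ni_qtype { NI_QTYPE_FQDN, NI_QTYPE_NODEADDR };

/* What the responder would do with a query (example names). */
enum ni_verdict {
    NI_ANSWER,           /* query passes every check */
    NI_DROP_BADADDR,     /* source address did not parse */
    NI_DROP_DISABLED,    /* sysctl is 0: feature off (assumption) */
    NI_DROP_GLOBAL_SRC,  /* GLOBALOK clear and source not loopback/link-local */
    NI_DROP_QTYPE        /* the bit for this query type is clear */
};

/* Decide whether a Node Information query of type `qtype` from the
 * presentation-form IPv6 address `src` is answered under sysctl value
 * `nodeinfo`.  The source test mirrors the quoted kernel condition:
 * anything that is neither loopback nor link-local counts as "global",
 * so ULA (fc00::/7) is refused by default as the kernel comment notes. */
enum ni_verdict ni_policy(int nodeinfo, enum ni_qtype qtype, const char *src)
{
    struct in6_addr a;

    if (inet_pton(AF_INET6, src, &a) != 1)
        return NI_DROP_BADADDR;
    if (nodeinfo == 0)
        return NI_DROP_DISABLED;
    if ((nodeinfo & ICMP6_NODEINFO_GLOBALOK) == 0 &&
        !IN6_IS_ADDR_LOOPBACK(&a) &&
        !IN6_IS_ADDR_LINKLOCAL(&a))
        return NI_DROP_GLOBAL_SRC;
    if (qtype == NI_QTYPE_FQDN && (nodeinfo & ICMP6_NODEINFO_FQDNOK) == 0)
        return NI_DROP_QTYPE;
    if (qtype == NI_QTYPE_NODEADDR && (nodeinfo & ICMP6_NODEINFO_NODEADDROK) == 0)
        return NI_DROP_QTYPE;
    return NI_ANSWER;
}

static const char *verdict_name(enum ni_verdict v)
{
    static const char *names[] = {
        "answer", "drop: bad address", "drop: disabled",
        "drop: global source", "drop: query type not enabled"
    };
    return names[v];
}

int main(void)
{
    /* Constructed sample sources: loopback, link-local, ULA, global unicast. */
    const char *srcs[] = { "::1", "fe80::1", "fd00::1", "2001:db8::1" };
    const int settings[] = { 0, 3, 3 | ICMP6_NODEINFO_GLOBALOK };
    size_t i, j;

    for (i = 0; i < sizeof settings / sizeof settings[0]; i++)
        for (j = 0; j < sizeof srcs / sizeof srcs[0]; j++)
            printf("nodeinfo=%2d  FQDN query from %-12s -> %s\n",
                   settings[i], srcs[j],
                   verdict_name(ni_policy(settings[i], NI_QTYPE_FQDN, srcs[j])));
    return 0;
}
```

Running it shows the point both participants make: with the default of 3 a query from 2001:db8::1 or from a ULA address is dropped while ::1 and fe80::1 are answered, setting the value to 0 drops everything, and only a value with the 0x8 bit set answers global sources.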