Date: Tue, 22 Jul 2014 11:25:37 -0700
From: 神明達哉 <jinmei@wide.ad.jp>
To: Loganaden Velvindron <logan@elandsys.com>
Cc: FreeBSD Net <freebsd-net@freebsd.org>, bz@freebsd.org, gnn@freebsd.org
Subject: Re: IPv6 nodeinfo default behaviour
Message-ID: <CAJE_bqeTmhAYztPDuWH_4Tth1ymHbQKZx38n6Ttms9rvrjw=GA@mail.gmail.com>
In-Reply-To: <20140722170150.GA971@mx.elandsys.com>
References: <20140720090410.GA7990@mx.elandsys.com> <CAJE_bqexFJJBNQNt5-2YJ-PK+=1Hux0r0avMFAuX1bS5mZCT+g@mail.gmail.com> <20140722170150.GA971@mx.elandsys.com>
At Tue, 22 Jul 2014 10:01:50 -0700,
Loganaden Velvindron <logan@elandsys.com> wrote:

> > > Security Considerations
> > >
> > > This protocol has the potential of revealing information useful to a
> > > would-be attacker. An implementation of this protocol MUST have a
> > > default configuration that refuses to answer queries from global-scope
> > > [3] addresses.
> > >
> > > I suggest that we switch to 0 by default to be more RFC compliant.
> >
> > Are you referring to the value of '(V_)icmp6_nodeinfo'?
>
> I'm referring to the sysctl:
>
> net.inet6.icmp6.nodeinfo.

These two are essentially the same in this context: this sysctl is an
interface to (V_)icmp6_nodeinfo. This variable is set to
ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_NODEADDROK by default, and since
ICMP6_NODEINFO_FQDNOK and ICMP6_NODEINFO_NODEADDROK are 0x1 and 0x2,
respectively, the default value of the sysctl variable is 3.

In your original message, you said

> > > I suggest that we switch to 0 by default to be more RFC compliant.

and I tried to point out that it didn't make sense because "to be more
RFC compliant" it doesn't have to switch to 0; it just needs to have the
ICMP6_NODEINFO_GLOBALOK flag (0x8) cleared, and the current default
meets the condition already.

Now you're changing the reason:

> I think that it's sensible to turn it to 0 by default, unless you need
> it.

Unlike being "RFC compliant", whether something is "sensible" is usually
subjective, and different people may have different opinions.
Personally, I often find "ping6 -w" quite useful for debugging purposes,
and I think limiting its use to link-local by default gives a reasonable
level of defense (and disabling it by default would reduce the usability
pretty much). So I'd rather prefer keeping the current default, but,
again, other people may have a different preference.

--
JINMEI, Tatuya
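The flag arithmetic in the message above (FQDNOK 0x1, NODEADDROK 0x2, GLOBALOK 0x8, default 3, and "RFC compliant" meaning only that GLOBALOK is clear) can be checked mechanically rather than by hand. The following POSIX sh script is an added example, not code from the thread or from FreeBSD: it decodes a net.inet6.icmp6.nodeinfo value into flag names, reports whether the GLOBALOK bit is set, and, when run with the argument `live` on a FreeBSD host, reads the real sysctl. The function names are assumptions of this example, as is the TMPADDROK (0x4) constant, which the message does not mention but which FreeBSD's netinet/icmp6.h defines next to the three flags the message names.

```shell
#!/bin/sh
# Example (not from the thread or FreeBSD): decode the FreeBSD
# net.inet6.icmp6.nodeinfo bitmask and report whether it answers
# ICMPv6 node information queries from global-scope sources.

# Flag values as named in the message (ICMP6_NODEINFO_* in netinet/icmp6.h).
# TMPADDROK is an assumption taken from the same header; the message does
# not mention it.
NODEINFO_FQDNOK=1
NODEINFO_NODEADDROK=2
NODEINFO_TMPADDROK=4
NODEINFO_GLOBALOK=8

# nodeinfo_flags VALUE
#   Prints the names of the flags set in VALUE, space separated
#   (empty line for 0).  Example: nodeinfo_flags 3 -> "FQDNOK NODEADDROK"
nodeinfo_flags() {
    v=$(($1))
    out=""
    [ $((v & NODEINFO_FQDNOK)) -ne 0 ]     && out="$out FQDNOK"
    [ $((v & NODEINFO_NODEADDROK)) -ne 0 ] && out="$out NODEADDROK"
    [ $((v & NODEINFO_TMPADDROK)) -ne 0 ]  && out="$out TMPADDROK"
    [ $((v & NODEINFO_GLOBALOK)) -ne 0 ]   && out="$out GLOBALOK"
    printf '%s\n' "${out# }"
}

# nodeinfo_allows_global VALUE
#   Exit status 0 when the GLOBALOK bit is set, i.e. queries from
#   global-scope addresses would be answered; 1 otherwise.
nodeinfo_allows_global() {
    [ $(($(($1)) & NODEINFO_GLOBALOK)) -ne 0 ]
}

# nodeinfo_check VALUE
#   One-line verdict on VALUE, following the distinction drawn in the
#   message: 0 disables the service entirely; any value without GLOBALOK
#   already meets the RFC default (refuse global-scope queries); a value
#   with GLOBALOK set does not.
nodeinfo_check() {
    v=$(($1))
    if [ "$v" -eq 0 ]; then
        printf '%s\n' "disabled: node information queries are never answered"
    elif nodeinfo_allows_global "$v"; then
        printf '%s\n' "WARNING: answers node information queries from global-scope addresses (not the RFC default)"
    else
        printf '%s\n' "ok: refuses global-scope queries (RFC default), link-local queries such as ping6 -w still work"
    fi
}

# Live check on a FreeBSD host:  sh nodeinfo_check.sh live
# To take the "turn it to 0" option from the thread permanently, the usual
# place is /etc/sysctl.conf:  net.inet6.icmp6.nodeinfo=0
if [ "${1:-}" = "live" ]; then
    cur=$(sysctl -n net.inet6.icmp6.nodeinfo)
    printf 'net.inet6.icmp6.nodeinfo=%s: %s\n' "$cur" "$(nodeinfo_flags "$cur")"
    nodeinfo_check "$cur"
fi
```

Running `sh nodeinfo_check.sh live` on a stock FreeBSD box should print the value 3 decoded as `FQDNOK NODEADDROK` followed by the "ok" verdict; only a value with bit 0x8 set (11 with both query types enabled) produces the warning.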