Date: Tue, 22 Jul 2014 12:35:22 -0700
From: Loganaden Velvindron <logan@elandsys.com>
To: jinmei <jinmei@wide.ad.jp>
Cc: FreeBSD Net <freebsd-net@freebsd.org>, bz@freebsd.org, gnn@freebsd.org
Subject: Re: IPv6 nodeinfo default behaviour
Message-ID: <20140722193521.GA20775@mx.elandsys.com>
In-Reply-To: <CAJE_bqeTmhAYztPDuWH_4Tth1ymHbQKZx38n6Ttms9rvrjw=GA@mail.gmail.com>
References: <20140720090410.GA7990@mx.elandsys.com> <CAJE_bqexFJJBNQNt5-2YJ-PK+=1Hux0r0avMFAuX1bS5mZCT+g@mail.gmail.com> <20140722170150.GA971@mx.elandsys.com> <CAJE_bqeTmhAYztPDuWH_4Tth1ymHbQKZx38n6Ttms9rvrjw=GA@mail.gmail.com>
On Tue, Jul 22, 2014 at 11:25:37AM -0700, JINMEI Tatuya wrote:
> At Tue, 22 Jul 2014 10:01:50 -0700,
> Loganaden Velvindron <logan@elandsys.com> wrote:
>
> > > > > Security Considerations
> > > > >
> > > > > This protocol has the potential of revealing information useful to a
> > > > > would-be attacker. An implementation of this protocol MUST have a
> > > > > default configuration that refuses to answer queries from global-
> > > > > scope [3] addresses.
> > > >
> > > > I suggest that we switch to 0 by default to be more RFC compliant.
> > >
> > > Are you referring to the value of '(V_)icmp6_nodeinfo'?
> >
> > I'm referring to the sysctl:
> >
> > net.inet6.icmp6.nodeinfo.
>
> These two are essentially the same in this context: this sysctl is an
> interface to (V_)icmp6_nodeinfo. This variable is set to
> ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_NODEADDROK by default,
> and since ICMP6_NODEINFO_FQDNOK and ICMP6_NODEINFO_NODEADDROK are 0x1
> and 0x2, respectively, the default value of the sysctl variable is 3
> by default.
>
> In your original message, you said
>
> > > > I suggest that we switch to 0 by default to be more RFC compliant.
>
> and I tried to point out that it didn't make sense because "to be more
> RFC compliant" it doesn't have to switch to 0, it just needs to have
> the ICMP6_NODEINFO_GLOBALOK flag (0x8) cleared, and the current
> default meets the condition already.
>
> Now you're changing the reason:
>
> > I think that it's sensible to turn it to 0 by default, unless you need
> > it.
>
> Unlike being "RFC compliant", whether something is "sensible" is

Sorry for the confusion I created.

> usually subjective, and different people may have different opinions.
> Personally, I often find "ping6 -w" quite useful for debugging
> purposes, and I think limiting its use to link-local by default gives

Agreed. Perhaps we should enable it only when we need to debug.

> a reasonable level of defense (and, disabling it by default would
> reduce the usability pretty much). So I'd rather prefer keeping the
> current default, but, again, other people may have a different
> preference.
>
> --
> JINMEI, Tatuya
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
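A small audit script, added here as an example and not taken from the thread or from FreeBSD itself, that decodes the flag bits discussed above (FQDNOK 0x1, NODEADDROK 0x2, GLOBALOK 0x8, plus TMPADDROK 0x4 from FreeBSD's sys/netinet/icmp6.h) and reports whether a host's net.inet6.icmp6.nodeinfo value meets the RFC 4620 requirement of refusing queries from global-scope addresses. It assumes a FreeBSD sysctl is present and falls back to the default value 3 quoted in the thread elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread): decode the FreeBSD sysctl
# net.inet6.icmp6.nodeinfo bitmask and report whether the host will answer
# ICMPv6 Node Information queries from global-scope addresses.
# FQDNOK 0x1, NODEADDROK 0x2 and GLOBALOK 0x8 are the values quoted in the
# thread; TMPADDROK 0x4 is taken from FreeBSD's sys/netinet/icmp6.h.

# nodeinfo_flags VALUE: print the name of each set flag, one per line.
nodeinfo_flags() {
    v=$1
    [ $((v & 1)) -ne 0 ] && echo FQDNOK
    [ $((v & 2)) -ne 0 ] && echo NODEADDROK
    [ $((v & 4)) -ne 0 ] && echo TMPADDROK
    [ $((v & 8)) -ne 0 ] && echo GLOBALOK
    return 0
}

# nodeinfo_scope VALUE: "global" when GLOBALOK is set (queries from
# global-scope addresses are answered), otherwise "link-local".
nodeinfo_scope() {
    if [ $(($1 & 8)) -ne 0 ]; then echo global; else echo link-local; fi
}

# audit_nodeinfo VALUE: exit status 0 when the RFC 4620 MUST is met
# (global-scope queries refused), 1 when GLOBALOK is set. Both 0 and the
# default 3 pass: only bit 0x8 matters for this check, as the thread notes.
audit_nodeinfo() {
    flags=$(nodeinfo_flags "$1" | tr '\n' ' ')
    if [ "$(nodeinfo_scope "$1")" = global ]; then
        echo "nodeinfo=$1 [$flags]: answers global-scope queries; clear 0x8"
        return 1
    fi
    echo "nodeinfo=$1 [$flags]: global-scope queries refused (RFC 4620 default met)"
    return 0
}

# Read the live value on FreeBSD; elsewhere fall back to the default of 3
# (FQDNOK|NODEADDROK) quoted in the thread so the script still runs.
val=$(sysctl -n net.inet6.icmp6.nodeinfo 2>/dev/null || echo 3)
if audit_nodeinfo "$val"; then
    :   # compliant with the RFC 4620 default; nothing to change
else
    echo "remediation: sysctl net.inet6.icmp6.nodeinfo=$((val & ~8))"
fi
```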