From owner-freebsd-net@FreeBSD.ORG Tue Jul 22 19:35:25 2014
Date: Tue, 22 Jul 2014 12:35:22 -0700
From: Loganaden Velvindron
To: jinmei
Cc: FreeBSD Net, bz@freebsd.org, gnn@freebsd.org
Subject: Re: IPv6 nodeinfo default behaviour
Message-ID: <20140722193521.GA20775@mx.elandsys.com>
References: <20140720090410.GA7990@mx.elandsys.com> <20140722170150.GA971@mx.elandsys.com>
List-Id: Networking and TCP/IP with FreeBSD
User-Agent: Mutt/1.5.21 (2010-09-15)

On Tue, Jul 22, 2014 at 11:25:37AM -0700, JINMEI, Tatuya wrote:
> At Tue, 22 Jul 2014 10:01:50 -0700,
> Loganaden Velvindron wrote:
>
> > > > Security Considerations
> > > >
> > > > This protocol has the potential of revealing information useful to a
> > > > would-be attacker.  An implementation of this protocol MUST have a
> > > > default configuration that refuses to answer queries from global-scope
> > > > [3] addresses.
> > > >
> > > > I suggest that we switch to 0 by default to be more RFC compliant.
> > >
> > > Are you referring to the value of '(V_)icmp6_nodeinfo'?
> >
> > I'm referring to the sysctl:
> >
> > net.inet6.icmp6.nodeinfo.
>
> These two are essentially the same in this context: this sysctl is an
> interface to (V_)icmp6_nodeinfo.  This variable is set to
> ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_NODEADDROK by default,
> and since ICMP6_NODEINFO_FQDNOK and ICMP6_NODEINFO_NODEADDROK are 0x1
> and 0x2, respectively, the default value of the sysctl variable is 3
> by default.
>
> In your original message, you said
>
> > > > I suggest that we switch to 0 by default to be more RFC compliant.
>
> and I tried to point out that it didn't make sense because "to be more
> RFC compliant" it doesn't have to switch to 0, it just needs to have
> the ICMP6_NODEINFO_GLOBALOK flag (0x8) cleared, and the current
> default meets the condition already.
>
> Now you're changing the reason:
>
> > I think that it's sensible to turn it to 0 by default, unless you need
> > it.
>
> Unlike being "RFC compliant", whether something is "sensible" is
> usually subjective, and different people may have different opinions.

Sorry for the confusion I created.

> Personally, I often find "ping6 -w" quite useful for debugging
> purposes, and I think limiting its use to link-local by default gives
> a reasonable level of defense (and, disabling it by default would
> reduce the usability pretty much).

Agreed. Perhaps we should enable it only when we need to debug.

> So I'd rather prefer keeping the
> current default, but, again, other people may have a different
> preference.
>
> --
> JINMEI, Tatuya
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
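An added example, not part of the thread and not FreeBSD's own code, that makes the flag arithmetic Jinmei describes concrete: it decodes a net.inet6.icmp6.nodeinfo value into the ICMP6_NODEINFO_* bits, checks the RFC 4620 MUST (GLOBALOK clear, which the default value 3 already satisfies), models which queries a responder with a given value answers, and composes the sysctl.conf line for the "0 unless debugging" setting Loganaden proposes. The bit values (0x1, 0x2, 0x8) are the ones quoted in the thread; the helper names, the query-type/scope decision table and the address in the usage comment are this example's own assumptions, not a transcription of the kernel's responder code.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: decode and
# validate a net.inet6.icmp6.nodeinfo value against what the thread says.
# Flag values are the ones quoted in the thread (ICMP6_NODEINFO_* in the
# kernel header); the helper names below are this example's own.
NODEINFO_FQDNOK=1       # ICMP6_NODEINFO_FQDNOK:     answer FQDN queries
NODEINFO_NODEADDROK=2   # ICMP6_NODEINFO_NODEADDROK: answer node-address queries
NODEINFO_GLOBALOK=8     # ICMP6_NODEINFO_GLOBALOK:   also answer global-scope sources
NODEINFO_KNOWN=$((NODEINFO_FQDNOK | NODEINFO_NODEADDROK | NODEINFO_GLOBALOK))

# Print the flag names set in VALUE on one line ("(none)" for 0); bits the
# thread does not name are reported numerically rather than guessed at.
nodeinfo_decode() {
    v=$1; out=""
    if [ $((v & NODEINFO_FQDNOK)) -ne 0 ]; then out="$out FQDNOK"; fi
    if [ $((v & NODEINFO_NODEADDROK)) -ne 0 ]; then out="$out NODEADDROK"; fi
    if [ $((v & NODEINFO_GLOBALOK)) -ne 0 ]; then out="$out GLOBALOK"; fi
    rest=$((v & ~NODEINFO_KNOWN))
    if [ "$rest" -ne 0 ]; then out="$out OTHER(0x$(printf %x "$rest"))"; fi
    if [ -z "$out" ]; then echo "(none)"; else echo "${out# }"; fi
}

# Return 0 if VALUE meets the RFC 4620 MUST quoted in the thread (no answers
# to global-scope sources), i.e. GLOBALOK is clear; 1 otherwise.
nodeinfo_rfc4620_ok() {
    [ $(( $1 & NODEINFO_GLOBALOK )) -eq 0 ]
}

# Simplified model (this example's assumption) of the responder policy as
# the thread describes it: a query of QTYPE (fqdn|nodeaddr) from a source of
# SCOPE (linklocal|global) is answered only if the matching *OK bit is set
# and, for a global-scope source, GLOBALOK is set too. Prints yes/no.
nodeinfo_answers() {
    v=$1; qtype=$2; scope=$3
    case $qtype in
        fqdn)     need=$NODEINFO_FQDNOK ;;
        nodeaddr) need=$NODEINFO_NODEADDROK ;;
        *) echo "unknown query type: $qtype" >&2; return 2 ;;
    esac
    case $scope in
        linklocal) ;;
        global) need=$((need | NODEINFO_GLOBALOK)) ;;
        *) echo "unknown scope: $scope" >&2; return 2 ;;
    esac
    if [ $((v & need)) -eq "$need" ]; then echo yes; return 0; fi
    echo no; return 1
}

# Compose a sysctl.conf line from flag names; no names gives 0 (fully off),
# FQDNOK NODEADDROK gives the current default of 3.
nodeinfo_sysctl_line() {
    total=0
    for f in "$@"; do
        case $f in
            FQDNOK)     total=$((total | NODEINFO_FQDNOK)) ;;
            NODEADDROK) total=$((total | NODEINFO_NODEADDROK)) ;;
            GLOBALOK)   total=$((total | NODEINFO_GLOBALOK)) ;;
            *) echo "unknown flag: $f" >&2; return 2 ;;
        esac
    done
    echo "net.inet6.icmp6.nodeinfo=$total"
}

# Usage on a FreeBSD host (not run here; fe80::1%em0 is an example address):
#   cur=$(sysctl -n net.inet6.icmp6.nodeinfo)
#   echo "nodeinfo=$cur: $(nodeinfo_decode "$cur")"
#   nodeinfo_rfc4620_ok "$cur" || echo "WARNING: answering global-scope sources"
#   # Jinmei's debugging case, an FQDN query to a link-local neighbour:
#   #   ping6 -w fe80::1%em0
#   # Loganaden's proposal, applied only while not debugging:
#   #   sysctl net.inet6.icmp6.nodeinfo=0
#   #   sysctl net.inet6.icmp6.nodeinfo=3   # restore the default afterwards
```

The point the model makes explicit is the one Jinmei argues: value 3 already refuses every query from a global-scope source, so the RFC text alone does not require 0; going to 0 is a usability trade-off (no "ping6 -w" from neighbours either), not a compliance fix.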