Date: Mon, 11 Dec 2017 14:55:28 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 224247] RFC 6980 requires to drop fragmented IPv6 neighbour discovery Message-ID: <bug-224247-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D224247 Bug ID: 224247 Summary: RFC 6980 requires to drop fragmented IPv6 neighbour discovery Product: Base System Version: 11.1-STABLE Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: lutz@donnerhacke.de Created attachment 188720 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D188720&action= =3Dedit Drop malicious packets as required by RFC 6980 RFC6980 says: ---8<--- Nodes MUST silently ignore the following Neighbor Discovery and SEcure Neighbor Discovery messages if the packets carrying them include an IPv6 Fragmentation Header: o Neighbor Solicitation o Neighbor Advertisement o Router Solicitation o Router Advertisement o Redirect o Certification Path Solicitation Nodes SHOULD normally process the following messages when the packets carrying them include an IPv6 Fragmentation Header: o Certification Path Advertisement SEND nodes SHOULD NOT employ keys that would result in fragmented CPA messages. ---8<--- A recent talk about this RFC showed, that FreeBSD fails in all respects to fulfill the minimal protection: http://www.denog.de/de/meetings/denog9/agenda.html#rfc6980 I hope, that the attached patch does fix the issue: - Fragment handling becomes a protocol specific mbuf-flag. - At detailed protocol level silent drop is implemented. - Certification Path messages are unsupported, so no sysctl to deal with the SHOULD is needed. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-224247-8>