Date: Mon, 25 Apr 2022 04:42:40 +0000 From: bugzilla-noreply@freebsd.org To: net@FreeBSD.org Subject: [Bug 263288] IPv6 system not responding to Neighbor Solicitation Message-ID: <bug-263288-7501-TSucn5xdSF@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-263288-7501@https.bugs.freebsd.org/bugzilla/> References: <bug-263288-7501@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D263288 --- Comment #16 from Zhenlei Huang <zlei.huang@gmail.com> --- (In reply to wcarson.bugzilla from comment #15) >From the pcap you provided, I see your upstream router is advertising prefix without the 'on-link' flag. It is basically same as my testing environment = #12 except that your provider utilize HSRP to achieve first hop router failover. I can confirm CentOS 8 work greatly with such case. It seems Linux is not affected by CVE-2008-2476. The problem is a little complicated. If it is a good practice for network a= dmin to advertise IPv6 prefix without 'on-link' flag, I think the problem will be common eventually. As `net.inet6.icmp6.nd6_onlink_ns_rfc4861` has some side effect, I wonder if there is better solution to resolve CVE-2008-2476. The problem affects 12.3, 13.0, 13.1-RC4, stable/13 and current. To work ar= ound it, set 'net.inet6.icmp6.nd6_onlink_ns_rfc4861' to none-zero. As IPv6 addresses is sufficient, most cloud providers provide at least a si= ngle dedicated /64 block to the customer. In this case I think CVE-2008-2476 cou= ld not happen, thus it is safe for providers to advertise prefixes with 'on-li= nk' flag, or for FreeBSD users to change `net.inet6.icmp6.nd6_onlink_ns_rfc4861= ` to none-zero. @wcarson.bugzilla you can contact your provider to confirm if the prefix 2600:3c00::/64 is dedicated for your host. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-263288-7501-TSucn5xdSF>