From: Dennis Kögel <dk@neveragain.de>
To: Philip Homburg
Cc: freebsd-net@freebsd.org, Hiroki Sato, "Bjoern A. Zeeb"
Subject: Re: Revisiting FreeBSD-SA-08:10.nd6 (or: avoiding IPv6 pain)
Date: Sun, 5 Apr 2020 14:33:13 +0200
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

Dear all,

On 05.03.2020 at 13:27, Philip Homburg wrote:

> In your letter dated Wed, 4 Mar 2020 21:10:09 +0100 you wrote:
>> This flag was introduced in a 2008 Security Advisory, because "non-neighbors"
>> could abuse Neighbor Discovery to potentially cause denial-of-service situations.
>> In my situation it caused valid Neighbor Solicitation packets from my provider
>> to be silently dropped, making the connection effectively unusable.
> [...]
> That said, there is a specific check in processing Neighbor Discovery packets
> that the hop limit is equal to 255. In that sense any node that manages to
> send a packet with hop limit 255 is a neighbor, so I don't quite see how there
> could be an attack by non-neighbors.

Some time has passed, therefore I'd like to ask if and how we should proceed on this issue.

AFAICT nobody came up with a good reason to keep the current default, at least for host nodes.

Given that the default causes weird issues in a few environments, it puts FreeBSD at a disadvantage -- other OSes, even some other BSDs, "just work".

Another factor is that this problem appears only intermittently and is very non-obvious to figure out.

Basically,

1) change the default to NOT ignore those NSol requests -- or
2) always print the corresponding warning message (instead of debug=1) -- or
3) do nothing.

I'm not too familiar with FreeBSD procedures; should I open an issue in Bugzilla and/or submit a patch?

Thanks in advance,
- D.
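As an added illustration (not code from FreeBSD, nor from anyone in this thread), the following Python models the two Neighbor Solicitation acceptance rules compared in the quoted exchange: RFC 4861's hop-limit-255 test, versus the additional "source must be on-link" test that the 2008 advisory made the default. The sysctl name net.inet6.icmp6.nd6_onlink_ns_rfc4861 is as I recall it from that advisory and is not named in the message above; the on-link prefix and the four packets are constructed test inputs, and the reason strings are illustrative rather than the kernel's log text.

```python
# Added illustration (not FreeBSD source): model of the two NS acceptance
# rules discussed in the thread, run over constructed test packets.
from dataclasses import dataclass
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNSPECIFIED = ipaddress.IPv6Address("::")


@dataclass(frozen=True)
class NeighborSolicitation:
    src: str        # IPv6 source address as text
    hop_limit: int  # value of the IPv6 Hop Limit field on receipt
    target: str     # target address being solicited


def rfc4861_hop_limit_ok(ns: NeighborSolicitation) -> bool:
    """RFC 4861 section 7.1.1: an NS is valid only if the Hop Limit is 255.
    Every router decrements the field, so 255 on receipt proves the packet
    was not forwarded; this is the whole "neighbor" check in the RFC."""
    return ns.hop_limit == 255


def source_is_on_link(src: str, onlink_prefixes) -> bool:
    """The stricter rule: the source must be the unspecified address (DAD),
    link-local, or inside one of the interface's on-link prefixes."""
    addr = ipaddress.IPv6Address(src)
    if addr == UNSPECIFIED or addr in LINK_LOCAL:
        return True
    return any(addr in prefix for prefix in onlink_prefixes)


def accept_ns(ns: NeighborSolicitation, onlink_prefixes, onlink_ns_rfc4861: int):
    """Decide whether an NS would be processed.

    onlink_ns_rfc4861 plays the role of the sysctl
    net.inet6.icmp6.nd6_onlink_ns_rfc4861 (name as recalled from the 2008
    advisory, not from this message):
      0 = also require an on-link source (the default the thread complains about)
      1 = RFC 4861 behaviour, hop-limit check only
    Returns (accepted, reason)."""
    if not rfc4861_hop_limit_ok(ns):
        return False, "hop limit != 255"
    if onlink_ns_rfc4861 == 0 and not source_is_on_link(ns.src, onlink_prefixes):
        # Dropped silently unless ND debugging is enabled; this is the case the
        # thread is about (provider router soliciting from an off-prefix address).
        return False, "NS from non-neighbor (source not on-link)"
    return True, "accepted"


# Constructed scenario: the host holds 2001:db8:1::/64 on-link; the provider
# router solicits from a global address outside that prefix, which RFC 4861
# permits as long as the hop limit is 255.
ONLINK = [ipaddress.IPv6Network("2001:db8:1::/64")]
CASES = {
    "provider_offprefix": NeighborSolicitation("2001:db8:ffff::1", 255, "2001:db8:1::10"),
    "link_local":         NeighborSolicitation("fe80::1", 255, "2001:db8:1::10"),
    "dad":                NeighborSolicitation("::", 255, "2001:db8:1::10"),
    "forwarded":          NeighborSolicitation("2001:db8:1::5", 254, "2001:db8:1::10"),
}


def classify(onlink_ns_rfc4861: int) -> dict:
    """Map each constructed case to whether it is accepted under the setting."""
    return {name: accept_ns(ns, ONLINK, onlink_ns_rfc4861)[0]
            for name, ns in CASES.items()}


if __name__ == "__main__":
    for setting in (0, 1):
        print(f"nd6_onlink_ns_rfc4861={setting}: {classify(setting)}")
```

Under setting 0 only the off-prefix provider packet changes outcome: the link-local, DAD and hop-limit-decremented cases are decided identically by both rules, which is the point Philip makes above about the hop-limit check already bounding senders to the link.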