From: Philip Homburg
To: freebsd-net@freebsd.org
Subject: Re: Revisiting FreeBSD-SA-08:10.nd6 (or: avoiding IPv6 pain)
Date: Thu, 05 Mar 2020 13:27:54 +0100

In your letter dated Wed, 4 Mar 2020 21:10:09 +0100 you wrote:
>This flag was introduced in a 2008 Security Advisory, because "non-neighbors"
>could abuse Neighbor Discovery to potentially cause denial-of-service
>situations.
>In my situation it caused valid Neighbor Solicitation packets from my provider
>to be silently dropped, making the connection effectively unusable.

In theory, the onlink status of a prefix should be announced in router
advertisements and should be consistent across all nodes on a subnet.
In that sense, if this check fails then the network is misconfigured.
(In the real world we can assume that many networks are misconfigured). That said, there is a specific check in processing Neighbor Discovery packets that the hop limit is equal to 255. In that sense any node that manages to send a packet with hop limit 255 is a neighbor, so I don't quite see how there could be an attack by non-neighbors.
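
The two checks discussed in this message, side by side, as an added example that is not part of the original message and is not FreeBSD kernel code. The function and enum names are hypothetical, the addresses are constructed from the documentation prefix, and treating unspecified (DAD) and link-local sources as always on-link follows RFC 4861.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; this is not FreeBSD kernel code. */
enum ns_verdict { NS_ACCEPT, NS_DROP_HOPLIMIT, NS_DROP_OFFLINK, NS_BAD_INPUT };

/* True when the first `len` bits of `a` equal those of prefix `p`. */
static bool in_prefix(const struct in6_addr *a, const struct in6_addr *p,
                      unsigned len)
{
    unsigned full = len / 8, rem = len % 8;

    if (len > 128 || memcmp(a->s6_addr, p->s6_addr, full) != 0)
        return false;
    if (rem == 0)
        return true;
    uint8_t mask = (uint8_t)(0xff << (8 - rem));
    return ((a->s6_addr[full] ^ p->s6_addr[full]) & mask) == 0;
}

/*
 * Validate a received Neighbor Solicitation against one on-link prefix.
 * strict_onlink models the additional source check the thread is about.
 */
enum ns_verdict check_ns(uint8_t hlim, const char *src, const char *prefix,
                         unsigned len, bool strict_onlink)
{
    struct in6_addr s, p;

    if (inet_pton(AF_INET6, src, &s) != 1 || inet_pton(AF_INET6, prefix, &p) != 1)
        return NS_BAD_INPUT;
    if (hlim != 255)              /* any router hop would have decremented it */
        return NS_DROP_HOPLIMIT;
    /* DAD probes (source ::) and link-local sources are always on-link. */
    if (!strict_onlink || IN6_IS_ADDR_UNSPECIFIED(&s) || IN6_IS_ADDR_LINKLOCAL(&s))
        return NS_ACCEPT;
    return in_prefix(&s, &p, len) ? NS_ACCEPT : NS_DROP_OFFLINK;
}

int main(void)
{
    /* Constructed case: on-link prefix 2001:db8:1::/64, sender outside it. */
    printf("%d\n", check_ns(255, "2001:db8:ffff::1", "2001:db8:1::", 64, true));
    printf("%d\n", check_ns(255, "2001:db8:ffff::1", "2001:db8:1::", 64, false));
    printf("%d\n", check_ns(64, "2001:db8:1::5", "2001:db8:1::", 64, true));
    return 0;
}
```

The first call is the situation from the quoted text: the packet passes the hop limit test but is dropped because its source lies outside the receiver's on-link prefix.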