Date: Thu, 05 Mar 2020 13:27:54 +0100
From: Philip Homburg <pch-fbsd-2@u-1.phicoh.com>
To: freebsd-net@freebsd.org
Subject: Re: Revisiting FreeBSD-SA-08:10.nd6 (or: avoiding IPv6 pain)
Message-ID: <m1j9pbX-0000F6C@stereo.hq.phicoh.net>
In-Reply-To: Your message of "Wed, 4 Mar 2020 21:10:09 +0100 ." <523BA6CF-C2C3-4E55-B81C-CB8816E56DDE@neveragain.de>

In your letter dated Wed, 4 Mar 2020 21:10:09 +0100 you wrote:
>This flag was introduced in a 2008 Security Advisory, because "non-neighbors"
>could abuse Neighbor Discovery to potentially cause denial-of-service situations.
>In my situation it caused valid Neighbor Solicitation packets from my provider
>to be silently dropped, making the connection effectively unusable.

In theory, the onlink status of a prefix should be announced in router advertisements and should be consistent across all nodes on a subnet. In that sense, if this check fails then the network is misconfigured. (In the real world we can assume that many networks are misconfigured).

That said, there is a specific check in processing Neighbor Discovery packets that the hop limit is equal to 255. In that sense any node that manages to send a packet with hop limit 255 is a neighbor, so I don't quite see how there could be an attack by non-neighbors.
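
The two checks discussed in this message, modelled side by side as an added sketch (not part of the original e-mail and not FreeBSD's code). The names `check_ns`, `onlink_prefix` and `demo`, the `strict_onlink` parameter standing in for the flag, the exemption for unspecified and link-local sources, and the `2001:db8:` addresses are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

enum ns_verdict { NS_ACCEPT, NS_DROP_HOPLIMIT, NS_DROP_OFFLINK };

/* Hypothetical on-link prefix entry for this sketch (not a FreeBSD struct). */
struct onlink_prefix { struct in6_addr prefix; unsigned plen; };

/* Return 1 if addr lies inside p->prefix/p->plen. */
static int in_prefix(const struct in6_addr *addr, const struct onlink_prefix *p)
{
    unsigned full = p->plen / 8, rem = p->plen % 8;
    if (memcmp(addr->s6_addr, p->prefix.s6_addr, full) != 0)
        return 0;
    if (rem == 0)
        return 1;
    uint8_t mask = (uint8_t)(0xff << (8 - rem));
    return (addr->s6_addr[full] & mask) == (p->prefix.s6_addr[full] & mask);
}

/* strict_onlink models the flag discussed in the thread. */
enum ns_verdict check_ns(uint8_t hop_limit, const struct in6_addr *src,
                         const struct onlink_prefix *tbl, size_t n, int strict_onlink)
{
    /* Routers decrement the hop limit, so 255 on receipt means same link. */
    if (hop_limit != 255)
        return NS_DROP_HOPLIMIT;
    /* Assumption: unspecified (DAD) and link-local sources skip the prefix check. */
    if (!strict_onlink || IN6_IS_ADDR_UNSPECIFIED(src) || IN6_IS_ADDR_LINKLOCAL(src))
        return NS_ACCEPT;
    for (size_t i = 0; i < n; i++)
        if (in_prefix(src, &tbl[i]))
            return NS_ACCEPT;
    return NS_DROP_OFFLINK;
}

/* Constructed case: the receiver only knows 2001:db8:1::/64 as on-link. */
enum ns_verdict demo(const char *src_text, uint8_t hop_limit, int strict_onlink)
{
    struct onlink_prefix tbl[1] = { { .plen = 64 } };
    struct in6_addr src;
    inet_pton(AF_INET6, "2001:db8:1::", &tbl[0].prefix);
    if (inet_pton(AF_INET6, src_text, &src) != 1)
        return NS_DROP_OFFLINK; /* unparsable sample input is treated as a drop */
    return check_ns(hop_limit, &src, tbl, 1, strict_onlink);
}
```

With the strict check on, a solicitation from `2001:db8:2::1` arriving with hop limit 255 is dropped because the receiver's prefix table disagrees with the sender's, while the hop limit check alone would have accepted it.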