From owner-freebsd-net@FreeBSD.ORG Sat Oct 18 16:30:33 2014
Subject: Re: IPv6 stacks responds to all node link local multicast NS
From: prabhakar lakhera
To: Hiroki Sato
Cc: "freebsd-net@freebsd.org"
Date: Sat, 18 Oct 2014 09:30:32 -0700
In-Reply-To: <20141018.143919.1930138986692891609.hrs@allbsd.org>
References: <20141018.143919.1930138986692891609.hrs@allbsd.org>
Content-Type: text/plain; charset=UTF-8
List-Id: Networking and TCP/IP with FreeBSD

Like I said before, it is not per the RFC. It is trivial to derive the solicited-node multicast address from the target IP, so if someone were to launch a flood attack to poison the cache entry for host X by sending address resolution requests for all other local hosts on the network, with the NS's source IP = X's IP and the source link-layer option = the attacker's MAC, computing the solicited-node multicast address for each target would make it only slightly more costly, so I am not sure whether security could be a concern here.

The other concern is whether it could be a compliance issue given the NS packet format described by the RFC. Also, the comment in the code reflects what the RFC says, but the check is more liberal. Also, why is it different for DAD NS vs. neighbor resolution NS?

On Friday, October 17, 2014, Hiroki Sato wrote:
> prabhakar lakhera wrote in :
>
> pr> This probably is more of a compliance issue (or maybe not, as the NS
> pr> receipt section of RFC 4861 http://tools.ietf.org/html/rfc4861#page-62 does
> pr> not talk about it).
> pr>
> pr> The neighbor solicitation message format says this:
> pr>
> pr> http://tools.ietf.org/html/rfc4861#page-22
> pr>
> pr>    Destination Address
> pr>        Either the solicited-node multicast address
> pr>        corresponding to the target address, or the target
> pr>        address.
> pr>
> pr> Is it safe to assume that this is a MUST?
> pr> If yes, nd6_ns_input right now only checks whether the destination is
> pr> multicast or not (the check is more strict for DAD NS packets) and
> pr> therefore allows all-nodes link-local multicast address resolution NS
> pr> packets and processes them completely (creates a neighbor cache entry,
> pr> responds with an NA, etc.).
>
>  What is the problem when accepting NS messages to ff02::1?
>
> -- Hiroki
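The two destination checks being compared in this thread, as an added example that is not part of the original mail and not taken from the FreeBSD nd6 source: `in6_solicited_node` derives the solicited-node multicast address the poster calls trivial to compute, `ns_dst_ok_any_multicast` models the permissive "is it multicast?" rule the mail attributes to nd6_ns_input for address-resolution NS, and `ns_dst_ok_rfc4861` applies the RFC 4861 section 4.3 message format (destination is the target's solicited-node address or the target itself). All function names, the classification codes and the link-local sample addresses are assumptions made for this example; only the address-resolution path is modelled, not the stricter DAD path the mail mentions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Solicited-node multicast address for a target (RFC 4291 section 2.7.1):
 * ff02::1:ffXX:XXXX, where XX:XXXX are the low-order 24 bits of the target.
 * This is the "trivial to derive" step the mail refers to. */
void in6_solicited_node(const struct in6_addr *target, struct in6_addr *out)
{
    memset(out, 0, sizeof(*out));
    out->s6_addr[0]  = 0xff;
    out->s6_addr[1]  = 0x02;
    out->s6_addr[11] = 0x01;
    out->s6_addr[12] = 0xff;
    out->s6_addr[13] = target->s6_addr[13];
    out->s6_addr[14] = target->s6_addr[14];
    out->s6_addr[15] = target->s6_addr[15];
}

/* Model of the permissive rule the mail attributes to nd6_ns_input for
 * address-resolution NS: any multicast destination passes, including the
 * all-nodes address ff02::1. Written for this example, not copied from
 * the FreeBSD source. */
int ns_dst_ok_any_multicast(const struct in6_addr *dst)
{
    return IN6_IS_ADDR_MULTICAST(dst) ? 1 : 0;
}

/* RFC 4861 section 4.3 message format: the destination is either the
 * solicited-node multicast address of the target or the target itself. */
int ns_dst_ok_rfc4861(const struct in6_addr *dst, const struct in6_addr *target)
{
    struct in6_addr snm;

    in6_solicited_node(target, &snm);
    return (memcmp(dst, target, sizeof(*dst)) == 0 ||
            memcmp(dst, &snm, sizeof(*dst)) == 0) ? 1 : 0;
}

/* Text front-end: writes the solicited-node address of target into buf.
 * Returns 0 on success, -1 on a malformed address. */
int solicited_node_str(const char *target, char *buf, size_t len)
{
    struct in6_addr t, snm;

    if (inet_pton(AF_INET6, target, &t) != 1)
        return -1;
    in6_solicited_node(&t, &snm);
    return inet_ntop(AF_INET6, &snm, buf, len) ? 0 : -1;
}

/* Classify an NS by its destination and target (both as text):
 *   2  accepted under RFC 4861 (and therefore under the permissive rule too)
 *   1  accepted only under the any-multicast rule (e.g. sent to ff02::1)
 *   0  rejected by both
 *  -1  malformed input */
int classify_ns_dst(const char *dst, const char *target)
{
    struct in6_addr d, t;

    if (inet_pton(AF_INET6, dst, &d) != 1 ||
        inet_pton(AF_INET6, target, &t) != 1)
        return -1;
    if (ns_dst_ok_rfc4861(&d, &t))
        return 2;
    if (ns_dst_ok_any_multicast(&d))
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: three other hosts on the link that the flood in
     * the mail would target, one NS each, source set to X and the SLLA
     * option set to the attacker's MAC. Shown for each target: whether an
     * NS to ff02::1 passes, and whether an NS to the solicited-node address
     * passes. */
    const char *targets[] = { "fe80::21c:42ff:feab:cdef",
                              "fe80::21c:42ff:fe12:3456",
                              "fe80::21c:42ff:fe00:0001" };
    char snm[INET6_ADDRSTRLEN];
    size_t i;

    for (i = 0; i < sizeof(targets) / sizeof(targets[0]); i++) {
        solicited_node_str(targets[i], snm, sizeof(snm));
        printf("target %-26s sol-node %-18s to ff02::1 -> %d  to sol-node -> %d\n",
               targets[i], snm,
               classify_ns_dst("ff02::1", targets[i]),
               classify_ns_dst(snm, targets[i]));
    }
    return 0;
}
```

Running it shows the poster's point in numbers: under the permissive rule the flood can send every NS to ff02::1 (code 1), and under the RFC rule the attacker simply addresses each NS to the solicited-node group instead (code 2), which costs one 24-bit copy per packet. What the strict rule does change is that an NS addressed to ff02::1 is no longer processed at all, so the difference is about compliance with the message format rather than about making the flood expensive.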