Date:      Fri, 6 Mar 2020 08:16:01 +0100
From:      Dennis Kögel <dk@neveragain.de>
To:        Philip Homburg <pch-fbsd-2@u-1.phicoh.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Revisiting FreeBSD-SA-08:10.nd6 (or: avoiding IPv6 pain)
Message-ID:  <97992D2A-CE25-44DB-8441-1C2F3A43C1B2@neveragain.de>
In-Reply-To: <m1j9pbX-0000F6C@stereo.hq.phicoh.net>
References:  <m1j9pbX-0000F6C@stereo.hq.phicoh.net>

On 05.03.2020 at 13:27, Philip Homburg <pch-fbsd-2@u-1.phicoh.com> wrote:
> In your letter dated Wed, 4 Mar 2020 21:10:09 +0100 you wrote:
>> This flag was introduced in a 2008 Security Advisory, because "non-neighbors"
>> could abuse Neighbor Discovery to potentially cause denial-of-service situations.
>> In my situation it caused valid Neighbor Solicitation packets from my provider
>> to be silently dropped, making the connection effectively unusable.
>
> In theory, the onlink status of a prefix should be announced in
> router advertisements and should be consistent across all nodes on a
> subnet. In that sense, if this check fails then the network is misconfigured.

Good point, and probably an indication that my provider's setup is broken. But from an RFC perspective, RAs and ND are not strictly related, I believe - for example, prefixes might have been configured manually (?).

> That said, there is a specific check in processing Neighbor Discovery packets
> that the hop limit is equal to 255. In that sense any node that manages to
> send a packet with hop limit 255 is a neighbor, so I don't quite see how there
> could be an attack by non-neighbors.

Exactly, that's where I couldn't understand the Advisory. Though it seems to focus on router nodes, and not host nodes.

- D.
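The two checks discussed in this thread, the RFC 4861 hop-limit 255 test and the stricter on-link source test that the 2008 advisory added (the one FreeBSD's net.inet6.icmp6.nd6_onlink_ns_rfc4861 sysctl toggles), as an added illustration that is neither code from the thread nor from the FreeBSD kernel. It parses constructed NS/NA packets with no extension headers and leaves the ICMPv6 checksum unverified; the prefix list and packet values are assumptions.

```python
import ipaddress
import struct

ICMPV6_NS, ICMPV6_NA = 135, 136   # Neighbor Solicitation / Advertisement types


def parse_ipv6(pkt: bytes):
    """Return (next_header, hop_limit, src, dst, payload) from a fixed IPv6 header."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first, plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    if first >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    return nxt, hlim, src, dst, pkt[40:40 + plen]


def validate_nd(pkt: bytes, onlink_prefixes=(), require_onlink=True):
    """Return (accepted, reason) for an NS/NA packet.

    hop limit == 255 is the RFC 4861 neighbour proof: anything that crossed a
    router arrives with <= 254. The on-link source test is the extra check the
    advisory added; require_onlink=False models switching it off.
    """
    nxt, hlim, src, dst, payload = parse_ipv6(pkt)
    if nxt != 58 or len(payload) < 24:
        return False, "not an ICMPv6 ND message"
    icmp_type, code = payload[0], payload[1]
    if icmp_type not in (ICMPV6_NS, ICMPV6_NA):
        return False, "not NS/NA"
    if hlim != 255:
        return False, f"hop limit {hlim} != 255 (passed through a router)"
    if code != 0:
        return False, "ICMPv6 code must be 0"
    if ipaddress.IPv6Address(payload[8:24]).is_multicast:
        return False, "target address must not be multicast"
    # Link-local and unspecified (DAD) sources always count as neighbours;
    # any other source must fall inside a prefix the host believes is on-link.
    if require_onlink and not (src.is_link_local or src.is_unspecified):
        if not any(src in ipaddress.ip_network(p) for p in onlink_prefixes):
            return False, f"source {src} not on-link, dropped by on-link check"
    return True, "accepted"


def build_nd(src, dst, icmp_type, target, hlim=255) -> bytes:
    """Construct a minimal NS/NA (sample input; checksum left as zero)."""
    icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), 58, hlim)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp
```

An NS from a provider router whose global address lies outside every prefix the host learned passes the hop-limit test but fails the on-link test, which is the silent drop described above.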


