From owner-freebsd-net@freebsd.org Fri Mar 6 07:16:05 2020
From: Dennis Kögel <dk@neveragain.de>
To: Philip Homburg
Cc: freebsd-net@freebsd.org
Subject: Re: Revisiting FreeBSD-SA-08:10.nd6 (or: avoiding IPv6 pain)
Date: Fri, 6 Mar 2020 08:16:01 +0100
Message-Id: <97992D2A-CE25-44DB-8441-1C2F3A43C1B2@neveragain.de>
List-Id: Networking and TCP/IP with FreeBSD

On 05.03.2020 at 13:27, Philip Homburg wrote:

> In your letter dated Wed, 4 Mar 2020 21:10:09 +0100 you wrote:
>> This flag was introduced in a 2008 Security Advisory, because "non-neighbors"
>> could abuse Neighbor Discovery to potentially cause denial-of-service situations.
>> In my situation it caused valid Neighbor Solicitation packets from my provider
>> to be silently dropped, making the connection effectively unusable.
>
> In theory, the onlink status of a prefix should be announced in
> router advertisements and should be consistent across all nodes on a
> subnet. In that sense, if this check fails then the network is misconfigured.

Good point, and probably an indication that my provider's setup is broken. But from an RFC perspective, RAs and ND are not strictly related, I believe - for example, prefixes might have been configured manually (?).

> That said, there is a specific check in processing Neighbor Discovery packets
> that the hop limit is equal to 255. In that sense any node that manages to
> send a packet with hop limit 255 is a neighbor, so I don't quite see how there
> could be an attack by non-neighbors.

Exactly, that's where I couldn't understand the Advisory. Though it seems to focus on router nodes, and not host nodes.

- D.
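The two checks the thread is about, written out as a small receiver-side validator so the difference is visible on a concrete packet. This is an added example, not code from the thread or from FreeBSD: it applies the RFC 4861 section 7.1.1 rules (where hop limit 255 is the one that confines senders to the link) and then the stricter on-link-source rule that FreeBSD-SA-08:10.nd6 added (exposed, to my knowledge, as the nd6_onlink_ns_rfc4861 sysctl the thread refers to). All addresses are constructed from the 2001:db8::/32 documentation range, and the prefix list stands in for the prefixes configured on-link on the receiving interface.

```python
import ipaddress
import struct

IPPROTO_ICMPV6 = 58
ND_NEIGHBOR_SOLICIT = 135
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")

def build_ns(src, dst, target, hop_limit=255):
    """Constructed sample: minimal IPv6 header + 24-byte ICMPv6 NS (checksum left at 0)."""
    icmp = struct.pack("!BBHI", ND_NEIGHBOR_SOLICIT, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, hop_limit)
    return ip6 + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp

def parse_ns(pkt):
    """Extract the fields the receiver checks need (assumes no extension headers)."""
    if len(pkt) < 64:
        raise ValueError("too short for an IPv6 header plus a 24-byte NS")
    _, _, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    return {"next_hdr": next_hdr, "hop_limit": hop_limit,
            "src": ipaddress.IPv6Address(pkt[8:24]), "dst": ipaddress.IPv6Address(pkt[24:40]),
            "type": pkt[40], "code": pkt[41], "target": ipaddress.IPv6Address(pkt[48:64])}

def rfc4861_failures(p):
    """RFC 4861 section 7.1.1 checks; hop limit 255 is the one that confines senders to the link."""
    f = []
    if p["next_hdr"] != IPPROTO_ICMPV6 or p["type"] != ND_NEIGHBOR_SOLICIT:
        f.append("not an ICMPv6 Neighbor Solicitation")
    if p["hop_limit"] != 255:
        f.append("hop limit %d, not 255" % p["hop_limit"])
    if p["target"].is_multicast:
        f.append("target address is multicast")
    if p["src"].is_unspecified and p["dst"] not in SOLICITED_NODE:
        f.append("unspecified source but destination is not solicited-node multicast")
    return f

def source_is_onlink(src, onlink_prefixes):
    """The stricter FreeBSD-SA-08:10.nd6 rule: a non-link-local source must sit in a configured on-link prefix."""
    return src.is_unspecified or src.is_link_local or any(src in pfx for pfx in onlink_prefixes)

def verdict(pkt, onlink_prefixes, strict_onlink=True):
    """'accept' or a drop reason; strict_onlink mirrors the flag the thread discusses."""
    p = parse_ns(pkt)
    failures = rfc4861_failures(p)
    if failures:
        return "drop: " + "; ".join(failures)
    if strict_onlink and not source_is_onlink(p["src"], onlink_prefixes):
        return "drop: source %s is not in any on-link prefix" % p["src"]
    return "accept"
```

The provider-router case from the thread is an NS whose source is a global address outside every prefix the host considers on-link: it passes every RFC 4861 rule (hop limit 255 included) and is dropped only by the stricter check, which is why turning that flag off restores connectivity while a forwarded packet with a decremented hop limit is still rejected.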