From: Philip Homburg
To: freebsd-net@freebsd.org
Cc: Dennis Kögel
Subject: Re: Revisiting FreeBSD-SA-08:10.nd6 (or: avoiding IPv6 pain)
Date: Fri, 06 Mar 2020 10:19:57 +0100
In-Reply-To: <97992D2A-CE25-44DB-8441-1C2F3A43C1B2@neveragain.de>

> Good point, and probably an indication that my provider's setup is
> broken. But in terms of RFC-perspective, RAs and ND are not strictly
> related, I believe - for example, prefixes might have been configured
> manually (?).

Hmm, I forgot one case: NBMA (Non-broadcast multiple-access). A prefix may be marked off-link though it is actually onlink. In that case all traffic initially goes through the router. Then the router will send a redirect with the target's MAC address.

So the conclusion has to be that a node has to accept NS packets with a source address that is off-link.

> Exactly, that's where I couldn't understand the Advisory. Though
> it seems to focus on router nodes, and not host nodes.

Maybe some systems do not properly separate the neighbor cache from the destination cache. Junk in the neighbor cache should not affect the destination cache.

So a node may be able to claim an address that is not onlink in the neighbor cache. But the destination cache should always have the right entry so the neighbor cache entry is ignored.

I can imagine that if a system confuses the two then attacks are possible.
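
The cache separation described in the message above, sketched as an added example that is not part of the original post and is not FreeBSD code. It is a toy model of the RFC 4861 conceptual data structures; the class, the `separate` flag, and all addresses and MAC values are constructed for illustration.

```python
import ipaddress

ROUTER_MAC = "02:00:00:00:00:01"    # constructed sample values
CLAIMED_MAC = "02:00:00:00:00:66"
OFFLINK = "2001:db8:ffff::53"       # not covered by any on-link prefix


class Host:
    """Toy model of one interface's prefix list, neighbor and destination caches."""

    def __init__(self, onlink_prefixes, router, router_mac, separate=True):
        self.prefixes = [ipaddress.ip_network(p) for p in onlink_prefixes]
        self.router = ipaddress.ip_address(router)
        self.neighbor_cache = {self.router: router_mac}  # IP -> link-layer address
        self.destination_cache = {}                      # destination -> next-hop IP
        self.separate = separate  # hypothetical switch: False models the confusion

    def receive_ns(self, src, src_lladdr):
        # An NS carrying a source link-layer address creates or updates a
        # neighbor cache entry, even when src is off-link (the NBMA case).
        self.neighbor_cache[ipaddress.ip_address(src)] = src_lladdr

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        if not self.separate and dst in self.neighbor_cache:
            return dst  # confused host: a neighbor cache hit is taken as "on-link"
        if dst not in self.destination_cache:
            # Next-hop determination consults only the prefix list and router.
            onlink = any(dst in p for p in self.prefixes)
            self.destination_cache[dst] = dst if onlink else self.router
        return self.destination_cache[dst]

    def link_layer_dest(self, dst):
        # The neighbor cache is used only to resolve the chosen next hop.
        return self.neighbor_cache.get(self.next_hop(dst))


def demo(separate):
    host = Host(["2001:db8:1::/64"], "fe80::1", ROUTER_MAC, separate)
    host.receive_ns(OFFLINK, CLAIMED_MAC)  # junk entry for an off-link address
    return host.link_layer_dest(OFFLINK)


if __name__ == "__main__":
    print("separate caches:", demo(True))   # frames still go to the router
    print("confused caches:", demo(False))  # frames go to the claimed MAC
```

With separate caches the junk entry exists but is never consulted for that destination; in the confused variant it decides where the frame goes.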