Date:      Tue, 22 Jul 2014 09:53:13 -0700
From:      神明達哉 <jinmei@wide.ad.jp>
To:        Loganaden Velvindron <logan@elandsys.com>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>, bz@freebsd.org, gnn@freebsd.org
Subject:   Re: IPv6 nodeinfo default behaviour
Message-ID:  <CAJE_bqexFJJBNQNt5-2YJ-PK+=1Hux0r0avMFAuX1bS5mZCT+g@mail.gmail.com>
In-Reply-To: <20140720090410.GA7990@mx.elandsys.com>
References:  <20140720090410.GA7990@mx.elandsys.com>

At Sun, 20 Jul 2014 02:04:10 -0700,
Loganaden Velvindron <logan@elandsys.com> wrote:

>  Security Considerations
>
>    This protocol shares the security issues of ICMPv6 that are
>    documented in the "Security Considerations" section of [5].
>
>    This protocol has the potential of revealing information useful to a
>    would-be attacker.  An implementation of this protocol MUST have a
>    default configuration that refuses to answer queries from global-
>    scope [3] addresses.
>
> I suggest that we switch to 0 by default to be more RFC compliant.

Are you referring to the value of '(V_)icmp6_nodeinfo'?

If so, and to be compliant with the above MUST of the RFC, it doesn't
seem to have to be 0; it only has to have the ICMP6_NODEINFO_GLOBALOK
bit cleared:

    /*
     * Validate IPv6 source address.
     * The default configuration MUST be to refuse answering queries from
     * global-scope addresses according to RFC4602.
     * Notes:
     *  - it's not very clear what "refuse" means; this implementation
     *    simply drops it.
     *  - it's not very easy to identify global-scope (unicast) addresses
     *    since there are many prefixes for them.  It should be safer
     *    and in practice sufficient to check "all" but loopback and
     *    link-local (note that site-local unicast was deprecated and
     *    ULA is defined as global scope-wise)
     */
    if ((V_icmp6_nodeinfo & ICMP6_NODEINFO_GLOBALOK) == 0 &&
        !IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) &&
        !IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_src))
        goto bad;

and the default value already seems to meet this condition:

VNET_DEFINE(int, icmp6_nodeinfo) =
    (ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_NODEADDROK);

--
JINMEI, Tatuya



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJE_bqexFJJBNQNt5-2YJ-PK%2B=1Hux0r0avMFAuX1bS5mZCT%2Bg>
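Added example, not part of the thread and not FreeBSD's own code: a small user-space C model of the source-scope gate quoted in the message, so the effect of the default icmp6_nodeinfo value (FQDNOK|NODEADDROK, i.e. GLOBALOK clear) can be checked against concrete source addresses. It reproduces only the scope check, not the per-query-type checks the kernel does afterwards. The NI_* names and ni_src_allowed* functions are this example's own; the bit values are assumed to mirror FreeBSD's <netinet/icmp6.h> (FQDNOK 0x1, NODEADDROK 0x2, TMPADDROK 0x4, GLOBALOK 0x8), and the logic only needs GLOBALOK to be a distinct bit. The sample addresses are constructed, one per class the kernel comment discusses; it goes slightly beyond the message by including an IPv4-mapped source.

```c
/*
 * Added example (not FreeBSD source): user-space model of the RFC 4620
 * source-scope gate that FreeBSD's icmp6 Node Information handling applies.
 * The NI_* values are assumed to mirror <netinet/icmp6.h>; the logic only
 * needs NI_GLOBALOK to be a distinct bit.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>

#define NI_FQDNOK      0x1   /* answer FQDN queries */
#define NI_NODEADDROK  0x2   /* answer node-address queries */
#define NI_TMPADDROK   0x4   /* include temporary addresses in replies */
#define NI_GLOBALOK    0x8   /* answer queries from non-link-local sources */

/* Same default as the VNET_DEFINE(int, icmp6_nodeinfo) quoted above: 3. */
#define NI_DEFAULT (NI_FQDNOK | NI_NODEADDROK)

/*
 * Return 1 if a query from `src` passes the scope gate under `flags`,
 * 0 if it would be dropped (the kernel's "goto bad").
 * Same reasoning as the kernel comment: instead of enumerating global
 * prefixes, accept only loopback and link-local unless GLOBALOK is set.
 * ULA (fc00::/7) and deprecated site-local (fec0::/10) are therefore
 * treated as global and refused by default.
 */
int ni_src_allowed(int flags, const struct in6_addr *src)
{
    if (flags & NI_GLOBALOK)
        return 1;
    return IN6_IS_ADDR_LOOPBACK(src) || IN6_IS_ADDR_LINKLOCAL(src);
}

/* Wrapper over a textual address; returns -1 if the text does not parse. */
int ni_src_allowed_str(int flags, const char *text)
{
    struct in6_addr src;

    if (inet_pton(AF_INET6, text, &src) != 1)
        return -1;
    return ni_src_allowed(flags, &src);
}

int main(void)
{
    /* Constructed sample sources, one per address class discussed above. */
    static const char *samples[] = {
        "::1",               /* loopback */
        "fe80::1",           /* link-local */
        "fd00::1",           /* ULA: global scope-wise */
        "fec0::1",           /* deprecated site-local: treated as global */
        "2001:db8::1",       /* ordinary global unicast */
        "::ffff:192.0.2.1",  /* IPv4-mapped: neither loopback nor link-local */
    };
    const int modes[] = { NI_DEFAULT, NI_DEFAULT | NI_GLOBALOK };
    size_t m, i;

    for (m = 0; m < sizeof modes / sizeof modes[0]; m++) {
        printf("icmp6_nodeinfo=%d\n", modes[m]);
        for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
            int r = ni_src_allowed_str(modes[m], samples[i]);

            printf("  %-20s %s\n", samples[i],
                   r < 0 ? "invalid" : r ? "answer" : "drop");
        }
    }
    return 0;
}
```

With the default value of 3 only ::1 and fe80::1 are answered; every other sample, including the ULA and site-local sources, is dropped, which is the behaviour the RFC's MUST asks for. Setting the 0x8 bit (sysctl value 11) opens the responder to all sources.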