Re: git: b73183d1a243 - main - ipv6: disable RFC 4620 nodeinfo by default
Date: Mon, 26 Jun 2023 10:28:03 UTC
On Wed, 26 Apr 2023, Ed Maste wrote:

Hi,

sorry for the late reply.

> The branch main has been updated by emaste:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=b73183d1a243d486e3889bd71800e94812f5fa17
>
> commit b73183d1a243d486e3889bd71800e94812f5fa17
> Author:     Ed Maste <emaste@FreeBSD.org>
> AuthorDate: 2023-04-24 19:41:45 +0000
> Commit:     Ed Maste <emaste@FreeBSD.org>
> CommitDate: 2023-04-26 17:47:59 +0000
>
>     ipv6: disable RFC 4620 nodeinfo by default
>
>     RFC 4620 is an experimental RFC that can be used to request information
>     about a host, including:
>
>     - the fully-qualified or single-component name
>     - some set of the Responder's IPv6 unicast addresses
>     - some set of the Responder's IPv4 unicast addresses
>
>     This is not something that should be made available by default.

187069853c6565693b82dc7d2d31de68c2be32c2 already added the flag to not reply to global addresses (see nd6_input check). So by default we were only replying to loopback and link-local.

Finding the slides of the talk mentioned in the PR was informational material (advice) only, but no real problem was shown.

The Apple problem is slightly different and I wonder (a) if replying with the FQDN is still considered not a problem, and (b) if we do interface validation for sending out (link-local) ICMPv6 replies?

Has OpenBSD changed it from 1 to 0 as well by now?

If we have any doubts I would highly suggest to also handle the default case around sys/netinet6/icmp6.c line 1404 somewhat better, as I assume that with the current code (not having spent much time reading it) it is still possible to get the "FQDN" by sending an unknown qtype? Would be nice to have a test case for that...

>     PR:             257709
>     Submitted by:   ruben@verweg.com
>     Reviewed by:    melifaro
>     Relnotes:       Yes
>     Sponsored by:   The FreeBSD Foundation
>     Differential Revision:  https://reviews.freebsd.org/D39778
> ---
>  sys/netinet6/in6_proto.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> > diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c > index 971b61c74899..557edaf2e7e1 100644 > --- a/sys/netinet6/in6_proto.c > +++ b/sys/netinet6/in6_proto.c > @@ -193,8 +193,7 @@ VNET_DEFINE(int, icmp6_rediraccept) = 1;/* accept and process redirects */ > VNET_DEFINE(int, icmp6_redirtimeout) = 10 * 60; /* 10 minutes */ > VNET_DEFINE(int, icmp6errppslim) = 100; /* 100pps */ > /* control how to respond to NI queries */ > -VNET_DEFINE(int, icmp6_nodeinfo) = > - (ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_NODEADDROK); > +VNET_DEFINE(int, icmp6_nodeinfo) = 0; > VNET_DEFINE(int, icmp6_nodeinfo_oldmcprefix) = 1; > > VNET_DEFINE_STATIC(int, ip6_log_interval) = 5; > -- Bjoern A. Zeeb r15:7
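Review bot: changing the `VNET_DEFINE(int, icmp6_nodeinfo)` initializer to 0 in in6_proto.c only disables the reply paths that actually test `ICMP6_NODEINFO_FQDNOK` and `ICMP6_NODEINFO_NODEADDROK`; the reply above raises that the default (unknown qtype) case in sys/netinet6/icmp6.c around line 1404 may still answer with the FQDN independent of these bits, so the change should be verified against that path and landed together with the test case the reply asks for (send a query with an unknown qtype and assert no reply when the value is 0). Since the commit is marked `Relnotes: Yes`, the message should also state how an administrator restores the previous behaviour, i.e. which sysctl carries `icmp6_nodeinfo` and that the old default was `ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_NODEADDROK`, so operators who depend on node information queries on loopback or link-local are not surprised by the new default.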