[Bug 263288] IPv6 system not responding to Neighbor Solicitation

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263288

--- Comment #16 from Zhenlei Huang <zlei.huang@gmail.com> ---
(In reply to wcarson.bugzilla from comment #15)
From the pcap you provided, I see your upstream router is advertising prefix
without the 'on-link' flag. It is basically same as my testing environment #12
except that your provider utilize HSRP to achieve first hop router failover.

I can confirm CentOS 8 work greatly with such case. It seems Linux is not
affected by CVE-2008-2476.

The problem is a little complicated. If it is a good practice for network admin
to advertise IPv6 prefix without 'on-link' flag, I think the problem will be
common eventually. As `net.inet6.icmp6.nd6_onlink_ns_rfc4861` has some side
effect, I wonder if there is better solution to resolve CVE-2008-2476.

The problem affects 12.3, 13.0, 13.1-RC4, stable/13 and current. To work around
it, set 'net.inet6.icmp6.nd6_onlink_ns_rfc4861' to none-zero.

As IPv6 addresses is sufficient, most cloud providers provide at least a single
dedicated /64 block to the customer. In this case I think CVE-2008-2476 could
not happen, thus it is safe for providers to advertise prefixes with 'on-link'
flag, or for FreeBSD users to change `net.inet6.icmp6.nd6_onlink_ns_rfc4861` to
none-zero.

@wcarson.bugzilla you can contact your provider to confirm if the prefix
2600:3c00::/64 is dedicated for your host.

-- 
You are receiving this mail because:
You are the assignee for the bug.