[Bug 224247] RFC 6980 requires to drop fragmented IPv6 neighbour discovery
bugzilla-noreply at freebsd.org
Mon Dec 11 14:55:29 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224247
Bug ID: 224247
Summary: RFC 6980 requires to drop fragmented IPv6 neighbour discovery
Product: Base System
Version: 11.1-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: lutz at donnerhacke.de
Created attachment 188720
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=188720&action=edit
Drop malicious packets as required by RFC 6980
RFC6980 says:
---8<---
Nodes MUST silently ignore the following Neighbor Discovery and
SEcure Neighbor Discovery messages if the packets carrying them
include an IPv6 Fragmentation Header:
o Neighbor Solicitation
o Neighbor Advertisement
o Router Solicitation
o Router Advertisement
o Redirect
o Certification Path Solicitation
Nodes SHOULD normally process the following messages when the packets
carrying them include an IPv6 Fragmentation Header:
o Certification Path Advertisement
SEND nodes SHOULD NOT employ keys that would result in fragmented CPA
messages.
---8<---
A recent talk about this RFC showed that FreeBSD fails in all respects to
fulfill the minimal protection:
http://www.denog.de/de/meetings/denog9/agenda.html#rfc6980
I hope that the attached patch does fix the issue:
- Fragment handling becomes a protocol specific mbuf-flag.
- At detailed protocol level silent drop is implemented.
- Certification Path messages are unsupported, so no sysctl to deal with the SHOULD is needed.
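As an added illustration of the rule quoted above (this is example code written for this page, not the attached patch or any FreeBSD source), the checker below walks the IPv6 extension-header chain of a packet and returns the RFC 6980 verdict: ND and Certification Path Solicitation messages behind a Fragment header are dropped, a Certification Path Advertisement (type 149) is still processed, and a non-first fragment is flagged as needing reassembly since its ICMPv6 header is not visible. The sample packets (fe80::1 to ff02::1, zero checksum) are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum verdict { PASS = 0, DROP_RFC6980 = 1, NEEDS_REASSEMBLY = 2, MALFORMED = 3 };

/* RFC 6980 MUST-drop types: RS 133, RA 134, NS 135, NA 136, Redirect 137, CPS 148. CPA 149 passes. */
static int is_nd_type(uint8_t t) { return (t >= 133 && t <= 137) || t == 148; }

/* Walk the extension-header chain (first fragment or reassembled datagram) and apply RFC 6980. */
enum verdict rfc6980_check(const uint8_t *pkt, size_t len)
{
    if (len < 40 || (pkt[0] >> 4) != 6) return MALFORMED;
    uint8_t nh = pkt[6]; size_t off = 40; int fragmented = 0;   /* start after fixed header */
    for (;;) {
        if (off + 8 > len) return MALFORMED;      /* every header handled below is >= 8 octets */
        switch (nh) {
        case 0: case 43: case 60:                 /* Hop-by-Hop, Routing, Destination Options */
            nh = pkt[off];
            off += ((size_t)pkt[off + 1] + 1) * 8; /* Hdr Ext Len: 8-octet units, first 8 excluded */
            break;
        case 44:                                  /* Fragment header, fixed 8 octets */
            if ((((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8u) != 0)
                return NEEDS_REASSEMBLY;          /* ICMPv6 header is only in fragment 0 */
            fragmented = 1; nh = pkt[off]; off += 8;
            break;
        case 58:                                  /* ICMPv6: message type is the first octet */
            return (fragmented && is_nd_type(pkt[off])) ? DROP_RFC6980 : PASS;
        default:
            return PASS;                          /* not ICMPv6: RFC 6980 does not apply */
        }
    }
}

/* Constructed sample: fe80::1 -> ff02::1, hop limit 255, optional atomic Fragment header
 * (offset 0, M=0), then a 24-octet ICMPv6 message of the given type; checksum left zero. */
size_t build_pkt(uint8_t buf[80], int with_frag, uint8_t icmp_type)
{
    memset(buf, 0, 80); size_t off = 40;
    buf[0] = 0x60; buf[6] = with_frag ? 44 : 58; buf[7] = 255;
    buf[8] = 0xfe; buf[9] = 0x80; buf[23] = 1; buf[24] = 0xff; buf[25] = 0x02; buf[39] = 1;
    if (with_frag) { buf[off] = 58; off += 8; }   /* Fragment header's Next Header = ICMPv6 */
    buf[off] = icmp_type; off += 24;
    buf[4] = (uint8_t)((off - 40) >> 8); buf[5] = (uint8_t)(off - 40); return off;
}

/* Build one sample packet and run the check on it. */
enum verdict check_sample(int with_frag, uint8_t icmp_type)
{
    uint8_t p[80];
    return rfc6980_check(p, build_pkt(p, with_frag, icmp_type));
}
```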