[Bug 224247] RFC 6980 requires to drop fragmented IPv6 neighbour discovery

Mon Dec 11 14:55:29 UTC 2017

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224247

            Bug ID: 224247
           Summary: RFC 6980 requires to drop fragmented IPv6 neighbour
                    discovery
           Product: Base System
           Version: 11.1-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: lutz at donnerhacke.de

Created attachment 188720
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=188720&action=edit
Drop malicious packets as required by RFC 6980

RFC6980 says:
---8<---
   Nodes MUST silently ignore the following Neighbor Discovery and
   SEcure Neighbor Discovery messages if the packets carrying them
   include an IPv6 Fragmentation Header:

   o  Neighbor Solicitation

   o  Neighbor Advertisement

   o  Router Solicitation

   o  Router Advertisement

   o  Redirect

   o  Certification Path Solicitation

   Nodes SHOULD normally process the following messages when the packets
   carrying them include an IPv6 Fragmentation Header:

   o  Certification Path Advertisement

   SEND nodes SHOULD NOT employ keys that would result in fragmented CPA
   messages.
---8<---

A recent talk about this RFC showed, that FreeBSD fails in all respects to
fulfill the minimal protection:
http://www.denog.de/de/meetings/denog9/agenda.html#rfc6980

I hope, that the attached patch does fix the issue:
 - Fragment handling becomes a protocol specific mbuf-flag.
 - At detailed protocol level silent drop is implemented.
 - Certification Path messages are unsupported,
   so no sysctl to deal with the SHOULD is needed.

-- 
You are receiving this mail because:
You are the assignee for the bug.