Revisiting FreeBSD-SA-08:10.nd6 (or: avoiding IPv6 pain)

Philip Homburg pch-fbsd-2 at u-1.phicoh.com
Thu Mar 5 12:28:08 UTC 2020


In your letter dated Wed, 4 Mar 2020 21:10:09 +0100 you wrote:
>This flag was introduced in a 2008 Security Advisory, because "non-neighbors"
>could abuse Neighbor Discovery to potentially cause denial-of-service
>situations.
>In my situation it caused valid Neighbor Solicitation packets from my
>provider to be silently dropped, making the connection effectively unusable.

In theory, the onlink status of a prefix should be announced in
router advertisements and should be consistent across all nodes on a
subnet. In that sense, if this check fails then the network is misconfigured.

(In the real world we can assume that many networks are misconfigured).

That said, there is a specific check in processing Neighbor Discovery packets
that the hop limit is equal to 255. In that sense any node that manages to
send a packet with hop limit 255 is a neighbor, so I don't quite see how there
could be an attack by non-neighbors.
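
The two receive-side checks discussed in this message, as an added example that is not part of the original post and is not FreeBSD's nd6 code: the hop limit 255 test, followed by an on-link test of the Neighbor Solicitation source address. All names (`check_ns`, `strict_onlink`, the `demo_*` data) are hypothetical, the addresses are constructed from the documentation prefix, and accepting `::` and `fe80::/10` sources before the prefix test is an assumption of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the two receive-side checks; not FreeBSD's nd6 code.
 * All names here are hypothetical. */
enum ns_verdict { NS_ACCEPT, NS_DROP_HOPLIMIT, NS_DROP_OFFLINK };
struct onlink_prefix { uint8_t addr[16]; unsigned plen; };

/* Return 1 when addr lies inside p->addr/p->plen. */
static int prefix_match(const uint8_t addr[16], const struct onlink_prefix *p)
{
    unsigned full = p->plen / 8, rem = p->plen % 8;
    uint8_t mask = (uint8_t)(0xff << (8 - rem));

    if (p->plen > 128 || memcmp(addr, p->addr, full) != 0)
        return 0;
    return rem == 0 || (addr[full] & mask) == (p->addr[full] & mask);
}

/* strict_onlink stands in for the advisory's flag (name assumed). */
enum ns_verdict check_ns(uint8_t hop_limit, const uint8_t src[16],
    const struct onlink_prefix *pfx, size_t npfx, int strict_onlink)
{
    static const uint8_t unspec[16];  /* :: is the DAD probe source */
    size_t i;

    if (hop_limit != 255)             /* crossed a router: not a neighbor */
        return NS_DROP_HOPLIMIT;
    if (!strict_onlink || memcmp(src, unspec, 16) == 0 ||
        (src[0] == 0xfe && (src[1] & 0xc0) == 0x80))  /* fe80::/10 */
        return NS_ACCEPT;
    for (i = 0; i < npfx; i++)
        if (prefix_match(src, &pfx[i]))
            return NS_ACCEPT;
    return NS_DROP_OFFLINK;           /* neighbor by hop limit, not by prefix */
}

/* Constructed sample data: host knows 2001:db8:1::/64 as on-link. */
const struct onlink_prefix demo_pfx[1] = {{{0x20,0x01,0x0d,0xb8,0,1}, 64}};
const uint8_t demo_lan[16] = {0x20,0x01,0x0d,0xb8,0,1,0,0,0,0,0,0,0,0,0,5};
const uint8_t demo_isp[16] = {0x20,0x01,0x0d,0xb8,0,2,0,0,0,0,0,0,0,0,0,1};

int main(void)
{
    printf("isp strict=%d relaxed=%d forwarded=%d\n",
        check_ns(255, demo_isp, demo_pfx, 1, 1),
        check_ns(255, demo_isp, demo_pfx, 1, 0),
        check_ns(64, demo_lan, demo_pfx, 1, 1));
    return 0;
}
```

The `demo_isp` source passes the hop limit test but fails the prefix test in strict mode, which matches the silently dropped provider solicitations described in the quoted text.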
