Revisiting FreeBSD-SA-08:10.nd6 (or: avoiding IPv6 pain)

Dennis Kögel dk at neveragain.de
Fri Mar 6 07:16:05 UTC 2020


On 05.03.2020 at 13:27, Philip Homburg <pch-fbsd-2 at u-1.phicoh.com> wrote:
> In your letter dated Wed, 4 Mar 2020 21:10:09 +0100 you wrote:
>> This flag was introduced in a 2008 Security Advisory, because "non-neighbors"
>> could abuse Neighbor Discovery to potentially cause denial-of-service
>> situations.
>> In my situation it caused valid Neighbor Solicitation packets from my provider
>> to be silently dropped, making the connection effectively unusable.
> 
> In theory, the onlink status of a prefix should be announced in
> router advertisements and should be consistent across all nodes on a
> subnet. In that sense, if this check fails then the network is misconfigured.

Good point, and probably an indication that my provider's setup is broken. But in terms of RFC-perspective, RAs and ND are not strictly related, I believe - for example, prefixes might have been configured manually (?).

> That said, there is a specific check in processing Neighbor Discovery packets
> that the hop limit is equal to 255. In that sense any node that manages to
> send a packet with hop limit 255 is a neighbor, so I don't quite see how there
> could be an attack by non-neighbors.

Exactly, that's where I couldn't understand the Advisory. Though it seems to focus on router nodes, and not host nodes.

- D.
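
The two checks discussed in this thread, as an added example that is not part of the original post and not FreeBSD's code: a simplified model in which a Neighbor Solicitation must arrive with hop limit 255 and, when the stricter flag is on, must also have a source inside a known on-link prefix. The names `check_ns` and `strict_onlink` and the sample addresses (documentation range) are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* One on-link prefix, as learned from an RA or configured manually. */
struct onlink_prefix { struct in6_addr prefix; unsigned plen; };

enum ns_verdict { NS_ACCEPT, NS_DROP_HOPLIMIT, NS_DROP_OFFLINK };

/* Return 1 if addr lies inside p->prefix/p->plen. */
static int in_prefix(const struct in6_addr *addr, const struct onlink_prefix *p)
{
    unsigned full = p->plen / 8, rem = p->plen % 8;
    uint8_t mask;
    if (p->plen > 128 || memcmp(addr->s6_addr, p->prefix.s6_addr, full) != 0)
        return 0;
    if (rem == 0)
        return 1;
    mask = (uint8_t)(0xff << (8 - rem));
    return (addr->s6_addr[full] & mask) == (p->prefix.s6_addr[full] & mask);
}

/* Simplified model of NS input validation. strict_onlink is a hypothetical
 * name standing in for the flag discussed in the thread. */
enum ns_verdict check_ns(const struct in6_addr *src, int hop_limit,
    const struct onlink_prefix *pfx, size_t npfx, int strict_onlink)
{
    size_t i;
    if (hop_limit != 255)       /* routers decrement it: packet was forwarded */
        return NS_DROP_HOPLIMIT;
    if (!strict_onlink || IN6_IS_ADDR_UNSPECIFIED(src) || IN6_IS_ADDR_LINKLOCAL(src))
        return NS_ACCEPT;       /* DAD probes and link-local sources pass */
    for (i = 0; i < npfx; i++)
        if (in_prefix(src, &pfx[i]))
            return NS_ACCEPT;
    return NS_DROP_OFFLINK;     /* on the link, but outside every known prefix */
}

/* Constructed sample: the host knows one on-link prefix, 2001:db8:1::/64. */
enum ns_verdict sample_verdict(const char *src, int hop_limit, int strict_onlink)
{
    struct onlink_prefix pfx = { .plen = 64 };
    struct in6_addr a;
    inet_pton(AF_INET6, "2001:db8:1::", &pfx.prefix);
    inet_pton(AF_INET6, src, &a);
    return check_ns(&a, hop_limit, &pfx, 1, strict_onlink);
}
```

A solicitation from `2001:db8:ffff::1` with hop limit 255 is dropped only in strict mode, which matches the symptom described in the quoted first message: a sender on the same link whose global source address is outside the host's prefix list.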


More information about the freebsd-net mailing list