Date: Tue, 22 Jul 2014 10:01:50 -0700
From: Loganaden Velvindron <logan@elandsys.com>
To: Jinmei <jinmei@wide.ad.jp>
Cc: freebsd-net@freebsd.org, bz@freebsd.org, gnn@freebsd.org
Subject: Re: IPv6 nodeinfo default behaviour
Message-ID: <20140722170150.GA971@mx.elandsys.com>
In-Reply-To: <CAJE_bqexFJJBNQNt5-2YJ-PK+=1Hux0r0avMFAuX1bS5mZCT+g@mail.gmail.com>
References: <20140720090410.GA7990@mx.elandsys.com> <CAJE_bqexFJJBNQNt5-2YJ-PK+=1Hux0r0avMFAuX1bS5mZCT+g@mail.gmail.com>
On Tue, Jul 22, 2014 at 09:53:13AM -0700, JINMEI, Tatuya wrote:
> At Sun, 20 Jul 2014 02:04:10 -0700,
> Loganaden Velvindron <logan@elandsys.com> wrote:
>
> > Security Considerations
> >
> > This protocol shares the security issues of ICMPv6 that are
> > documented in the "Security Considerations" section of [5].
> >
> > This protocol has the potential of revealing information useful to a
> > would-be attacker. An implementation of this protocol MUST have a
> > default configuration that refuses to answer queries from global-
> > scope [3] addresses.
> >
> > I suggest that we switch to 0 by default to be more RFC compliant.
>
> Are you referring to the value of '(V_)icmp6_nodeinfo'?

I'm referring to the sysctl: net.inet6.icmp6.nodeinfo. In FreeBSD it's 3 by default.
OpenBSD switched it to 0, then later removed it completely.

I think that it's sensible to turn it to 0 by default, unless you need it.

> If so, and to be compliant with the above MUST of the RFC, it doesn't
> seem to have to be 0; it only has to have the ICMP6_NODEINFO_GLOBALOK
> bit cleared:
>
> 	/*
> 	 * Validate IPv6 source address.
> 	 * The default configuration MUST be to refuse answering queries from
> 	 * global-scope addresses according to RFC4602.
> 	 * Notes:
> 	 *  - it's not very clear what "refuse" means; this implementation
> 	 *    simply drops it.
> 	 *  - it's not very easy to identify global-scope (unicast) addresses
> 	 *    since there are many prefixes for them.  It should be safer
> 	 *    and in practice sufficient to check "all" but loopback and
> 	 *    link-local (note that site-local unicast was deprecated and
> 	 *    ULA is defined as global scope-wise)
> 	 */
> 	if ((V_icmp6_nodeinfo & ICMP6_NODEINFO_GLOBALOK) == 0 &&
> 	    !IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) &&
> 	    !IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_src))
> 		goto bad;
>
> and the default value already seems to meet this condition:
>
> 	VNET_DEFINE(int, icmp6_nodeinfo) =
> 	    (ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_NODEADDROK);
>
> --
> JINMEI, Tatuya
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
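The two positions in the thread (leave the sysctl at its default of 3, or set it to 0) differ only in how the source-address check quoted above behaves. The following is an added, stand-alone model of that check, not FreeBSD's kernel code: it redefines the ICMP6_NODEINFO_* bit values as they appear in FreeBSD's <netinet/icmp6.h> so it builds on any POSIX system, and it assumes (as the thread implies) that a value of 0 disables the Node Information responder entirely. The sample source addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Bit values as in FreeBSD's <netinet/icmp6.h>, redefined here so the
 * example compiles without the FreeBSD kernel headers. */
#define NI_FQDNOK      0x1   /* answer FQDN queries */
#define NI_NODEADDROK  0x2   /* answer node-address queries */
#define NI_TMPADDROK   0x4   /* include temporary addresses */
#define NI_GLOBALOK    0x8   /* answer queries from global-scope sources */

/* The FreeBSD default the mail refers to: 3 == FQDNOK|NODEADDROK. */
#define NI_DEFAULT (NI_FQDNOK | NI_NODEADDROK)

/*
 * Return 1 if a Node Information query from `src` would be answered under
 * sysctl value `nodeinfo`, 0 if it would be dropped. This mirrors the
 * check quoted in the thread: with GLOBALOK clear, only loopback and
 * link-local sources pass; everything else (including ULA, which is
 * global scope-wise) is dropped. A value of 0 is modelled as "responder
 * off", the behaviour the proposal in the thread asks for.
 */
static int ni_query_allowed(int nodeinfo, const struct in6_addr *src)
{
    if (nodeinfo == 0)
        return 0;
    if ((nodeinfo & NI_GLOBALOK) == 0 &&
        !IN6_IS_ADDR_LOOPBACK(src) &&
        !IN6_IS_ADDR_LINKLOCAL(src))
        return 0;
    return 1;
}

/* Same decision for a presentation-format address; -1 on a parse error
 * so callers can tell "malformed input" from "dropped by policy". */
static int ni_query_allowed_str(int nodeinfo, const char *src)
{
    struct in6_addr a;

    if (inet_pton(AF_INET6, src, &a) != 1)
        return -1;
    return ni_query_allowed(nodeinfo, &a);
}

int main(void)
{
    /* Constructed sample sources: loopback, link-local, global, ULA. */
    const char *srcs[] = { "::1", "fe80::1", "2001:db8::1", "fd00::1" };
    const struct { const char *name; int value; } settings[] = {
        { "default (3)",          NI_DEFAULT },
        { "default|GLOBALOK (11)", NI_DEFAULT | NI_GLOBALOK },
        { "disabled (0)",         0 },
    };
    size_t i, j;

    for (i = 0; i < sizeof(settings) / sizeof(settings[0]); i++) {
        printf("net.inet6.icmp6.nodeinfo = %s\n", settings[i].name);
        for (j = 0; j < sizeof(srcs) / sizeof(srcs[0]); j++)
            printf("  %-12s -> %s\n", srcs[j],
                   ni_query_allowed_str(settings[i].value, srcs[j])
                       ? "answered" : "dropped");
    }
    return 0;
}
```

Running the table shows the point made in the reply: at the default of 3 a query from 2001:db8::1 or fd00::1 is already dropped and only ::1 and fe80::1 are answered, so the RFC 4620 MUST is met without touching the sysctl; setting it to 0 additionally silences link-local and loopback queries, which is the stricter posture the original mail argues for.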