Date:      Tue, 15 Sep 1998 01:13:17 +0200
From:      sthaug@nethelp.no
To:        tlambert@primenet.com
Cc:        hackers@FreeBSD.ORG, questions@FreeBSD.ORG
Subject:   Re: problem using 3 x znyx314 cards for 12 de ethernets
Message-ID:  <10256.905814797@verdi.nethelp.no>
In-Reply-To: Your message of "Sun, 13 Sep 1998 23:03:26 +0000 (GMT)"
References:  <199809132303.QAA21895@usr04.primenet.com>

> > static int	icmpbmcastecho = 1;
> > SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW, &icmpbmcastecho,
> > 	   0, "");
> > 
> > I believe it should be turned *off* by default, and hope this is fixed
> > before 3.0 is released.
> 
> Being off by default would break SLP and IPv6 autodetection for
> address assignment.

When you say SLP, I assume you're talking about RFC 2165. From my
reading of RFC 2165, multicast is preferred:

   The Service Location discovery mechanisms typically multicast
   messages to as many enterprise networks as needed to establish
   service availability.  The protocol will operate in a broadcast  
   environment with limitations detailed in section 3.6.1.

It says that Service Agents must listen to the IP broadcast address, but
I assume there are considerably fewer Service Agents than User Agents,
and explicitly configuring them to listen to the IP broadcast address
would not seem to be an undue hardship.

As far as I can see, IPv6 autodetection uses multicast, not broadcast. 
Also, since the FreeBSD TCP/IP stack currently doesn't implement IPv6,
I find it hard to use this as a very strong argument.

My conclusion is that we probably need separate sysctl variables for
"multicast echo" and "broadcast echo", with the former defaulting to
on, and the latter to off. Yes, I volunteer to do this if there is
any interest.

> Certainly, you should be able to turn it off, but the correct place
> to block DOS broadcast ping attacks is your firewall.

I agree that this is the best place for it - but I'd also like FreeBSD
systems to be secure against smurf attacks out of the box, even if the
router/firewall/whatever lets IP broadcast through (and translates it
to link-level broadcast).

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
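
The split proposed above (separate "multicast echo" and "broadcast echo" knobs, the former on and the latter off by default), as an added example that is not FreeBSD's code or the poster's: a small decision function that classifies an IPv4 destination as limited broadcast, directed (subnet) broadcast, multicast or unicast and applies the two flags, so a host answers group pings but cannot act as a smurf amplifier. The sysctl-style names, the interface address and the netmask are assumptions for illustration.

```c
/* Added example, not FreeBSD code: models the proposed split policy.
 * Addresses are host-order IPv4 values; interface/netmask are assumed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Proposed separate knobs (names are assumptions, not FreeBSD's). */
static int icmp_mcast_echo = 1;   /* "multicast echo": on by default  */
static int icmp_bcast_echo = 0;   /* "broadcast echo": off by default */

void set_echo_policy(int mcast, int bcast) {
    icmp_mcast_echo = mcast;
    icmp_bcast_echo = bcast;
}

static bool is_ipv4_multicast(uint32_t dst) {
    return (dst & 0xF0000000u) == 0xE0000000u;     /* 224.0.0.0/4 */
}

/* Limited broadcast, or the directed broadcast of the receiving interface. */
static bool is_ipv4_broadcast(uint32_t dst, uint32_t ifaddr, uint32_t mask) {
    if (dst == 0xFFFFFFFFu) return true;
    if (mask == 0xFFFFFFFFu) return false;   /* /32 link: no directed bcast */
    return dst == ((ifaddr & mask) | ~mask);
}

/* Returns true if an echo request addressed to dst should be answered. */
bool should_answer_echo(uint32_t dst, uint32_t ifaddr, uint32_t mask) {
    if (is_ipv4_broadcast(dst, ifaddr, mask))
        return icmp_bcast_echo != 0;
    if (is_ipv4_multicast(dst))
        return icmp_mcast_echo != 0;
    return true;                              /* unicast is always answered */
}

uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
           ((uint32_t)c << 8) | (uint32_t)d;
}

int main(void) {
    /* Constructed interface config: 192.0.2.10/24 */
    uint32_t ifaddr = ip4(192, 0, 2, 10), mask = ip4(255, 255, 255, 0);
    printf("unicast   -> %d\n", should_answer_echo(ip4(192, 0, 2, 10), ifaddr, mask));
    printf("multicast -> %d\n", should_answer_echo(ip4(224, 0, 0, 1), ifaddr, mask));
    printf("directed  -> %d\n", should_answer_echo(ip4(192, 0, 2, 255), ifaddr, mask));
    printf("limited   -> %d\n", should_answer_echo(ip4(255, 255, 255, 255), ifaddr, mask));
    return 0;
}
```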
