[Bug 257709] Have net.inet6.icmp6.nodeinfo set 0 by default for more security
Date: Mon, 09 Aug 2021 12:32:14 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=257709

            Bug ID: 257709
           Summary: Have net.inet6.icmp6.nodeinfo set 0 by default for more security
           Product: Base System
           Version: 13.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: ruben@verweg.com

FreeBSD keeps net.inet6.icmp6.nodeinfo default at 3 (Respond to all queries).

To prevent information leakage that could be abused in other scenarios it should be set to 0 by default.

e.g. with

ping -c 1 -k acgslA <ll address obtained with ping -Y ff02::1%iface>%iface

will show all addresses on all interfaces

background:

* http://www.cu.ipv6tf.org/pdf/fgont-bsdcan2010-ipv6-security.pdf slide 23
* How this information was used to escape an airgapped network https://medium.com/sensorfu/escaping-from-a-truly-air-gapped-network-via-apple-awdl-6cf6f9ea3499

(Patched) MacOS seems to have this at 0 these days

-- 
You are receiving this mail because:
You are the assignee for the bug.
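
Until the default changes, an administrator can apply the setting the report asks for locally. The script below is an added example, not part of the bug report or of FreeBSD: it persists `net.inet6.icmp6.nodeinfo=0` in a sysctl.conf-style file without duplicating or clobbering other entries, then sets the live value. The function names and the `--apply` switch are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): persist and apply
# net.inet6.icmp6.nodeinfo=0 on a FreeBSD host.
KEY='net.inet6.icmp6.nodeinfo'
KEY_RE='net\.inet6\.icmp6\.nodeinfo'   # same name, dots escaped for sed/grep

# harden_nodeinfo_conf FILE  (hypothetical helper)
# Leave FILE with exactly one active "KEY=0" line and every other line intact.
# Returns 0 if FILE was already compliant, 1 if it was rewritten, 2 on error.
harden_nodeinfo_conf() {
    conf=$1
    [ -f "$conf" ] || : > "$conf" || return 2
    # Values of all active (uncommented) assignments, one per line.
    current=$(sed -n "s/^[[:space:]]*${KEY_RE}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$conf")
    [ "$current" = "0" ] && return 0
    tmp=$(mktemp "${TMPDIR:-/tmp}/nodeinfo.XXXXXX") || return 2
    # Drop stale or duplicate assignments; grep exits 1 when nothing is left.
    grep -v "^[[:space:]]*${KEY_RE}[[:space:]]*=" "$conf" > "$tmp" || true
    printf '%s=0\n' "$KEY" >> "$tmp"
    # Write back in place so the file keeps its owner and mode.
    cat "$tmp" > "$conf" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
    return 1
}

# apply_nodeinfo_runtime  (hypothetical helper)
# Set the live value to 0 if the running kernel exposes the key.
apply_nodeinfo_runtime() {
    live=$(sysctl -n "$KEY" 2>/dev/null) || { echo "$KEY not present" >&2; return 2; }
    [ "$live" = "0" ] || sysctl "${KEY}=0"
}

# Run only when asked to, e.g.: sh nodeinfo.sh --apply   (needs root)
if [ "${1:-}" = "--apply" ]; then
    harden_nodeinfo_conf /etc/sysctl.conf || [ $? -eq 1 ] || exit 2
    apply_nodeinfo_runtime
fi
```
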