IPv6 nodeinfo default behaviour
Loganaden Velvindron
logan at elandsys.com
Tue Jul 22 17:01:54 UTC 2014
On Tue, Jul 22, 2014 at 09:53:13AM -0700, JINMEI, Tatuya wrote:
> At Sun, 20 Jul 2014 02:04:10 -0700,
> Loganaden Velvindron <logan at elandsys.com> wrote:
>
> > Security Considerations
> >
> > This protocol shares the security issues of ICMPv6 that are
> > documented in the "Security Considerations" section of [5].
> >
> > This protocol has the potential of revealing information useful to a
> > would-be attacker. An implementation of this protocol MUST have a
> > default configuration that refuses to answer queries from global-
> > scope [3] addresses.
> >
> > I suggest that we switch to 0 by default to be more RFC compliant.
>
> Are you referring to the value of '(V_)icmp6_nodeinfo'?
I'm referring to the sysctl:
net.inet6.icmp6.nodeinfo.
In FreeBSD it's 3 by default. OpenBSD switched it to 0, then later
removed it completely.
I think that it's sensible to turn it to 0 by default, unless you need
it.
>
> If so, and to be compliant with the above MUST of the RFC, it doesn't
> seem to have to be 0; it only has to have the ICMP6_NODEINFO_GLOBALOK
> bit cleared:
>
> 	/*
> 	 * Validate IPv6 source address.
> 	 * The default configuration MUST be to refuse answering queries from
> 	 * global-scope addresses according to RFC4602.
> 	 * Notes:
> 	 *  - it's not very clear what "refuse" means; this implementation
> 	 *    simply drops it.
> 	 *  - it's not very easy to identify global-scope (unicast) addresses
> 	 *    since there are many prefixes for them.  It should be safer
> 	 *    and in practice sufficient to check "all" but loopback and
> 	 *    link-local (note that site-local unicast was deprecated and
> 	 *    ULA is defined as global scope-wise)
> 	 */
> 	if ((V_icmp6_nodeinfo & ICMP6_NODEINFO_GLOBALOK) == 0 &&
> 	    !IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) &&
> 	    !IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_src))
> 		goto bad;
>
> and the default value already seems to meet this condition:
>
> VNET_DEFINE(int, icmp6_nodeinfo) =
>     (ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_NODEADDROK);
>
> --
> JINMEI, Tatuya
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
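The following stand-alone C program is an added illustration of the point argued in the thread; it is not code from the thread or from the FreeBSD kernel. It models the quoted source-address gate and the per-query-type bits of net.inet6.icmp6.nodeinfo, using the bit values from FreeBSD's sys/netinet/icmp6.h (FQDNOK=0x1, NODEADDROK=0x2, TMPADDROK=0x4, GLOBALOK=0x8; reproduced here, so treat them as an assumption) and the RFC 4620 qtype codes. Treating a sysctl value of 0 as switching the responder off entirely is this example's own simplification. Running it shows why the default value 3 already satisfies the RFC's MUST: a query from a global-scope source is dropped unless the GLOBALOK bit is set, while setting the sysctl to 0 additionally refuses FQDN and node-address queries from local sources.

```c
#include <stdio.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Bit values mirror FreeBSD's sys/netinet/icmp6.h (assumed, not quoted from the thread). */
#define ICMP6_NODEINFO_FQDNOK     0x1
#define ICMP6_NODEINFO_NODEADDROK 0x2
#define ICMP6_NODEINFO_TMPADDROK  0x4
#define ICMP6_NODEINFO_GLOBALOK   0x8

/* ICMPv6 Node Information query types (RFC 4620 qtype codes). */
#define NI_QTYPE_NOOP     0
#define NI_QTYPE_SUPTYPES 1
#define NI_QTYPE_FQDN     2
#define NI_QTYPE_NODEADDR 3

enum ni_result {
    NI_BAD_INPUT    = -1, /* source address did not parse */
    NI_DISABLED     = 0,  /* sysctl value 0: responder off (example's assumption) */
    NI_DROP_SRC     = 1,  /* quoted check: non-loopback, non-link-local source dropped */
    NI_REFUSE_QTYPE = 2,  /* query type not enabled by the sysctl bits */
    NI_ANSWER       = 3   /* query would be answered */
};

/* Reproduces the gate quoted in the thread: unless GLOBALOK is set, only
 * loopback and link-local sources are served. ULA and other global-scope
 * unicast sources fall through to "drop". */
static int ni_src_allowed(int nodeinfo, const struct in6_addr *src)
{
    if (nodeinfo & ICMP6_NODEINFO_GLOBALOK)
        return 1;
    return IN6_IS_ADDR_LOOPBACK(src) || IN6_IS_ADDR_LINKLOCAL(src);
}

/* Per-qtype policy: FQDN only with FQDNOK, node addresses only with NODEADDROK.
 * NOOP and SUPTYPES reveal nothing host-specific and are always allowed here. */
static int ni_qtype_allowed(int nodeinfo, int qtype)
{
    switch (qtype) {
    case NI_QTYPE_NOOP:
    case NI_QTYPE_SUPTYPES:
        return 1;
    case NI_QTYPE_FQDN:
        return (nodeinfo & ICMP6_NODEINFO_FQDNOK) != 0;
    case NI_QTYPE_NODEADDR:
        return (nodeinfo & ICMP6_NODEINFO_NODEADDROK) != 0;
    default:
        return 0;
    }
}

/* Decide what the responder would do for a query of type qtype arriving
 * from src_text under sysctl value nodeinfo. */
int ni_decide(int nodeinfo, const char *src_text, int qtype)
{
    struct in6_addr src;

    if (inet_pton(AF_INET6, src_text, &src) != 1)
        return NI_BAD_INPUT;
    if (nodeinfo == 0)
        return NI_DISABLED;
    if (!ni_src_allowed(nodeinfo, &src))
        return NI_DROP_SRC;
    if (!ni_qtype_allowed(nodeinfo, qtype))
        return NI_REFUSE_QTYPE;
    return NI_ANSWER;
}

static const char *ni_name(int r)
{
    switch (r) {
    case NI_BAD_INPUT:    return "bad-input";
    case NI_DISABLED:     return "disabled";
    case NI_DROP_SRC:     return "drop-source";
    case NI_REFUSE_QTYPE: return "refuse-qtype";
    default:              return "answer";
    }
}

int main(void)
{
    /* Constructed sample sources: a documentation-prefix global address,
     * a link-local address and loopback. */
    const char *srcs[] = { "2001:db8::1", "fe80::1", "::1" };
    int values[] = { 0, ICMP6_NODEINFO_FQDNOK | ICMP6_NODEINFO_NODEADDROK,
                     ICMP6_NODEINFO_FQDNOK | ICMP6_NODEINFO_NODEADDROK |
                     ICMP6_NODEINFO_GLOBALOK };
    size_t i, j;

    for (i = 0; i < sizeof values / sizeof values[0]; i++)
        for (j = 0; j < sizeof srcs / sizeof srcs[0]; j++)
            printf("nodeinfo=%d src=%-12s fqdn-query -> %s\n", values[i], srcs[j],
                   ni_name(ni_decide(values[i], srcs[j], NI_QTYPE_FQDN)));
    return 0;
}
```

The table the program prints makes the two positions in the thread concrete: with the shipped default (3) every global-scope source is dropped before the query type is even examined, so the RFC's MUST is already met; setting the sysctl to 0 goes further and refuses hostname and address queries from link-local neighbours as well, which is the "unless you need it" trade-off.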