Revisiting FreeBSD-SA-08:10.nd6 (or: avoiding IPv6 pain)

[Dennis Kögel]

Dear all,

Am 05.03.2020 um 13:27 schrieb Philip Homburg <pch-fbsd-2 at u-1.phicoh.com>:
> In your letter dated Wed, 4 Mar 2020 21:10:09 +0100 you wrote:
>> This flag was introduced in a 2008 Security Advisory, because "non-neighbors" 
>> could abuse Neighbor Discovery to potentially cause denial-of-service situatio
>> ns.
>> In my situation it caused valid Neighbor Solicitation packets from my provider
>> to be silently dropped, making the connection effectively unusable.
> [...]
> That said, there is a specific check in processing Neighbor Discovery packets
> that the hop limit is equal to 255. In that sense any node that manages to
> send a packet with hop limit 255 is a neighbor, so I don't quite see how there
> could be an attack by non-neighbors.

some time has passed, therefore I'd like to ask if and how we should proceed on this issue.

AFAICT nobody came up with a good reason to keep the current default, at least for host nodes.

Given that the default causes weird issues in some few environments, it puts FreeBSD at a disadvantage -- other OS, even some other BSDs, "just work".
Another factor is that this problem appears only intermittently and is very not-obvious to figure out.

Basically,
1) change default to NOT ignore those NSol requests -- or
2) always print the corresponding warning message (instead of debug=1) -- or
3) do nothing.

I'm not too familiar with FreeBSD procedures, should I open an issue in bugzilla? And/or submit a patch?

Thanks in advance,
- D.