At Sun, 20 Jul 2014 02:04:10 -0700,
Loganaden Velvindron <lo...@elandsys.com> wrote:

>  Security Considerations
>
>    This protocol shares the security issues of ICMPv6 that are
>    documented in the "Security Considerations" section of [5].
>
>    This protocol has the potential of revealing information useful to a
>    would-be attacker.  An implementation of this protocol MUST have a
>    default configuration that refuses to answer queries from global-
>    scope [3] addresses.
>
> I suggest that we switch to 0 by default to be more RFC compliant.

Are you referring to the value of '(V_)icmp6_nodeinfo'?

If so, and to be compliant with the above MUST of the RFC, it doesn't
seem to have to be 0; it only has to have the ICMP6_NODEINFO_GLOBALOK
bit cleared:

    /*
     * Validate IPv6 source address.
     * The default configuration MUST be to refuse answering queries from
     * global-scope addresses according to RFC4602.
     * Notes:
     *  - it's not very clear what "refuse" means; this implementation
     *    simply drops it.
     *  - it's not very easy to identify global-scope (unicast) addresses
     *    since there are many prefixes for them.  It should be safer
     *    and in practice sufficient to check "all" but loopback and
     *    link-local (note that site-local unicast was deprecated and
     *    ULA is defined as global scope-wise)
     */
    if ((V_icmp6_nodeinfo & ICMP6_NODEINFO_GLOBALOK) == 0 &&
        !IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) &&
        !IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_src))
        goto bad;

and the default value already seems to meet this condition:

VNET_DEFINE(int, icmp6_nodeinfo) =
    (ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_NODEADDROK);

--
JINMEI, Tatuya
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
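The check discussed in this thread, written out as a stand-alone C program so the policy can be exercised against sample source addresses. This is an added example, not FreeBSD's code: the flag values are copied by hand from FreeBSD's netinet/icmp6.h, `NODEINFO_DEFAULT` mirrors the `VNET_DEFINE` above, and the function names and the constructed test addresses are the example's own. The point it demonstrates is the one Jinmei makes: what the MUST requires is that `ICMP6_NODEINFO_GLOBALOK` be clear, which the default (FQDNOK|NODEADDROK) already satisfies; setting the value to 0 is stricter than the RFC asks, while setting the GLOBALOK bit is what would actually expose the responder to global-scope queriers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Bit values as in FreeBSD's netinet/icmp6.h (copied by hand for this example). */
#define ICMP6_NODEINFO_FQDNOK     0x1
#define ICMP6_NODEINFO_NODEADDROK 0x2
#define ICMP6_NODEINFO_TMPADDROK  0x4
#define ICMP6_NODEINFO_GLOBALOK   0x8

/* Mirrors the VNET_DEFINE default quoted in the thread. */
#define NODEINFO_DEFAULT (ICMP6_NODEINFO_FQDNOK | ICMP6_NODEINFO_NODEADDROK)

/*
 * Source-address policy, same shape as the kernel check: unless the
 * administrator has set GLOBALOK, only loopback and link-local sources are
 * answered. Everything else (global unicast, ULA, deprecated site-local)
 * is treated as "global" and refused, exactly as the kernel comment says.
 */
bool nodeinfo_source_allowed(int nodeinfo, const struct in6_addr *src)
{
    if ((nodeinfo & ICMP6_NODEINFO_GLOBALOK) == 0 &&
        !IN6_IS_ADDR_LOOPBACK(src) &&
        !IN6_IS_ADDR_LINKLOCAL(src))
        return false;   /* kernel: goto bad (packet silently dropped) */
    return true;
}

/* Text-address wrapper: -1 on unparseable input, otherwise 0 (drop) or 1 (answer). */
int nodeinfo_check(int nodeinfo, const char *src_text)
{
    struct in6_addr src;
    if (inet_pton(AF_INET6, src_text, &src) != 1)
        return -1;
    return nodeinfo_source_allowed(nodeinfo, &src) ? 1 : 0;
}

/* The compliance condition itself: the MUST is met whenever GLOBALOK is clear. */
bool nodeinfo_default_is_compliant(int nodeinfo)
{
    return (nodeinfo & ICMP6_NODEINFO_GLOBALOK) == 0;
}

int main(void)
{
    /* Constructed sample sources: documentation prefix, ULA, site-local,
     * link-local and loopback. */
    const char *samples[] = { "::1", "fe80::1", "2001:db8::1", "fc00::1", "fec0::1" };
    const struct { const char *name; int value; } policies[] = {
        { "0 (proposed)",            0 },
        { "FQDNOK|NODEADDROK (default)", NODEINFO_DEFAULT },
        { "default|GLOBALOK",        NODEINFO_DEFAULT | ICMP6_NODEINFO_GLOBALOK },
    };

    for (size_t p = 0; p < sizeof policies / sizeof policies[0]; p++) {
        printf("icmp6_nodeinfo = %s -> RFC default met: %s\n",
               policies[p].name,
               nodeinfo_default_is_compliant(policies[p].value) ? "yes" : "no");
        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
            printf("  query from %-12s : %s\n", samples[i],
                   nodeinfo_check(policies[p].value, samples[i]) == 1 ? "answered" : "dropped");
    }
    return 0;
}
```

Running it shows that the proposed value 0 and the current default behave identically for the source-address check (both refuse everything but ::1 and fe80::/10); the only value that changes the outcome for global, ULA or site-local sources is one with the 0x8 bit set. A defender auditing a host therefore wants to confirm that bit is clear in the running sysctl, not that the whole value is zero.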
