At Sun, 20 Jul 2014 02:04:10 -0700, Loganaden Velvindron <lo...@elandsys.com> wrote:
> Security Considerations
>
>    This protocol shares the security issues of ICMPv6 that are
>    documented in the "Security Considerations" section of [5].
>
>    This protocol has the potential of revealing information useful to a
>    would-be attacker.  An implementation of this protocol MUST have a
>    default configuration that refuses to answer queries from global-
>    scope [3] addresses.
>
> I suggest that we switch to 0 by default to be more RFC compliant.

Are you referring to the value of '(V_)icmp6_nodeinfo'?  If so, and to
be compliant with the above MUST of the RFC, it doesn't seem to have to
be 0; it only has to have the ICMP6_NODEINFO_GLOBALOK bit cleared:

	/*
	 * Validate IPv6 source address.
	 * The default configuration MUST be to refuse answering queries from
	 * global-scope addresses according to RFC4602.
	 * Notes:
	 *  - it's not very clear what "refuse" means; this implementation
	 *    simply drops it.
	 *  - it's not very easy to identify global-scope (unicast) addresses
	 *    since there are many prefixes for them.  It should be safer
	 *    and in practice sufficient to check "all" but loopback and
	 *    link-local (note that site-local unicast was deprecated and
	 *    ULA is defined as global scope-wise)
	 */
	if ((V_icmp6_nodeinfo & ICMP6_NODEINFO_GLOBALOK) == 0 &&
	    !IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) &&
	    !IN6_IS_ADDR_LINKLOCAL(&ip6->ip6_src))
		goto bad;

and the default value already seems to meet this condition:

	VNET_DEFINE(int, icmp6_nodeinfo) =
	    (ICMP6_NODEINFO_FQDNOK|ICMP6_NODEINFO_NODEADDROK);

--
JINMEI, Tatuya
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
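The following is an added, stand-alone example and not code from the thread or from the FreeBSD kernel. It models in user space the source-address check JINMEI quotes: with the GLOBALOK bit clear, a Node Information query is answered only if its source is loopback or link-local, so ULA and deprecated site-local sources are refused along with everything else that is not loopback or link-local. It also shows that both the quoted default (FQDNOK|NODEADDROK) and the proposed value 0 satisfy the refuse-global-scope requirement; the difference between them is only which query types are answered from permitted sources. The NI_* bit values, the helper names and the sample addresses are assumptions made for this demo, not values taken from the page.

```c
/*
 * Added example (not FreeBSD code): user-space model of the RFC 4620
 * Node Information source check discussed in the message above.
 *
 * The NI_* bit positions below are ASSUMED for this demo; they play the
 * role of the kernel's ICMP6_NODEINFO_* flags but are not quoted from
 * netinet/icmp6.h.  Address tests are done on the portable s6_addr bytes
 * instead of the IN6_IS_ADDR_* macros so the file builds anywhere.
 */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define NI_FQDNOK     0x1  /* answer FQDN queries              (assumed) */
#define NI_NODEADDROK 0x2  /* answer node-address queries     (assumed) */
#define NI_IPV4ADDROK 0x4  /* answer IPv4-address queries     (assumed) */
#define NI_GLOBALOK   0x8  /* also answer global-scope sources (assumed) */

/* Same shape as the quoted VNET_DEFINE default: GLOBALOK is clear. */
#define NI_DEFAULT (NI_FQDNOK | NI_NODEADDROK)

/* ::1 */
static int is_loopback(const struct in6_addr *a)
{
    static const unsigned char lo[16] = { 0, 0, 0, 0, 0, 0, 0, 0,
                                          0, 0, 0, 0, 0, 0, 0, 1 };
    return memcmp(a->s6_addr, lo, sizeof lo) == 0;
}

/* fe80::/10 */
static int is_linklocal(const struct in6_addr *a)
{
    return a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80;
}

/*
 * Mirror of the kernel condition.  Returns 1 if a query from `src` may be
 * answered under the sysctl value `nodeinfo`, 0 if it must be dropped.
 * Note what is NOT special-cased: ULA (fc00::/7) and site-local (fec0::/10)
 * fall through to the refuse branch, exactly as the quoted comment intends.
 */
int ni_source_allowed(int nodeinfo, const struct in6_addr *src)
{
    if (nodeinfo & NI_GLOBALOK)
        return 1;                        /* operator opted in to global sources */
    if (is_loopback(src) || is_linklocal(src))
        return 1;
    return 0;                            /* "goto bad" in the kernel */
}

/* Textual wrapper for tests.  Returns -1 if `src_text` is not an IPv6 address. */
int ni_source_allowed_str(int nodeinfo, const char *src_text)
{
    struct in6_addr src;
    if (inet_pton(AF_INET6, src_text, &src) != 1)
        return -1;
    return ni_source_allowed(nodeinfo, &src);
}

int main(void)
{
    /* Constructed sample sources, not captured traffic. */
    const char *samples[] = { "::1", "fe80::1", "2001:db8::1", "fd00::1", "fec0::1" };
    const struct { const char *name; int value; } configs[] = {
        { "proposed 0",           0 },
        { "default FQDN|NODEADDR", NI_DEFAULT },
        { "default + GLOBALOK",   NI_DEFAULT | NI_GLOBALOK },
    };

    for (size_t c = 0; c < sizeof configs / sizeof configs[0]; c++) {
        printf("icmp6_nodeinfo = %s (0x%x)\n", configs[c].name, configs[c].value);
        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
            printf("  %-12s -> %s\n", samples[i],
                   ni_source_allowed_str(configs[c].value, samples[i]) ? "answer" : "drop");
    }
    return 0;
}
```

Run it and compare the first two configurations: they refuse the same set of sources, which is why the message argues that 0 is not needed to meet the MUST. Only the third configuration, with GLOBALOK set, answers the 2001:db8::/32 source.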