FYI,
http://security.freebsd.org/advisories/FreeBSD-SA-08:10.nd6.asc
"IPv6 routers may allow "on-link" IPv6 nodes to create and update the
router's neighbor cache and forwarding information. A malicious IPv6
node sharing a common router but on a different physical segment from
another node may be able to spoof Neighbor Discovery messages,
allowing it to update router information for the victim node."
...
"NOTE WELL: The solution described below causes IPv6 Neighbor
Discovery Neighbor Solicitation messages from non-neighbors to be
ignored. This can be re-enabled if required by setting the newly added
net.inet6.icmp6.nd6_onlink_ns_rfc4861 sysctl to a non-zero value."
+ /*
+ * According to recent IETF discussions, it is not a good idea
+ * to accept a NS from an address which would not be deemed
+ * to be a neighbor otherwise. This point is expected to be
+ * clarified in future revisions of the specification.
+ */
I wonder if off-list discussion qualifies as "IETF discussion". Or
has this been raised on a list somewhere?
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/nd6_nbr.c.diff?r1=1.52;r2=1.53
I guess we have a problem.
--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------