At Fri, 3 Oct 2008 19:36:12 -0400, "Hemant Singh (shemant)" <[EMAIL PROTECTED]> wrote:
> After, Erik Nordmark, Thomas Narten, myself, and Wes Beebee discussed > the issue you brought to v6ops @ IETF and we summarized that your issue > will not be able to touch the router forwarding tables, why did anyone > post a security warning to FeeeBSD with totally erroneous data? > > We never agreed during discussions in IETF that there was a security > problem. All that happens with the issue you raised is creation of a > bogus entry in the router or node ND-cache. > > I don't consider the following data (shown in square brackets) in the > BSD security posting as valid: You seem to forget the fact that the FreeBSD security advisory generally talks about that particular implementation. Anything written there is true, if you read it in the context of the FreeBSD implementation (as an extreme example, a PC router that runs an unmodified FreeBSD kernel). I believe people normally interpret this document in the correct context and won't be confused. You also seem to be trapped in a specific router implementation model where neighbor cache entries and forwarding tables are clearly separated and the latter doesn't affect the former. As far as I understand it, such a model is not a protocol-level requirement, but just an implementation choice. And, in fact, the FreeBSD kernel (or BSD implementations in general) tightly couples the ARP/ND tables with the forwarding table, so if a bogus entry is inserted in the former, it will affect forwarding behavior. As mentioned in the first paragraph, a PC router using a vanilla FreeBSD kernel behaves that way. I won't surprised even other commercial routers that use a customized BSD kernel have the same problem. --- JINMEI, Tatuya Internet Systems Consortium, Inc. -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------