On Tue, 15 Nov 2016, Alexis Rosen wrote:
As far as I can tell, this is an editing error of some sort, and in
fact you can NOT trigger the issue simply by having an IPv6 address
reachable with an ICMP.
Ah, what's the basis for that? I looked at the code, and that security
claim seemed possible.
Later in the advisory, it says:
Usage of Quagga without running the 'zebra' daemon, or no
IPv6 neighbor-discovery are not affected.
A quick look at the code also suggests this is so, but my familiarity
with this code is basically nil, and it would be very easy for me to
get this wrong.
The code concerned is all the zebra daemon, so that's correct. The code
that reads the message is only enabled if the zebra RA/ND feature is.
Note, you could have the kernel IPv6 ND/SLAC enabled, and be fine - it's
about the zebra feature. That's also not 100% clear.
regards,
--
Paul Jakma | p...@jakma.org | @pjakma | Key ID: 0xD86BF79464A2FF6A
Fortune:
hardware stress fractures
_______________________________________________
Quagga-dev mailing list
Quagga-dev@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-dev
