| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LRH.2.00.0810021048040.11598@netcore.fi> Date: Thu, 2 Oct 2008 11:07:48 +0300 (EEST) From: Pekka Savola <pekkas@...core.fi> To: netdev@...r.kernel.org Subject: Neighbor Discovery from non-neighbors (fwd) There is a bug in the Neighbor Discovery spec, and it's possible that Linux would also be similarly affected. Anyone check? For background discussion see: http://www.ietf.org/mail-archive/web/ipv6/current/msg09544.html ---------- Forwarded message ---------- Date: Thu, 2 Oct 2008 10:08:07 +0300 (EEST) From: Pekka Savola <pekkas@...core.fi> To: ipv6@...f.org Subject: Neighbor Discovery from non-neighbors FYI, http://security.freebsd.org/advisories/FreeBSD-SA-08:10.nd6.asc "IPv6 routers may allow "on-link" IPv6 nodes to create and update the router's neighbor cache and forwarding information. A malicious IPv6 node sharing a common router but on a different physical segment from another node may be able to spoof Neighbor Discovery messages, allowing it to update router information for the victim node." ... "NOTE WELL: The solution described below causes IPv6 Neighbor Discovery Neighbor Solicitation messages from non-neighbors to be ignored. This can be re-enabled if required by setting the newly added net.inet6.icmp6.nd6_onlink_ns_rfc4861 sysctl to a non-zero value." + /* + * According to recent IETF discussions, it is not a good idea + * to accept a NS from an address which would not be deemed + * to be a neighbor otherwise. This point is expected to be + * clarified in future revisions of the specification. + */ I wonder if off-list discussion qualifies as "IETF discussion". Or has this been raised on a list somewhere? http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/nd6_nbr.c.diff?r1=1.52;r2=1.53 I guess we have a problem. -- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@...f.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 -------------------------------------------------------------------- -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists