Discussion:
heads up: IPv6 routing header 0 issues
Gert Doering
2007-04-25 06:46:05 UTC
Hi,

I'm not sure whether "the NetBSD network folks" are aware of the following
issue:

http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf

it's about IPv6 type 0 routing headers, and the fact that all BSDs are
processing them to forward frames, even if ip6.forwarding = 0.

OpenBSD and FreeBSD have committed changes to their stacks yesterday
already (do not forward frames if we're not a router), so there seems to
be some sort of consensus on what's "the right thing to do".

I'm not qualified to work on adding RH0 filtering to pf(4), but if
nobody better qualified can find time, I could try to look at the FreeBSD
patches and see whether they can easily fit into NetBSD.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Mihai Chelaru
2007-04-25 07:03:59 UTC
Post by Gert Doering
I'm not sure whether "the NetBSD network folks" are aware of the following
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
It's already fixed in -current (thx Christos!) and I see a pull-up ticket for
netbsd-4 on releng.
--
Mihai

Bernd Ernesti
2007-04-25 07:06:49 UTC
Post by Gert Doering
Hi,
I'm not sure whether "the NetBSD network folks" are aware of the following
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
it's about IPv6 type 0 routing headers, and the fact that all BSDs are
processing them to forward frames, even if ip6.forwarding = 0.
OpenBSD and FreeBSD have committed changes to their stacks yesterday
already (do not forward frames if we're not a router), so there seems to
be some sort of consensus on what's "the right thing to do".
I guess you are talking about the following commit:

: Date: Sun, 22 Apr 2007 19:47:42 +0000 (UTC)
: From: Christos Zoulas <***@NetBSD.org>
: Subject: CVS commit: src
:
: Module Name: src
: Committed By: christos
: Date: Sun Apr 22 19:47:41 UTC 2007
:
: Modified Files:
: src/share/man/man7: sysctl.7
: src/sys/netinet6: ip6_input.c ip6_var.h route6.c
:
: Log Message:
: Disable processing of routing header type 0 packets since they can be used
: for DoS attacks. Provide a sysctl to re-enable them (net.inet6.ip6.rht0).
:
: Information from:
: http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
:
: To generate a diff of this commit:
: cvs rdiff -r1.8 -r1.9 src/share/man/man7/sysctl.7
: cvs rdiff -r1.101 -r1.102 src/sys/netinet6/ip6_input.c
: cvs rdiff -r1.40 -r1.41 src/sys/netinet6/ip6_var.h
: cvs rdiff -r1.17 -r1.18 src/sys/netinet6/route6.c

Bernd


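A worked illustration, added here and not part of the thread or of NetBSD's route6.c: a small C parser that walks an IPv6 extension-header chain, finds a routing header, and applies an RH0 policy of the kind the commit above describes. The policy merges the two approaches mentioned in the thread (an rht0 knob, plus not forwarding when ip6.forwarding is 0); the struct and function names, the policy struct standing in for the sysctls, and the inline packet builder are assumptions for this example. The sample packet is constructed in code, with addresses from the 2001:db8::/32 documentation prefix.

```c
/* Added example: RH0 extension-header walk and drop policy (not kernel code). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP6_HDRLEN  40
#define NH_HOPOPTS  0
#define NH_ROUTING  43
#define NH_NONE     59
#define NH_DSTOPTS  60

enum verdict { V_PASS = 0, V_DROP_RH0 = 1, V_MALFORMED = 2 };

struct rh_info {
    int     present;        /* a routing header was found */
    uint8_t type;           /* Routing Type field */
    uint8_t segments_left;
    uint8_t n_addrs;        /* type 0 only: number of listed addresses */
};

/* Assumed stand-ins for net.inet6.ip6.forwarding and net.inet6.ip6.rht0. */
struct rh0_policy { int forwarding; int rht0; };

/* Parse an IPv6 packet, fill *info, and return the verdict under *pol. */
enum verdict rh0_inspect(const uint8_t *pkt, size_t len,
                         const struct rh0_policy *pol, struct rh_info *info)
{
    memset(info, 0, sizeof *info);
    if (len < IP6_HDRLEN || (pkt[0] >> 4) != 6)
        return V_MALFORMED;
    size_t plen = ((size_t)pkt[4] << 8) | pkt[5];
    if (IP6_HDRLEN + plen > len)
        return V_MALFORMED;                      /* truncated payload */
    size_t end = IP6_HDRLEN + plen, off = IP6_HDRLEN;
    uint8_t nh = pkt[6];

    /* Only these extension headers may precede a routing header. */
    while (nh == NH_HOPOPTS || nh == NH_DSTOPTS || nh == NH_ROUTING) {
        if (off + 8 > end)
            return V_MALFORMED;
        /* Hdr Ext Len counts 8-octet units, excluding the first 8 octets. */
        size_t hlen = ((size_t)pkt[off + 1] + 1) * 8;
        if (off + hlen > end)
            return V_MALFORMED;
        if (nh == NH_ROUTING) {
            info->present       = 1;
            info->type          = pkt[off + 2];
            info->segments_left = pkt[off + 3];
            if (info->type == 0) {
                if (pkt[off + 1] & 1)            /* RFC 2460: must be even */
                    return V_MALFORMED;
                info->n_addrs = pkt[off + 1] / 2;
                if (info->segments_left > info->n_addrs)
                    return V_MALFORMED;          /* would be ICMP param problem */
                /* Segments Left == 0 means the header is ignored and the
                 * packet is delivered locally, so only > 0 needs a decision. */
                if (info->segments_left > 0 && (!pol->rht0 || !pol->forwarding))
                    return V_DROP_RH0;
            }
            return V_PASS;   /* first routing header decides for this example */
        }
        nh   = pkt[off];
        off += hlen;
    }
    return V_PASS;
}

/* Constructed sample: IPv6 + RH0 listing n_addrs hops that alternate between
 * two addresses, the ping-pong shape the linked talk uses. Returns length. */
size_t build_rh0_packet(uint8_t *buf, size_t cap, uint8_t n_addrs, uint8_t segs)
{
    static const uint8_t pfx[4] = { 0x20, 0x01, 0x0d, 0xb8 };  /* 2001:db8:: */
    size_t rhlen = 8 + 16 * (size_t)n_addrs, total = IP6_HDRLEN + rhlen;
    if (n_addrs > 127 || total > cap)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x60;                               /* version 6 */
    buf[4] = (uint8_t)(rhlen >> 8);
    buf[5] = (uint8_t)(rhlen & 0xff);            /* payload length */
    buf[6] = NH_ROUTING;
    buf[7] = 64;                                 /* hop limit */
    memcpy(buf + 8, pfx, 4);  buf[23] = 1;       /* src 2001:db8::1 */
    memcpy(buf + 24, pfx, 4); buf[39] = 2;       /* dst 2001:db8::2 */
    uint8_t *rh = buf + IP6_HDRLEN;
    rh[0] = NH_NONE;  rh[1] = (uint8_t)(2 * n_addrs);  rh[2] = 0;  rh[3] = segs;
    for (uint8_t i = 0; i < n_addrs; i++) {
        uint8_t *a = rh + 8 + 16 * i;
        memcpy(a, pfx, 4);
        a[15] = (i & 1) ? 0x10 : 0x11;           /* 2001:db8::10 / ::11 */
    }
    return total;
}

/* Convenience wrapper: build a sample and classify it under one policy. */
enum verdict rh0_check_sample(uint8_t n_addrs, uint8_t segs, int fwd, int rht0)
{
    uint8_t pkt[2100];
    struct rh_info info;
    struct rh0_policy pol = { fwd, rht0 };
    size_t n = build_rh0_packet(pkt, sizeof pkt, n_addrs, segs);
    return n ? rh0_inspect(pkt, n, &pol, &info) : V_MALFORMED;
}

int main(void)
{
    printf("host (fwd=0,rht0=0): %d\n", rh0_check_sample(4, 4, 0, 0));
    printf("router (fwd=1,rht0=1): %d\n", rh0_check_sample(4, 4, 1, 1));
    return 0;
}
```

Under this policy a non-forwarding host drops any RH0 that still has segments left, which is the behaviour the commit makes the default; setting rht0 on a forwarding box restores the old processing. Worth knowing when reading this thread today: RFC 5095 (December 2007) later deprecated RH0 outright, so current stacks discard it regardless of any such knob.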
Gert Doering
2007-04-25 07:36:17 UTC
Post by Bernd Ernesti
Post by Gert Doering
I'm not sure whether "the NetBSD network folks" are aware of the following
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
[..]
Post by Bernd Ernesti
: Date: Sun, 22 Apr 2007 19:47:42 +0000 (UTC)
: Subject: CVS commit: src
[..]
Post by Bernd Ernesti
: Disable processing of routing header type 0 packets since they can be used
: for DoS attacks. Provide a sysctl to re-enable them (net.inet6.ip6.rht0).
Indeed, that would be the necessary change.

I am not following the CVS commit messages - I checked tech-net, didn't
find anything here, nothing in any of the announcement lists either, so
I decided to err on the safe side, and bring it up here.

What about a pullup to netbsd-3 and netbsd-2?

gert
--
***@greenie.muc.de fax: +49-89-35655025 http://alpha.greenie.net/mgetty/

One difference between a man and a machine
is that a machine is quiet when well oiled.

Adrian Portelli
2007-04-25 07:59:56 UTC
Gert Doering wrote:
...
Post by Gert Doering
Indeed, that would be the necessary change.
I am not following the CVS commit messages - I checked tech-net, didn't
find anything here, nothing in any of the announcement lists either, so
I decided to err on the safe side, and bring it up here.
What about a pullup to netbsd-3 and netbsd-2?
gert
Hi,

A pullup for netbsd-3 is in the queue as well (1766). I'll start
looking into netbsd-2 hopefully over the weekend. We'll then be
releasing an advisory for the issue documenting the change in behaviour
WRT RH0.

regards,

adrian.

Gert Doering
2007-04-25 08:29:59 UTC
Hi,
Post by Adrian Portelli
...
Post by Gert Doering
What about a pullup to netbsd-3 and netbsd-2?
A pullup for netbsd-3 is in the queue as well (1766). I'll start
looking into netbsd-2 hopefully over the weekend. We'll then be
releasing an advisory for the issue documenting the change in behaviour
WRT RH0.
Cool. Thanks very much.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
