heads up: IPv6 routing header 0 issues

Hi,

I'm not sure whether "the NetBSD network folks" are aware of the following
issue:

  http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf

it's about IPv6 type 0 routing headers, and the fact that all BSDs are
processing them to forward frames, even if ip6.forwarding = 0.

OpenBSD and FreeBSD have committed changes to their stacks yesterday
already (do not forward frames if we're not a router), so there seems to
be some sort of consensus on what's "the right thing to do".

I'm not qualified to work on adding RH0 filtering to pf(4), but if nobody
better qualified can find time, I could try to look at the FreeBSD patches
and see whether they can easily fit into NetBSD.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                   //www.muc.de/~gert/
Gert Doering - Munich, Germany                     gert@...
fax: +49-89-35655025                               gert@...

Re: heads up: IPv6 routing header 0 issues

On Wed, Apr 25, 2007 at 08:46:05AM +0200, Gert Doering wrote:
> Hi,
>
> I'm not sure whether "the NetBSD network folks" are aware of the following
> issue:
>
>   http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
>
> it's about IPv6 type 0 routing headers, and the fact that all BSDs are
> processing them to forward frames, even if ip6.forwarding = 0.
>
> OpenBSD and FreeBSD have committed changes to their stacks yesterday
> already (do not forward frames if we're not a router), so there seems to
> be some sort of consensus on what's "the right thing to do".

I guess you are talking about the following commit:

: Date: Sun, 22 Apr 2007 19:47:42 +0000 (UTC)
: From: Christos Zoulas <christos@...>
: Subject: CVS commit: src
:
: Module Name:    src
: Committed By:   christos
: Date:           Sun Apr 22 19:47:41 UTC 2007
:
: Modified Files:
:         src/share/man/man7: sysctl.7
:         src/sys/netinet6: ip6_input.c ip6_var.h route6.c
:
: Log Message:
: Disable processing of routing header type 0 packets since they can be used
: of DoS attacks. Provide a sysctl to re-enable them (net.inet6.ip6.rht0).
:
: Information from:
: http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
:
: To generate a diff of this commit:
: cvs rdiff -r1.8 -r1.9 src/share/man/man7/sysctl.7
: cvs rdiff -r1.101 -r1.102 src/sys/netinet6/ip6_input.c
: cvs rdiff -r1.40 -r1.41 src/sys/netinet6/ip6_var.h
: cvs rdiff -r1.17 -r1.18 src/sys/netinet6/route6.c

Bernd

Re: heads up: IPv6 routing header 0 issues

Bernd Ernesti wrote:
>On Wed, Apr 25, 2007 at 08:46:05AM +0200, Gert Doering wrote:
>> I'm not sure whether "the NetBSD network folks" are aware of the following
>> issue:
>>
>>   http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
[..]
>I guess you are talking about the following commit:
>: Date: Sun, 22 Apr 2007 19:47:42 +0000 (UTC)
>: From: Christos Zoulas <christos@...>
>: Subject: CVS commit: src
[..]
>: Log Message:
>: Disable processing of routing header type 0 packets since they can be used
>: of DoS attacks. Provide a sysctl to re-enable them (net.inet6.ip6.rht0).

Indeed, that would be the necessary change.

I am not following the CVS commit messages - I checked tech-net, didn't
find anything here, nothing in any of the announcement lists either, so
I decided to err on the safe side, and bring it up here.

What about a pullup to netbsd-3 and netbsd-2?

gert
--
gert@...                                   fax: +49-89-35655025
http://alpha.greenie.net/mgetty/
One difference between a man and a machine is that a machine is quiet
when well oiled.

Re: heads up: IPv6 routing header 0 issues

Gert Doering wrote:
...
> Indeed, that would be the necessary change.
>
> I am not following the CVS commit messages - I checked tech-net, didn't
> find anything here, nothing in any of the announcement lists either, so
> I decided to err on the safe side, and bring it up here.
>
> What about a pullup to netbsd-3 and netbsd-2?
>
> gert
>

Hi,

A pullup for netbsd-3 is in the queue as well (1766). I'll start
looking into netbsd-2 hopefully over the weekend. We'll then be
releasing an advisory for the issue documenting the change in behaviour
WRT RH0.

regards,

adrian.

Re: heads up: IPv6 routing header 0 issues

Hi,

On Wed, Apr 25, 2007 at 08:59:56AM +0100, Adrian Portelli wrote:
> Gert Doering wrote:
> ...
> > What about a pullup to netbsd-3 and netbsd-2?
>
> A pullup for netbsd-3 is in the queue as well (1766). I'll start
> looking into netbsd-2 hopefully over the weekend. We'll then be
> releasing an advisory for the issue documenting the change in behaviour
> WRT RH0.

Cool. Thanks very much.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                   //www.muc.de/~gert/
Gert Doering - Munich, Germany                     gert@...
fax: +49-89-35655025                               gert@...
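
The RH0 check the thread talks about (refusing type 0 routing headers, or filtering them in a packet filter) comes down to walking the IPv6 extension-header chain. The following is an added example, not code from the NetBSD commit or from any poster; rh0_check() is a hypothetical name and the sample packets are constructed with all-zero addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { RH0_BAD = -1, RH0_NONE = 0, RH0_FOUND = 1 };

/* Walk the extension-header chain of one raw IPv6 packet and report
 * whether it carries a routing header (next-header 43) of type 0. */
int rh0_check(const uint8_t *p, size_t len)
{
    if (len < 40 || (p[0] >> 4) != 6)
        return RH0_BAD;                 /* no full IPv6 fixed header */
    uint8_t nh = p[6];
    size_t off = 40;
    for (;;) {
        size_t hlen;
        /* hop-by-hop (0), routing (43), fragment (44), dest. options (60) */
        if (nh != 0 && nh != 43 && nh != 44 && nh != 60)
            return RH0_NONE;            /* upper layer reached: stop */
        if (len - off < 8)
            return RH0_BAD;             /* truncated extension header */
        if (nh == 44) {
            hlen = 8;                   /* fragment header has fixed size */
            if (((p[off + 2] << 8 | p[off + 3]) & 0xfff8) != 0)
                return RH0_NONE;        /* later fragment: chain not here */
        } else {
            hlen = ((size_t)p[off + 1] + 1) * 8;
        }
        if (hlen > len - off)
            return RH0_BAD;             /* header runs past the packet */
        if (nh == 43 && p[off + 2] == 0)
            return RH0_FOUND;           /* routing type 0 */
        nh = p[off];
        off += hlen;
    }
}

/* Constructed samples: RH0 directly, RH0 behind hop-by-hop, type 2 RH. */
static const uint8_t pkt_rh0[64] =
    { [0] = 0x60, [5] = 24, [6] = 43, [40] = 59, [41] = 2, [42] = 0, [43] = 1 };
static const uint8_t pkt_hbh_rh0[72] =
    { [0] = 0x60, [5] = 32, [6] = 0, [40] = 43, [48] = 59, [49] = 2, [51] = 1 };
static const uint8_t pkt_rh2[64] =
    { [0] = 0x60, [5] = 24, [6] = 43, [40] = 59, [41] = 2, [42] = 2, [43] = 1 };

int main(void)
{
    printf("%d %d %d\n", rh0_check(pkt_rh0, sizeof pkt_rh0),
           rh0_check(pkt_hbh_rh0, sizeof pkt_hbh_rh0),
           rh0_check(pkt_rh2, sizeof pkt_rh2));
    return 0;
}
```

A filter or input path would drop or refuse the packet on RH0_FOUND and treat RH0_BAD as malformed rather than as clean.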