Some further explanation of one of these issues:

> CVE-2012-5363 - flood of ICMPv6 Neighbor Solicitation messages
>
> These packets announce an IPv6 host's presence on the local network.
> The source addresses of these packets are cached in a table
> of 'neighbour' hosts. The table can be filled if a large number of
> source addresses are spoofed. This incurs heavy CPU load and can break
> IPv6 networking on all interfaces.

It is important to note this is different from the others, and is not related to having accept_rtadv enabled, but affects any FreeBSD IPv6 host.

A very elegant and complete fix for this is applied in OpenBSD and more recently NetBSD, and this specific change is something we might want to try ourselves and/or see merged upstream:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/nd6.c.diff?r1=1.77;r2=1.78

This works by:

* triggering garbage collection of the neighbour cache when it fills (this avoids a total DoS)
* using an LRU list, to try to preserve entries for hosts that are being actively communicated with, in preference to spoofed entries which eventually fall to the bottom of the list and are purged (this mitigates the impact of cache purges on genuine IPv6 communication, and makes it viable for the cache to be made smaller)
* limiting the size of the neighbour cache (ip6_neighborgcthresh) to 2048 entries by default (operations on a smaller cache incur less CPU load): http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/in6_proto.c.diff?r1=1.95&r2=1.95.8.1&f=h

There were other changes in this commit, to try to mitigate CVE-2011-2393 and CVE-2012-5365, but less than ideal.

Regards,
--
Steven Chamberlain
ste...@pyro.eu.org

Archive: http://lists.debian.org/51f79966.5050...@pyro.eu.org
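The cache policy described in the message (garbage collection at a threshold plus LRU ordering), as an added simulation that is not the OpenBSD/NetBSD kernel code. It keeps the 2048-entry default from the message; the peer addresses, the spoofed flood and the `lru=False` comparison cache are constructed here to show why LRU ordering keeps genuine peers resolvable while a plain insertion-ordered cache repeatedly purges them.

```python
from collections import OrderedDict

# Added example, not kernel code: simulates the neighbour-cache policy
# described in the message. Threshold 2048 follows the message; all
# addresses below are constructed sample data.

class NeighborCache:
    """Bounded neighbour cache; gc() purges entries from the cold end."""

    def __init__(self, gcthresh=2048, lru=True):
        self.gcthresh = gcthresh
        self.lru = lru                 # False: never reorder (insertion order only)
        self.entries = OrderedDict()   # oldest first, newest last
        self.purged = 0

    def touch(self, addr):
        """Traffic seen from addr: refresh an existing entry or create one."""
        if addr in self.entries:
            if self.lru:
                self.entries.move_to_end(addr)   # mark as recently used
            return
        self.entries[addr] = True
        if len(self.entries) > self.gcthresh:
            self.gc()

    def gc(self):
        """Drop the least recently used entries until back under threshold."""
        while len(self.entries) > self.gcthresh:
            self.entries.popitem(last=False)
            self.purged += 1


def simulate_flood(lru, gcthresh=2048, rounds=100, burst=1000):
    """Interleave genuine peer traffic with a spoofed flood; summarise the outcome."""
    cache = NeighborCache(gcthresh, lru)
    active = [f"2001:db8::a:{i:x}" for i in range(4)]   # constructed genuine peers
    misses = 0
    for r in range(rounds):
        for host in active:                # genuine peers keep talking every round
            if r > 0 and host not in cache.entries:
                misses += 1                # peer was purged and must be re-learned
            cache.touch(host)
        for i in range(burst):             # constructed spoofed solicitations
            cache.touch(f"2001:db8:dead::{r:x}:{i:x}")
    return {"size": len(cache.entries), "active_misses": misses, "purged": cache.purged}
```

With `lru=True` the four genuine peers are never purged (at most 1000 spoofed inserts separate two refreshes, below the 2048 threshold), while the same flood against the insertion-ordered cache evicts them periodically.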