Re: [PATCH] Implement the upcoming RFC4941bis (IPv6 SLAAC temporary addresses/privacy extensions)

2020-04-06 Thread Fernando Gont
Folks, Any thoughts? On 2/4/20 22:55, Fernando Gont wrote: Folks/Hiroki, I've implemented the upcoming revision of RFC4941 (https://tools.ietf.org/html/draft-ietf-6man-rfc4941bis-08) for FreeBSD. The main changes are this: * Reduce the Valid Lifetime from 1 week to 2 days.
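As an added example (my own code, not the patch or the FreeBSD implementation): a user-space model of how rfc4941bis (published as RFC 8981) derives a temporary address's lifetimes from a Prefix Information Option. It uses the draft's constants: TEMP_VALID_LIFETIME of 2 days (the change named above), TEMP_PREFERRED_LIFETIME of 1 day, MAX_DESYNC_FACTOR of 0.4 * TEMP_PREFERRED_LIFETIME, and REGEN_ADVANCE derived from TEMP_IDGEN_RETRIES and the DAD parameters. It also shows why a small PIO lifetime matters, which is what the "React to small IPv6 PIO Valid Lifetimes" and "More appropriate vltime" patches further down deal with: a temporary address can never outlive the prefix it came from, and a PIO whose Preferred Lifetime would not leave more than REGEN_ADVANCE seconds yields no temporary address at all. The DAD defaults (1 transmit, 1000 ms RetransTimer) and the function names are assumptions of this example.

```python
"""Temporary-address lifetimes per draft-ietf-6man-rfc4941bis (RFC 8981), modelled in user space.

Example code written for this page; it is not the FreeBSD patch or kernel code.
"""
import random
from dataclasses import dataclass
from typing import Optional

# Protocol constants from the draft. Times are in seconds.
TEMP_VALID_LIFETIME = 2 * 24 * 3600       # 2 days; RFC 4941 had 1 week
TEMP_PREFERRED_LIFETIME = 1 * 24 * 3600   # 1 day
TEMP_IDGEN_RETRIES = 3
MAX_DESYNC_FACTOR = int(0.4 * TEMP_PREFERRED_LIFETIME)   # 34560 s


def regen_advance(dad_transmits: int = 1, retrans_timer_ms: int = 1000) -> int:
    """REGEN_ADVANCE = 2 + (TEMP_IDGEN_RETRIES * DupAddrDetectTransmits * RetransTimer / 1000).

    The DAD defaults (1 transmit, 1000 ms RetransTimer) are an assumption of this example."""
    return 2 + (TEMP_IDGEN_RETRIES * dad_transmits * retrans_timer_ms) // 1000


def new_desync_factor(rng: Optional[random.Random] = None) -> int:
    """DESYNC_FACTOR is drawn from [0, MAX_DESYNC_FACTOR] for each temporary address."""
    r = rng if rng is not None else random.SystemRandom()
    return r.randint(0, MAX_DESYNC_FACTOR)


@dataclass(frozen=True)
class Lifetimes:
    valid: int      # seconds until the address becomes invalid
    preferred: int  # seconds until the address becomes deprecated


def temp_lifetimes(pio_valid: int, pio_preferred: int, desync_factor: int,
                   regen: Optional[int] = None) -> Optional[Lifetimes]:
    """Lifetimes for a temporary address derived from a PIO, or None if none should be created.

    pio_valid / pio_preferred are the Valid and Preferred Lifetimes carried in the
    Prefix Information Option of the Router Advertisement."""
    if regen is None:
        regen = regen_advance()
    if pio_preferred > pio_valid:
        # RFC 4862 section 5.5.3: such a PIO is silently ignored
        return None
    # The temporary address never outlives the prefix it was derived from ...
    valid = min(TEMP_VALID_LIFETIME, pio_valid)
    # ... and its preferred lifetime is staggered by DESYNC_FACTOR so that all
    # hosts on the link do not regenerate at the same instant.
    preferred = min(TEMP_PREFERRED_LIFETIME - desync_factor, pio_preferred)
    # A temporary address is created only if it would be preferred for longer than
    # REGEN_ADVANCE; otherwise it would need regeneration as soon as it exists.
    if preferred <= regen:
        return None
    return Lifetimes(valid=valid, preferred=preferred)


def should_regenerate(preferred_remaining: int, regen: Optional[int] = None) -> bool:
    """A replacement is generated REGEN_ADVANCE seconds before the current address is
    deprecated, so that DAD on the new one completes before the old one stops being used."""
    if regen is None:
        regen = regen_advance()
    return preferred_remaining <= regen


if __name__ == "__main__":
    week = 7 * 24 * 3600
    d = new_desync_factor(random.Random(1))
    print("PIO 1 week / 1 week ->", temp_lifetimes(week, week, d))   # capped at 2 days / ~1 day
    print("PIO 1800 s / 900 s  ->", temp_lifetimes(1800, 900, d))    # clamped to the PIO
    print("PIO 1800 s / 5 s    ->", temp_lifetimes(1800, 5, d))      # None: not worth creating
    print("regenerate with", regen_advance(), "s left:", should_regenerate(regen_advance()))
```

Run it to see the three cases side by side: a long-lived prefix is capped by the temporary-address constants, a short-lived prefix clamps the temporary address to the prefix, and a prefix whose preferred lifetime is within REGEN_ADVANCE produces no temporary address.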

Re: Revisiting FreeBSD-SA-08:10.nd6 (or: avoiding IPv6 pain)

2020-04-06 Thread Fernando Gont
utes. But yes: use normal IPv6 send mechanisms. And also probably motivate that nodes use the address of the sending interface (strong-end system model, per RFC1122). Thanks, -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945

Re: Revisiting FreeBSD-SA-08:10.nd6 (or: avoiding IPv6 pain)

2020-04-05 Thread Fernando Gont

[PATCH] Implement the upcoming RFC4941bis (IPv6 SLAAC temporary addresses/privacy extensions)

2020-04-02 Thread Fernando Gont
ID. @@ -2289,7 +2330,6 @@ in6_tmpifadd(const struct in6_ifaddr *ia0, int forcegen, int delay) * there may be a time lag between generation of the ID and generation * of the address. So, we'll do one more sanity check. */

[PATCH] React to small IPv6 PIO Valid Lifetimes

2020-04-02 Thread Fernando Gont
lt6_tmp.ia6t_vltime = new->ndpr_vltime; lt6_tmp.ia6t_pltime = new->ndpr_pltime; in6_init_address_ltimes(pr, &lt6_tmp); cut here Thanks! Cheers,
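Review bot: in the visible lines lt6_tmp.ia6t_vltime and lt6_tmp.ia6t_pltime are assigned straight from new->ndpr_vltime and new->ndpr_pltime before in6_init_address_ltimes(), with no min() against the temporary-address caps (TEMP_VALID_LIFETIME, and TEMP_PREFERRED_LIFETIME minus DESYNC_FACTOR) or against the address's current remaining lifetimes. If this branch is only reached when the PIO values are smaller than what the address already has, say so in a comment at the assignment, since the condition is cut off in this excerpt and the reader has to trust it; otherwise clamp to the lesser value so that a PIO cannot extend a temporary address beyond the rfc4941bis limits.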

Question about rtadvd

2020-03-31 Thread Fernando Gont
d be specified for interface em0." since the config for em0 does specify rtltime -- unless I'm missing something. Thanks! Cheers,

PATCH: More appropriate vltime for IPv6 temp addrs (rfc4941bis)

2020-03-27 Thread Fernando Gont
-vltime.txt Thanks,

IPv6 SLAAC and renumbering events

2020-02-20 Thread Fernando Gont
html/draft-gont-v6ops-slaac-renum-02 Question: Would you guys be interested in an implementation of the proposed mitigations? P.S.: If you have any thoughts or comments on the proposed mitigations, that would be appreciated, too. Thanks! Cheers,

IPv6 temporary addresses (Fwd: New Version Notification for draft-ietf-6man-rfc4941bis-03.txt)

2019-09-05 Thread Fernando Gont
...@ietf.org To: Fernando Gont , Suresh Krishnan , Richard Draves , Thomas Narten A new version of I-D, draft-ietf-6man-rfc4941bis-03.txt has been successfully submitted by Fernando Gont and posted to the IETF repository. Name: draft-ietf-6man-rfc4941bis Revision: 03 Title: Pri

Re: Recognize change of IPv6 prefix

2019-03-05 Thread Fernando Gont
tf.org/html/draft-gont-6man-slaac-renum ? Thanks! Cheers,

PF support for IPv6 Extension Headers

2015-06-10 Thread Fernando Gont
that contain a Destination Options Header") * Filtering packets based on the EH size * Filtering packets based on the number of EHs they contain (e.g., drop the packet if it employs more than 5 EHs) etc. Thoughts? Thanks! Best regards,

Re: Routing IPv6 packets towards oneself with routing sockets?

2014-08-08 Thread Fernando Gont
ned with sizeof(long) and 2) > IFACE_LENGTH should be IFNAMSIZ. Thanks so much! -- I'll incorporate these into the ipv6toolkit (that's the reason for which I was playing with this in the first place). Thanks again! Best regards,

Re: Routing IPv6 packets towards oneself with routing sockets?

2014-08-07 Thread Fernando Gont
Hi, Hiroki, On 08/07/2014 06:24 AM, Hiroki Sato wrote: > > Fernando Gont wrote > in <53e2b586.3080...@gont.com.ar>: > > fe> However, whenever I lookup an entry for fc00:1::1 with routing sockets, > fe> the only entry I obtain is fc00:1::/64 (a network route) r

Routing IPv6 packets towards oneself with routing sockets?

2014-08-06 Thread Fernando Gont
ia routing sockets. And that I shouldn't be implementing this "is the dst address my own address?" hack. Any thoughts? P.S.: I can provide a code snippet if that'd be of any help. Thanks! Best regards,

Re: IPv6 nodeinfo default behaviour

2014-07-27 Thread Fernando Gont
link-local by default). But I understand YMMV. While node information message can be interesting at times, since they are only supported in BSDs and can only be used when on-link, it's not a debugging mechanism you can rely on. As a result of that, my 2cents would be "disable them by default

Fwd: RFC 7217 on A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)

2014-05-03 Thread Fernando Gont
ecial distribution should be addressed to either the author of the RFC in question, or to rfc-edi...@rfc-editor.org. Unless specifically noted otherwise on the RFC itself, all RFCs are for unlimited distribution. The RFC Editor Team Association Management Solutions, LLC

Fwd: RFC 6980 on Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery

2013-08-14 Thread Fernando Gont

Re: TCP Loopback Connections with the Same Src/Dest Port

2013-07-18 Thread Fernando Gont
nnection entering FIN_WAIT_1 at the same time and > sending FIN/ACKs repeatedly (though our connections are a bizarre case > of this where both ends of the connection are actually the same > connection). Last time I checked, FreeBSD was handling this case properly... so this is probably th

Re: Show multicast groups joined?

2013-06-15 Thread Fernando Gont
On 06/16/2013 01:51 AM, Bruce A. Mah wrote: > If memory serves me right, Fernando Gont wrote: > >> What would be the appropriate command to show the IPv6 multicast >> groups joined by all/each interface? > > Try ifmcstat(8). That's exactly what I wanted. Thanks

Show multicast groups joined?

2013-06-15 Thread Fernando Gont
Folks, What would be the appropriate command to show the IPv6 multicast groups joined by all/each interface? Thanks in advance!

IPv6 Toolkit v1.3.1 released!

2013-02-19 Thread Fernando Gont
@SI6Networks. Thanks! Best regards,

pcap DLT_NULL encapsulation

2013-02-18 Thread Fernando Gont
ed, it seems those bytes are being rewritten). Is this a known issue with gogoc? Am I missing something else? Thanks! Best regards,
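As an added example (not from the original thread, and not gogoc or libpcap code): a parser for the DLT_NULL (LINKTYPE_NULL, value 0) encapsulation that libpcap uses for BSD loopback and tunnel interfaces. Each frame starts with a 4-byte address-family field written in the capturing host's byte order, so a reader has to try both orders; AF_INET is 2 everywhere, while AF_INET6 is 24 on NetBSD/OpenBSD, 28 on FreeBSD and 30 on macOS. When that field has been rewritten to something unrecognisable, which is the symptom described above, the parser falls back to the IP version nibble of the payload instead of dropping the frame. The pcap bytes it reads are constructed inline.

```python
"""DLT_NULL frame and classic pcap parsing. Example code for this page, not libpcap's own.

DLT_NULL frames carry a 4-byte address family (AF_*) in the capturing host's byte order,
followed directly by the IP packet. The AF_INET6 value differs between BSDs.
"""
import struct
from typing import Iterator, List, Tuple

DLT_NULL = 0
PCAP_MAGIC = 0xA1B2C3D4

AF_INET = 2
AF_INET6_VALUES = {24: "NetBSD/OpenBSD", 28: "FreeBSD", 30: "macOS/Darwin"}


def parse_null_frame(frame: bytes) -> Tuple[str, str, bytes]:
    """Return (family, header_byte_order, ip_payload) for one DLT_NULL frame.

    header_byte_order is "little" or "big" when the AF field was recognised, or
    "unknown" when we had to fall back to the IP version nibble."""
    if len(frame) < 4:
        raise ValueError("DLT_NULL frame shorter than its 4-byte header")
    hdr, payload = frame[:4], frame[4:]
    for fmt, order in (("<I", "little"), (">I", "big")):
        (af,) = struct.unpack(fmt, hdr)
        if af == AF_INET:
            return "ipv4", order, payload
        if af in AF_INET6_VALUES:
            return "ipv6", order, payload
    # AF field not recognised in either order (e.g. overwritten by a tunnel
    # driver): trust the IP version nibble of the payload instead.
    if payload:
        version = payload[0] >> 4
        if version == 4:
            return "ipv4", "unknown", payload
        if version == 6:
            return "ipv6", "unknown", payload
    raise ValueError(f"unrecognised DLT_NULL header {hdr.hex()}")


def iter_pcap_frames(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (linktype, frame_bytes) for every record of a classic (non-pcapng) pcap file."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        e = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (magic mismatch)")
    # version_major, version_minor, thiszone, sigfigs, snaplen, network (link type)
    *_, linktype = struct.unpack(e + "HHiIII", data[4:24])
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated pcap record")
        off += incl_len
        yield linktype, frame


def decode_null_pcap(data: bytes) -> List[Tuple[str, str]]:
    """Classify every frame of a DLT_NULL capture as (family, header_byte_order)."""
    out = []
    for linktype, frame in iter_pcap_frames(data):
        if linktype != DLT_NULL:
            raise ValueError(f"expected a DLT_NULL capture, got linktype {linktype}")
        family, order, _payload = parse_null_frame(frame)
        out.append((family, order))
    return out


def build_pcap(frames: List[bytes], endian: str = "<") -> bytes:
    """Assemble a classic pcap file around the given DLT_NULL frames (constructed test data)."""
    data = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_NULL)
    for i, frame in enumerate(frames):
        data += struct.pack(endian + "IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return data


# Constructed sample packets: only the version nibble and the lengths matter here.
IPV4_PKT = bytes([0x45]) + bytes(19)   # minimal IPv4 header shape
IPV6_PKT = bytes([0x60]) + bytes(39)   # minimal IPv6 header shape

SAMPLE_PCAP = build_pcap([
    struct.pack("<I", AF_INET) + IPV4_PKT,   # loopback IPv4 on a little-endian host
    struct.pack("<I", 28) + IPV6_PKT,        # IPv6 with FreeBSD's AF_INET6
    bytes(4) + IPV6_PKT,                     # AF field rewritten to 0: needs the fallback
])

if __name__ == "__main__":
    for family, order in decode_null_pcap(SAMPLE_PCAP):
        print(family, order)
```

The fallback is deliberately last: the version nibble alone cannot distinguish a rewritten AF field from a genuinely corrupt frame, so a capture whose third column reads "unknown" for every record is the signal to look at whatever sits between the interface and the BPF tap.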

Bringing some sanity to IPv6 traffic (IETF Internet-Drafts)

2012-12-01 Thread Fernando Gont
Folks, FYI: * <http://tools.ietf.org/id/draft-ietf-6man-oversized-header-chain-02.txt> * <http://tools.ietf.org/id/draft-ietf-6man-nd-extension-headers-01.txt> P.S.: These two I-Ds have already been adopted by the 6man wg, and are close to publication as RFCs. Cheers,

Re: Problems with ephemeral port selection

2012-12-01 Thread Fernando Gont
Please take a look at the discussion on how to "steal" incoming connections in Section 3.1 of RFC 6056. Cheers,

Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts

2012-11-27 Thread Fernando Gont
r for road warriors sends a IPv6 prefix to be used on > OpenVPN as well as a IPv4 address. It works well. The questions is: what happens when under attack? (please see above) Cheers,

VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts

2012-11-27 Thread Fernando Gont
e they have some patches for some of these issues... Thanks,

Re: Default ephemeral port range

2012-11-13 Thread Fernando Gont
ommend that range. In RFC 6056 we recommend implementations to use the largest possible port range -- ideally 1024-65536. > Is there any particular reason > why net.inet.ip.portrange.first defaults to 1? Please see above. Cheers,

IPv6 stable privacy addresses (Fwd: I-D Action: draft-ietf-6man-stable-privacy-addresses-01.txt)

2012-10-09 Thread Fernando Gont
anced Addresses with IPv6 Stateless Address Autoconfiguration (SLAAC) Author(s) : Fernando Gont Filename: draft-ietf-6man-stable-privacy-addresses-01.txt Pages : 17 Date: 2012-10-07 Abstract: This document specifies a method for gener
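As an added example (my own code, not the draft's reference text or any kernel's implementation): the generation scheme from draft-ietf-6man-stable-privacy-addresses, published as RFC 7217. The Interface Identifier is computed as F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key) with a keyed hash, so the address is stable within a network but changes across networks, and DAD_Counter gives a retry path when DAD fails or the result lands in a reserved IID range. The choice of HMAC-SHA-256 as F, the encoding of the inputs, and IDGEN_RETRIES = 3 (the RFC's default) are assumptions of this example; the reserved IID ranges are those of RFC 5453 and the IANA registry.

```python
"""Stable, semantically opaque IPv6 interface identifiers (RFC 7217), as an example.

IID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key). The same inputs
always yield the same address (stability within a network); a different prefix
yields an unrelated IID (no cross-network tracking by a constant IID).
"""
import hashlib
import hmac
import ipaddress
from typing import Optional, Set

IDGEN_RETRIES = 3   # RFC 7217 default: how many further DAD_Counter values to try

# Reserved IIDs from RFC 5453 / IANA "Reserved IPv6 Interface Identifiers".
RESERVED_IID_RANGES = (
    (0x0000000000000000, 0x0000000000000000),  # Subnet-Router anycast (RFC 4291)
    (0x02005EFFFE000000, 0x02005EFFFE005212),  # Ethernet block (RFC 4291)
    (0x02005EFFFE005213, 0x02005EFFFE005213),  # Proxy Mobile IPv6 (RFC 6543)
    (0x02005EFFFE005214, 0x02005EFFFEFFFFFF),  # reserved by IANA
    (0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF),  # reserved subnet anycast (RFC 2526)
)


def is_reserved_iid(iid: int) -> bool:
    return any(lo <= iid <= hi for lo, hi in RESERVED_IID_RANGES)


def stable_iid(prefix: str, net_iface: str, network_id: str,
               dad_counter: int, secret_key: bytes) -> int:
    """F() from RFC 7217 section 5, instantiated here with HMAC-SHA-256 (an assumption).

    Net_Iface is a stable per-interface identifier (e.g. the interface name);
    Network_ID is optional extra context (e.g. an SSID) and may be empty."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("RFC 7217 IIDs are generated for /64 prefixes")
    # Length-prefixed fields so that no two input tuples share an encoding.
    fields = [net.network_address.packed[:8], net_iface.encode(), network_id.encode(),
              dad_counter.to_bytes(4, "big")]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    rid = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(rid[:8], "big")   # take 64 bits of the RID as the IID


def stable_address(prefix: str, net_iface: str, network_id: str, secret_key: bytes,
                   dad_failed: Optional[Set[str]] = None) -> Optional[ipaddress.IPv6Address]:
    """Produce the address for this prefix, skipping reserved IIDs and addresses for which
    DAD has already failed by incrementing DAD_Counter (RFC 7217 sections 5 and 6).

    Returns None once IDGEN_RETRIES retries are exhausted; the host then gets no
    stable address for this prefix from this scheme."""
    dad_failed = dad_failed or set()
    net = ipaddress.IPv6Network(prefix, strict=False)
    prefix_int = int(net.network_address) & ~((1 << 64) - 1)
    for dad_counter in range(IDGEN_RETRIES + 1):
        iid = stable_iid(prefix, net_iface, network_id, dad_counter, secret_key)
        if is_reserved_iid(iid):
            continue   # handled like a DAD failure: bump the counter and retry
        addr = ipaddress.IPv6Address(prefix_int | iid)
        if str(addr) in dad_failed:
            continue
        return addr
    return None


if __name__ == "__main__":
    key = bytes(16)   # constructed key; a real host uses a random per-host secret
    home = stable_address("2001:db8:1::/64", "em0", "home-wifi", key)
    work = stable_address("2001:db8:2::/64", "em0", "office", key)
    print("home:", home)
    print("work:", work)
    print("same again:", stable_address("2001:db8:1::/64", "em0", "home-wifi", key) == home)
```

The secret_key is what makes the IID opaque: without it, an observer who knows the prefix and interface name could recompute the identifier, so it must be generated from a good random source at install time and kept in the host's configuration rather than derived from anything public.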

Re: IPv6 toolkit v1.2

2012-07-15 Thread Fernando Gont
since it contains a number of fixes. Thanks! Best regards,

IPv6 toolkit v1.2

2012-07-15 Thread Fernando Gont
be employed to play with IPv6 address resolution, SLAAC, etc. Thanks,

Re: ICMP attacks against TCP and PMTUD

2012-01-14 Thread Fernando Gont
enerates a lot of traffic. > The retransmits are roughly ~300-500 byte packets. Can you post a packet trace (tcpdump's packet decode output), or send me the trace or pcap files to me off-list, so that I can take a look and comment? Thanks! Best regards,

Re: IPv6 Redirects & local destinations

2011-10-20 Thread Fernando Gont
behavior >> intentional? (If so, what's the rationale?) > > It's kern/152791, isn't it? Yep, it seems it is. -- The fix would be that when an ICMPv6 Redirect is received with RD Target == RD Destination, not only is an entry created in the Neighbor Cache, but a host-route

IPv6 Redirects & local destinations

2011-10-20 Thread Fernando Gont
Redirect Destination. Should I report this as a bug, or is this (non-rfc-compliant) behavior intentional? (If so, what's the rationale?) Thanks! Best regards,

Re: Proposed patch for Port Randomization modifications according to RFC6056

2011-02-27 Thread Fernando Gont
is there any reason not to make it 4? Not at all. Algorithm 4 (double-hash) is the best option, IMO. Thanks! Best regards,
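As an added example (my own code, not the FreeBSD patch under discussion): RFC 6056's Algorithm 4, the double-hash port selection this reply recommends, written in Python so it can be run and inspected in user space. F() and G() are instantiated with HMAC-SHA-256 over the (local IP, remote IP, remote port) tuple, a choice the RFC leaves to the implementer; the range is the 1024-65535 recommended elsewhere in this list, the table has TABLE_LENGTH = 10 entries as in the RFC's sketch, and the search is bounded by the size of the range so that a fully used range returns an error instead of spinning. in_use() stands in for the kernel's PCB lookup.

```python
"""RFC 6056 Algorithm 4: double-hash ephemeral port selection, modelled in user space.

Example code for this page; not the FreeBSD patch or kernel code. The per-destination
offset F() hides the port sequence from off-path attackers, while the table[] counter
indexed by G() keeps successive ports to the same destination from colliding.
"""
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

MIN_EPHEMERAL = 1024
MAX_EPHEMERAL = 65535
NUM_EPHEMERAL = MAX_EPHEMERAL - MIN_EPHEMERAL + 1
TABLE_LENGTH = 10

Endpoint = Tuple[str, str, int]   # (local_ip, remote_ip, remote_port)


class DoubleHashPortSelector:
    def __init__(self, secret_key1: bytes, secret_key2: bytes,
                 table: Optional[List[int]] = None) -> None:
        self.key1 = secret_key1
        self.key2 = secret_key2
        # table[] starts at random values so its state is not predictable at boot
        self.table = list(table) if table is not None else [
            int.from_bytes(os.urandom(2), "big") for _ in range(TABLE_LENGTH)]

    @staticmethod
    def _keyed_hash(key: bytes, endpoint: Endpoint) -> int:
        local_ip, remote_ip, remote_port = endpoint
        msg = f"{local_ip}|{remote_ip}|{remote_port}".encode()
        return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")

    def select(self, endpoint: Endpoint, in_use: Callable[[int], bool]) -> Optional[int]:
        """Pick an ephemeral port for endpoint, or None if every port in range is busy."""
        offset = self._keyed_hash(self.key1, endpoint)                   # F()
        index = self._keyed_hash(self.key2, endpoint) % len(self.table)  # G()
        count = NUM_EPHEMERAL   # at most one full pass over the range
        while count > 0:
            port = MIN_EPHEMERAL + (offset + self.table[index]) % NUM_EPHEMERAL
            self.table[index] += 1   # advance only this destination's slot
            if not in_use(port):
                return port
            count -= 1
        return None


if __name__ == "__main__":
    sel = DoubleHashPortSelector(os.urandom(16), os.urandom(16))
    busy = set()
    dst = ("192.0.2.10", "198.51.100.7", 443)   # constructed addresses (RFC 5737 ranges)
    for _ in range(5):
        p = sel.select(dst, busy.__contains__)
        busy.add(p)
        print("selected", p)
```

Run it to watch the ports handed out to one destination step through the range from a destination-specific starting point; a second destination would start somewhere unrelated and, unless G() maps it to the same table slot, not disturb the first one's sequence.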

Re: Proposed patch for Port Randomization modifications according to RFC6056

2011-02-27 Thread Fernando Gont
ed than I to comment on the style of the > patch, but it applies cleanly, and seems to run fine on both v4 and v6. Has this been committed to the tree, already? -- If so, what's the default algorithm? Thanks! Best regards,

Re: Proposed patch for Port Randomization modifications according to RFC6056

2011-01-26 Thread Fernando Gont
stablished at a high rate). As a datapoint, Linux ships with Algorithm #4 enabled by default. Thanks! Best regards,

Re: IPv6 and Anycast

2010-06-28 Thread Fernando Gont
Hi, Paul, > I was wondering if someone knew if FreeBSD supports the creation of > anycast addresses and groups. Anycast is a routing artifact. There's nothing (syntactically) special about anycast when compared to unicast addresses. Thanks! Kind regards,

Extended SYN cookies

2010-06-22 Thread Fernando Gont
iginal SYN was accepted, the connection is established. The second > * SYN is inflight, and if it arrives with an ISN that falls within the > * receive window, the connection is killed. What do you mean by "recreated", specifically? Thanks! Kind regards,

Re: Request for feedback on TCP security (IETF effort)

2010-03-08 Thread Fernando Gont
ised to see that thread posted here ... > > -- Qing > > >> -Original Message- >> From: owner-freebsd-...@freebsd.org [mailto:owner-freebsd- >> n...@freebsd.org] On Behalf Of Fernando Gont >> Sent: Thursday, March 04, 2010 7:08 PM >> To: freebsd-net@freebsd.o

Request for feedback on TCP security (IETF effort)

2010-03-04 Thread Fernando Gont
, if you prefer. Thanks! Kind regards,

Re: Processing IPv6 Router Advertisements

2010-02-04 Thread Fernando Gont
"be liberal in > what you accept", but, as you probably know, it shouldn't cause any > interoperability trouble in practice. Agreed. Thanks again! Kind regards,

Re: Processing IPv6 Router Advertisements

2010-01-19 Thread Fernando Gont
local, > or is this a manually configured link-local situation ? I'm just playing with a RouterAdvertisement forging tool I just built. I've checked the on-the-wire packets, and they seem to be correct. :-( Thanks,

Processing IPv6 Router Advertisements

2010-01-19 Thread Fernando Gont
ts of the IPv6 Source address must be fe80:, or else the message is dropped (at least, no changes are made to the destination cache or the neighbor cache). Can anybody confirm this one, or correct me if I am wrong? Thanks! Kind regards,

Security Assessment of the Transmission Control Protocol (TCP)

2009-02-13 Thread Fernando Gont
eb-09-security-assessment-TCP.aspx Additionally, I have posted a copy of the document on my personal web site: http://www.gont.com.ar Any comments will be more than welcome. Kind regards,

Re: Ephemeral port range (patch)

2008-03-03 Thread Fernando Gont
sh time would be nice to remove if you're investigating the related issues. Ok. One thing you may or may not have noticed is that FreeBSD keeps TIME_WAIT sockets in a separate zone which has a limit size, so you will not have to worry too much about them clogging up all ephemeral

Re: Ephemeral ports patch (fixed)

2008-03-03 Thread Fernando Gont
fixed this in the patch itself, but then undid that change when I changed the first ephemeral port from 1024 to 1. This one should be fine. :-) Kind regards,

Re: Ephemeral port range (patch)

2008-03-03 Thread Fernando Gont
utgoing connections to about (ephemeral_ports/TIME_WAIT). Any objections against changing this? At least for outgoing connections (i.e., non-listening sockets), this shouldn't be the case. I'd be interested in working on this issue... Kind regards,

Re: Ephemeral ports patch (fixed)

2008-03-03 Thread Fernando Gont
ng that I can't apply it. I think all the whitespace got stomped, either by your mail program or my mail program. Can you please resent this as an attachment? Sure. Please let me know if this one is okay. Kind regards,

Re: Ephemeral port range (patch)

2008-03-02 Thread Fernando Gont
eral ports. So unless you're tweaking the configuration of each of the systems you have behind the NAT, I'm afraid you won't be able to implement such a policy. FWIW, Windows used the range 1024-4999 or something... at least W95 and XP. Vista probably still does the same thing. Kin

Ephemeral ports patch (fixed)

2008-03-02 Thread Fernando Gont
if (*lastport < first || *lastport > last) + *lastport = first; + lport = htons(*lastport); + } while (in_pcblookup_local(pcbinfo, laddr, lport, + wild)); } if (prison_ip(cred, 0, &laddr.s_addr)) retur
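Review bot: the do/while visible in this hunk exits only when in_pcblookup_local() reports the port free; nothing in the visible lines bounds the number of iterations, so if every port in [first, last] is bound the loop spins forever in the kernel. Keep a counter of last - first + 1 attempts that decrements on every pass and fail the bind with EADDRNOTAVAIL when it reaches zero, which is also what RFC 6056's reference algorithms do with their count variable; if that counter lives in the lines cut off above this fragment, a comment at the while () condition saying so would help the next reader.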

Re: Ephemeral port range (patch)

2008-03-01 Thread Fernando Gont
ection algorithm described in the draft (this is, IMHO, the right approach to ephemeral port randomization) Kind regards,

Ephemeral port range (patch)

2008-03-01 Thread Fernando Gont
addr.s_addr)) return (EINVAL); Kind regards, -- Fernando Gont e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED] PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 ___ freebsd-net@freebsd.org mailing list http://lists.f

Ephemeral port selection (patch)

2008-02-25 Thread Fernando Gont
*lastport = first; + lport = htons(*lastport); + } while (in_pcblookup_local(pcbinfo, laddr, lport, + wild)); } if (prison_ip(cred, 0, &laddr.s_addr)) return (EINVAL); -- Fernando Gont e

Ephemeral port selection

2007-02-12 Thread Fernando Gont
roposed changes (extending the port range and possibly implementing the RFC1948-like scheme for ephemeral port selection). Any comments will be more than welcome. Thanks,

Re: UDP lite for FreeBSD

2006-12-21 Thread Fernando Gont
CCR) in which they show errors that, IIRC, were not caught by the CRC, but *were* caught by the checksum. Kindest regards,

Re: tcp_notify() and the connection establishment timer

2004-10-21 Thread Fernando Gont
ction-establishment timer should be set to a larger value, or else fewer retransmissions and fewer ICMP errors should be required to abort a connection. If you have a copy of Stevens' TCPv2 at hand, there's a diagram on page 828 that shows this. The 75-second timer w

tcp_notify() and the connection establishment timer

2004-10-21 Thread Fernando Gont
educed to such a value that, in that case, this code would kick in before the 75-second connection-establishment timer? Thanks!

Re: SYN flood and IP spoofing

2001-10-21 Thread Fernando Gont
used to stop emitting >packets by filling their SYN queue; I'm not sure when that stopped applying. Well, that's the point of my question: is there any reason for the stacks to behave like that? Kind regards, Fernando Gont

SYN flood and IP spoofing

2001-10-20 Thread Fernando Gont
for a new connection. But, why doesn't it reply a SYN/ACK with a RST, if it DOES KNOW that that segment doesn't correspond to any current connection? Kind regards, Fernando Gont