On Sun, Jul 02, 2017 at 06:04:30PM +0000, Florian Obser wrote:
> > It'd be nice if somebody could tell us what the RFCs say about this
> > case. Florian do you have an idea? Should we fix something or should
> > Marc tell his provider to fix his setup?
>
> this was introduced by claudio@ in rev. 1.53 of nd6_nbr.c:
>
> If a neighbor solicitation isn't from the unspecified address, make sure
> that the source address matches one of the interfaces address prefixes.
> From NetBSD, tested by todd@ and naddy@
>
>
> netbsd added this in their rev 1.89 and 1.90:
>
> If a neighbor solicitation isn't from the unspecified address, make sure
> that the source address matches one of the interfaces address prefixes.
>
> and:
> Generalize previous fix so that both NS and NA packets are checked.
>
> However, I don't get why. Other than being extra paranoia defending
> against a misbehaving router maybe? We already check a hop limit of
> 255, so the packet had to be generated on-link and not forwarded by a
> router.
>
This discussion reminded me of a similar thread a few years back:
http://marc.info/?l=openbsd-misc&m=136057739111931&w=2

It among other things brings up CVE-2008-2476. Maybe some of it is
relevant now as well?

-- 
Patrik Lundin
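The two checks discussed in this thread, as an added C example that is not part of the original message and is not OpenBSD or NetBSD source: a hop limit of 255, and a source address that is either unspecified or inside one of the interface's prefixes. The `struct prefix` type, `ns_accept`, `sample_pfx` and all addresses are constructed for illustration.

```c
/* Added illustration; not taken from nd6_nbr.c. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>

struct prefix { const char *addr; int len; };    /* hypothetical helper type */

/* Constructed sample: prefixes configured on the receiving interface. */
static const struct prefix sample_pfx[] = {
    { "fe80::", 64 }, { "2001:db8:1::", 64 },
};

/* Return 1 if the first plen bits of a and b are equal. */
static int prefix_match(const struct in6_addr *a, const struct in6_addr *b,
                        int plen)
{
    int full = plen / 8, rem = plen % 8;
    unsigned char mask;

    if (memcmp(a->s6_addr, b->s6_addr, (size_t)full) != 0)
        return 0;
    if (rem == 0)
        return 1;
    mask = (unsigned char)(0xff << (8 - rem));
    return (a->s6_addr[full] & mask) == (b->s6_addr[full] & mask);
}

/* Decide whether a neighbor solicitation is accepted: 1 = accept, 0 = drop. */
int ns_accept(const char *src, int hlim, const struct prefix *pfx, int npfx)
{
    static const struct in6_addr unspec;         /* all zeroes, i.e. "::" */
    struct in6_addr s, p;
    int i;

    if (hlim != 255)                             /* was forwarded by a router */
        return 0;
    if (inet_pton(AF_INET6, src, &s) != 1)       /* unparsable source */
        return 0;
    if (memcmp(&s, &unspec, sizeof(s)) == 0)     /* unspecified source is exempt */
        return 1;
    for (i = 0; i < npfx; i++)                   /* source must match a prefix */
        if (inet_pton(AF_INET6, pfx[i].addr, &p) == 1 &&
            prefix_match(&s, &p, pfx[i].len))
            return 1;
    return 0;
}
```

With `sample_pfx`, a solicitation from 2001:db8:2::1 with hop limit 255 passes the hop-limit test but is dropped by the prefix test, which is the case the thread is about.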
