[Touch-packages] [Bug 1796622] Re: NetworkManager IPv6 DAD lifetime behavior introduce security risk
SRUing the newer version failed since it changed behaviour in some configuration which created issue for existing users. There isn't anyone currently working on resolving those issues so it's more realistic to untarget from Bionic. If the problem really needs to be resolved in that serie best to go through the rls-bb-incoming nomination process again. ** Changed in: network-manager (Ubuntu Cosmic) Status: New => Won't Fix ** Changed in: network-manager (Ubuntu Cosmic) Assignee: Till Kamppeter (till-kamppeter) => (unassigned) ** Changed in: network-manager (Ubuntu Bionic) Status: Fix Committed => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1796622 Title: NetworkManager IPv6 DAD lifetime behavior introduce security risk Status in network-manager package in Ubuntu: Fix Released Status in network-manager source package in Bionic: Won't Fix Status in network-manager source package in Cosmic: Won't Fix Status in network-manager source package in Disco: Fix Released Bug description: Description: When performing IPv6 certification test, two DAD test cases (3.2.5c and d) check the remaining lifetime feature of the IPv6 packets. The Network trace shows that the remaining lifetime becomes infinite when running these test cases. Hence when running in IPv6 environment with Network Manager enabled, there is a risk of packets travelling in network which has valid lifetime always. If these packets are snooped by a hacker he can reply to these packets and they can send legitimate packets which are actually not. According to https://tools.ietf.org/search/rfc4862, page 19: "The above rules address a specific denial-of-service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes. Without the above rules, a single unauthenticated advertisement containing bogus Prefix Information options with short Valid Lifetimes could cause all of a node's addresses to expire prematurely. The above rules ensure that legitimate advertisements (which are sent periodically) will "cancel" the short Valid Lifetimes before they actually take effect." Other notes: - 2 test cases pass without NetworkManager. - Tested with different Linux Desktop Distributions, as long as NetworkManager is running, those DAD test cases fail. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1796622/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1796622] Re: NetworkManager IPv6 DAD lifetime behavior introduce security risk
** Changed in: network-manager (Ubuntu Cosmic) Assignee: (unassigned) => Till Kamppeter (till-kamppeter) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1796622 Title: NetworkManager IPv6 DAD lifetime behavior introduce security risk Status in network-manager package in Ubuntu: Fix Released Status in network-manager source package in Bionic: Fix Committed Status in network-manager source package in Cosmic: New Status in network-manager source package in Disco: Fix Released Bug description: Description: When performing IPv6 certification test, two DAD test cases (3.2.5c and d) check the remaining lifetime feature of the IPv6 packets. The Network trace shows that the remaining lifetime becomes infinite when running these test cases. Hence when running in IPv6 environment with Network Manager enabled, there is a risk of packets travelling in network which has valid lifetime always. If these packets are snooped by a hacker he can reply to these packets and they can send legitimate packets which are actually not. According to https://tools.ietf.org/search/rfc4862, page 19: "The above rules address a specific denial-of-service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes. Without the above rules, a single unauthenticated advertisement containing bogus Prefix Information options with short Valid Lifetimes could cause all of a node's addresses to expire prematurely. The above rules ensure that legitimate advertisements (which are sent periodically) will "cancel" the short Valid Lifetimes before they actually take effect." Other notes: - 2 test cases pass without NetworkManager. - Tested with different Linux Desktop Distributions, as long as NetworkManager is running, those DAD test cases fail. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1796622/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1796622] Re: NetworkManager IPv6 DAD lifetime behavior introduce security risk
The bionic fix is included in the upstream 1.10.14 release: https://launchpad.net/ubuntu/+source/network-manager/1.10.14-0ubuntu1 1.12.6 has the fix for cosmic. ** Changed in: network-manager (Ubuntu Cosmic) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1796622 Title: NetworkManager IPv6 DAD lifetime behavior introduce security risk Status in network-manager package in Ubuntu: Fix Released Status in network-manager source package in Bionic: Fix Committed Status in network-manager source package in Cosmic: New Status in network-manager source package in Disco: Fix Released Bug description: Description: When performing IPv6 certification test, two DAD test cases (3.2.5c and d) check the remaining lifetime feature of the IPv6 packets. The Network trace shows that the remaining lifetime becomes infinite when running these test cases. Hence when running in IPv6 environment with Network Manager enabled, there is a risk of packets travelling in network which has valid lifetime always. If these packets are snooped by a hacker he can reply to these packets and they can send legitimate packets which are actually not. According to https://tools.ietf.org/search/rfc4862, page 19: "The above rules address a specific denial-of-service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes. Without the above rules, a single unauthenticated advertisement containing bogus Prefix Information options with short Valid Lifetimes could cause all of a node's addresses to expire prematurely. The above rules ensure that legitimate advertisements (which are sent periodically) will "cancel" the short Valid Lifetimes before they actually take effect." Other notes: - 2 test cases pass without NetworkManager. - Tested with different Linux Desktop Distributions, as long as NetworkManager is running, those DAD test cases fail. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1796622/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1796622] Re: NetworkManager IPv6 DAD lifetime behavior introduce security risk
This is fixed in Disco; I opened Bionic and Cosmic tasks since the bug needs to be open in some way for it to be tracked. ** Changed in: network-manager (Ubuntu Disco) Status: Fix Committed => Fix Released ** Also affects: network-manager (Ubuntu Cosmic) Importance: Undecided Status: New ** Also affects: network-manager (Ubuntu Bionic) Importance: Undecided Status: New ** Changed in: network-manager (Ubuntu Bionic) Status: New => Fix Committed ** Changed in: network-manager (Ubuntu Bionic) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1796622 Title: NetworkManager IPv6 DAD lifetime behavior introduce security risk Status in network-manager package in Ubuntu: Fix Released Status in network-manager source package in Bionic: Fix Committed Status in network-manager source package in Cosmic: New Status in network-manager source package in Disco: Fix Released Bug description: Description: When performing IPv6 certification test, two DAD test cases (3.2.5c and d) check the remaining lifetime feature of the IPv6 packets. The Network trace shows that the remaining lifetime becomes infinite when running these test cases. Hence when running in IPv6 environment with Network Manager enabled, there is a risk of packets travelling in network which has valid lifetime always. If these packets are snooped by a hacker he can reply to these packets and they can send legitimate packets which are actually not. According to https://tools.ietf.org/search/rfc4862, page 19: "The above rules address a specific denial-of-service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes. Without the above rules, a single unauthenticated advertisement containing bogus Prefix Information options with short Valid Lifetimes could cause all of a node's addresses to expire prematurely. The above rules ensure that legitimate advertisements (which are sent periodically) will "cancel" the short Valid Lifetimes before they actually take effect." Other notes: - 2 test cases pass without NetworkManager. - Tested with different Linux Desktop Distributions, as long as NetworkManager is running, those DAD test cases fail. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1796622/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1796622] Re: NetworkManager IPv6 DAD lifetime behavior introduce security risk
The issue was fixed in 1.12.6 which has been uploaded to disco, https://launchpad.net/ubuntu/+source/network-manager/1.12.6-0ubuntu1 ** Changed in: network-manager (Ubuntu Disco) Status: New => Fix Committed ** Changed in: network-manager (Ubuntu Disco) Assignee: Andrea Azzarone (azzar1) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1796622 Title: NetworkManager IPv6 DAD lifetime behavior introduce security risk Status in network-manager package in Ubuntu: Fix Committed Status in network-manager source package in Disco: Fix Committed Bug description: Description: When performing IPv6 certification test, two DAD test cases (3.2.5c and d) check the remaining lifetime feature of the IPv6 packets. The Network trace shows that the remaining lifetime becomes infinite when running these test cases. Hence when running in IPv6 environment with Network Manager enabled, there is a risk of packets travelling in network which has valid lifetime always. If these packets are snooped by a hacker he can reply to these packets and they can send legitimate packets which are actually not. According to https://tools.ietf.org/search/rfc4862, page 19: "The above rules address a specific denial-of-service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes. Without the above rules, a single unauthenticated advertisement containing bogus Prefix Information options with short Valid Lifetimes could cause all of a node's addresses to expire prematurely. The above rules ensure that legitimate advertisements (which are sent periodically) will "cancel" the short Valid Lifetimes before they actually take effect." Other notes: - 2 test cases pass without NetworkManager. - Tested with different Linux Desktop Distributions, as long as NetworkManager is running, those DAD test cases fail. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1796622/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1796622] Re: NetworkManager IPv6 DAD lifetime behavior introduce security risk
** Changed in: network-manager (Ubuntu Disco) Importance: Undecided => High ** Changed in: network-manager (Ubuntu Disco) Assignee: (unassigned) => Andrea Azzarone (azzar1) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1796622 Title: NetworkManager IPv6 DAD lifetime behavior introduce security risk Status in network-manager package in Ubuntu: Confirmed Status in network-manager source package in Disco: New Bug description: Description: When performing IPv6 certification test, two DAD test cases (3.2.5c and d) check the remaining lifetime feature of the IPv6 packets. The Network trace shows that the remaining lifetime becomes infinite when running these test cases. Hence when running in IPv6 environment with Network Manager enabled, there is a risk of packets travelling in network which has valid lifetime always. If these packets are snooped by a hacker he can reply to these packets and they can send legitimate packets which are actually not. According to https://tools.ietf.org/search/rfc4862, page 19: "The above rules address a specific denial-of-service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes. Without the above rules, a single unauthenticated advertisement containing bogus Prefix Information options with short Valid Lifetimes could cause all of a node's addresses to expire prematurely. The above rules ensure that legitimate advertisements (which are sent periodically) will "cancel" the short Valid Lifetimes before they actually take effect." Other notes: - 2 test cases pass without NetworkManager. - Tested with different Linux Desktop Distributions, as long as NetworkManager is running, those DAD test cases fail. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1796622/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1796622] Re: NetworkManager IPv6 DAD lifetime behavior introduce security risk
It should be yes, but I'd like to look at the changes needed before going any further. Looking at the diff, it doesnt look too bad for the current version on n-m. With some luck it will be backported by upstream, if not we'll take a look. Release of Cosmic is next week, so I dont think this will get any traction until that's out the door, but then we will get on the case. ** Changed in: network-manager (Ubuntu) Status: New => Confirmed ** Changed in: network-manager (Ubuntu) Importance: Undecided => Medium ** Also affects: network-manager (Ubuntu Dd-series) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1796622 Title: NetworkManager IPv6 DAD lifetime behavior introduce security risk Status in network-manager package in Ubuntu: Confirmed Status in network-manager source package in DD-Series: New Bug description: Description: When performing IPv6 certification test, two DAD test cases (3.2.5c and d) check the remaining lifetime feature of the IPv6 packets. The Network trace shows that the remaining lifetime becomes infinite when running these test cases. Hence when running in IPv6 environment with Network Manager enabled, there is a risk of packets travelling in network which has valid lifetime always. If these packets are snooped by a hacker he can reply to these packets and they can send legitimate packets which are actually not. According to https://tools.ietf.org/search/rfc4862, page 19: "The above rules address a specific denial-of-service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes. Without the above rules, a single unauthenticated advertisement containing bogus Prefix Information options with short Valid Lifetimes could cause all of a node's addresses to expire prematurely. The above rules ensure that legitimate advertisements (which are sent periodically) will "cancel" the short Valid Lifetimes before they actually take effect." Other notes: - 2 test cases pass without NetworkManager. - Tested with different Linux Desktop Distributions, as long as NetworkManager is running, those DAD test cases fail. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1796622/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1796622] Re: NetworkManager IPv6 DAD lifetime behavior introduce security risk
Thank you Will! We are running Ubuntu 16.04 with network-manager version 1.2.6, that will be fixed too? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1796622 Title: NetworkManager IPv6 DAD lifetime behavior introduce security risk Status in network-manager package in Ubuntu: New Bug description: Description: When performing IPv6 certification test, two DAD test cases (3.2.5c and d) check the remaining lifetime feature of the IPv6 packets. The Network trace shows that the remaining lifetime becomes infinite when running these test cases. Hence when running in IPv6 environment with Network Manager enabled, there is a risk of packets travelling in network which has valid lifetime always. If these packets are snooped by a hacker he can reply to these packets and they can send legitimate packets which are actually not. According to https://tools.ietf.org/search/rfc4862, page 19: "The above rules address a specific denial-of-service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes. Without the above rules, a single unauthenticated advertisement containing bogus Prefix Information options with short Valid Lifetimes could cause all of a node's addresses to expire prematurely. The above rules ensure that legitimate advertisements (which are sent periodically) will "cancel" the short Valid Lifetimes before they actually take effect." Other notes: - 2 test cases pass without NetworkManager. - Tested with different Linux Desktop Distributions, as long as NetworkManager is running, those DAD test cases fail. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1796622/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1796622] Re: NetworkManager IPv6 DAD lifetime behavior introduce security risk
Investigation found that DAD timeout for IPv6 seems to be not implemented for network manager [1]. And only support up to IPv4. It looks like a limitation but couldn't find any writing confirmation for this limitation. [1] https://developer.gnome.org/NetworkManager/stable/settings-ipv6.html -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1796622 Title: NetworkManager IPv6 DAD lifetime behavior introduce security risk Status in network-manager package in Ubuntu: New Bug description: Description: When performing IPv6 certification test, two DAD test cases (3.2.5c and d) check the remaining lifetime feature of the IPv6 packets. The Network trace shows that the remaining lifetime becomes infinite when running these test cases. Hence when running in IPv6 environment with Network Manager enabled, there is a risk of packets travelling in network which has valid lifetime always. If these packets are snooped by a hacker he can reply to these packets and they can send legitimate packets which are actually not. According to https://tools.ietf.org/search/rfc4862, page 19: "The above rules address a specific denial-of-service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes. Without the above rules, a single unauthenticated advertisement containing bogus Prefix Information options with short Valid Lifetimes could cause all of a node's addresses to expire prematurely. The above rules ensure that legitimate advertisements (which are sent periodically) will "cancel" the short Valid Lifetimes before they actually take effect." Other notes: - 2 test cases pass without NetworkManager. - Tested with different Linux Desktop Distributions, as long as NetworkManager is running, those DAD test cases fail. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1796622/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1796622] Re: NetworkManager IPv6 DAD lifetime behavior introduce security risk
Upstream fix: https://github.com/NetworkManager/NetworkManager/pull/228 This will be ported to all supported releases soon, so we should be able to pick that up easily enough. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1796622 Title: NetworkManager IPv6 DAD lifetime behavior introduce security risk Status in network-manager package in Ubuntu: New Bug description: Description: When performing IPv6 certification test, two DAD test cases (3.2.5c and d) check the remaining lifetime feature of the IPv6 packets. The Network trace shows that the remaining lifetime becomes infinite when running these test cases. Hence when running in IPv6 environment with Network Manager enabled, there is a risk of packets travelling in network which has valid lifetime always. If these packets are snooped by a hacker he can reply to these packets and they can send legitimate packets which are actually not. According to https://tools.ietf.org/search/rfc4862, page 19: "The above rules address a specific denial-of-service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes. Without the above rules, a single unauthenticated advertisement containing bogus Prefix Information options with short Valid Lifetimes could cause all of a node's addresses to expire prematurely. The above rules ensure that legitimate advertisements (which are sent periodically) will "cancel" the short Valid Lifetimes before they actually take effect." Other notes: - 2 test cases pass without NetworkManager. - Tested with different Linux Desktop Distributions, as long as NetworkManager is running, those DAD test cases fail. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1796622/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1796622] Re: NetworkManager IPv6 DAD lifetime behavior introduce security risk
Upstream issue reported: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/57 Thanks for looking into it. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1796622 Title: NetworkManager IPv6 DAD lifetime behavior introduce security risk Status in network-manager package in Ubuntu: New Bug description: Description: When performing IPv6 certification test, two DAD test cases (3.2.5c and d) check the remaining lifetime feature of the IPv6 packets. The Network trace shows that the remaining lifetime becomes infinite when running these test cases. Hence when running in IPv6 environment with Network Manager enabled, there is a risk of packets travelling in network which has valid lifetime always. If these packets are snooped by a hacker he can reply to these packets and they can send legitimate packets which are actually not. According to https://tools.ietf.org/search/rfc4862, page 19: "The above rules address a specific denial-of-service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes. Without the above rules, a single unauthenticated advertisement containing bogus Prefix Information options with short Valid Lifetimes could cause all of a node's addresses to expire prematurely. The above rules ensure that legitimate advertisements (which are sent periodically) will "cancel" the short Valid Lifetimes before they actually take effect." Other notes: - 2 test cases pass without NetworkManager. - Tested with different Linux Desktop Distributions, as long as NetworkManager is running, those DAD test cases fail. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1796622/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1796622] Re: NetworkManager IPv6 DAD lifetime behavior introduce security risk
Spoke to upstream. They will look in to this and get it fixed. I've asked David to log it upstream and we can link to that here. We should look at backport the fixes and SRUing to Bionic. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1796622 Title: NetworkManager IPv6 DAD lifetime behavior introduce security risk Status in network-manager package in Ubuntu: New Bug description: Description: When performing IPv6 certification test, two DAD test cases (3.2.5c and d) check the remaining lifetime feature of the IPv6 packets. The Network trace shows that the remaining lifetime becomes infinite when running these test cases. Hence when running in IPv6 environment with Network Manager enabled, there is a risk of packets travelling in network which has valid lifetime always. If these packets are snooped by a hacker he can reply to these packets and they can send legitimate packets which are actually not. According to https://tools.ietf.org/search/rfc4862, page 19: "The above rules address a specific denial-of-service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes. Without the above rules, a single unauthenticated advertisement containing bogus Prefix Information options with short Valid Lifetimes could cause all of a node's addresses to expire prematurely. The above rules ensure that legitimate advertisements (which are sent periodically) will "cancel" the short Valid Lifetimes before they actually take effect." Other notes: - 2 test cases pass without NetworkManager. - Tested with different Linux Desktop Distributions, as long as NetworkManager is running, those DAD test cases fail. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1796622/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1796622] Re: NetworkManager IPv6 DAD lifetime behavior introduce security risk
Hi Bryan, Here is the information for those 2 cases: v6LC_3_2_4_C - Prefix Lifetime less than the Remaining Lifetime and the Remaining Lifetime is less than 2 hours http://fnet.sourceforge.net/ip6_tests/Self_Test_5-0-0/addr.p2/v6LC_3_2_4_C.html RA_gt2lt2 - Prefix Lifetime less than 2 hours and the Remaining Lifetime is greater than 2 hours http://fnet.sourceforge.net/ip6_tests/Self_Test_5-0-0/addr.p2/RA_gt2lt2.html I think I chose private by mistake, and I have changed it to public. I haven't reported it to other Linux distro or network-manager upstream. If doing so can get more visibility, I will do it. Thanks and Regards, -David -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1796622 Title: NetworkManager IPv6 DAD lifetime behavior introduce security risk Status in network-manager package in Ubuntu: New Bug description: Description: When performing IPv6 certification test, two DAD test cases (3.2.5c and d) check the remaining lifetime feature of the IPv6 packets. The Network trace shows that the remaining lifetime becomes infinite when running these test cases. Hence when running in IPv6 environment with Network Manager enabled, there is a risk of packets travelling in network which has valid lifetime always. If these packets are snooped by a hacker he can reply to these packets and they can send legitimate packets which are actually not. According to https://tools.ietf.org/search/rfc4862, page 19: "The above rules address a specific denial-of-service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes. Without the above rules, a single unauthenticated advertisement containing bogus Prefix Information options with short Valid Lifetimes could cause all of a node's addresses to expire prematurely. The above rules ensure that legitimate advertisements (which are sent periodically) will "cancel" the short Valid Lifetimes before they actually take effect." Other notes: - 2 test cases pass without NetworkManager. - Tested with different Linux Desktop Distributions, as long as NetworkManager is running, those DAD test cases fail. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1796622/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1796622] Re: NetworkManager IPv6 DAD lifetime behavior introduce security risk
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1796622 Title: NetworkManager IPv6 DAD lifetime behavior introduce security risk Status in network-manager package in Ubuntu: New Bug description: Description: When performing IPv6 certification test, two DAD test cases (3.2.5c and d) check the remaining lifetime feature of the IPv6 packets. The Network trace shows that the remaining lifetime becomes infinite when running these test cases. Hence when running in IPv6 environment with Network Manager enabled, there is a risk of packets travelling in network which has valid lifetime always. If these packets are snooped by a hacker he can reply to these packets and they can send legitimate packets which are actually not. According to https://tools.ietf.org/search/rfc4862, page 19: "The above rules address a specific denial-of-service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes. Without the above rules, a single unauthenticated advertisement containing bogus Prefix Information options with short Valid Lifetimes could cause all of a node's addresses to expire prematurely. The above rules ensure that legitimate advertisements (which are sent periodically) will "cancel" the short Valid Lifetimes before they actually take effect." Other notes: - 2 test cases pass without NetworkManager. - Tested with different Linux Desktop Distributions, as long as NetworkManager is running, those DAD test cases fail. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1796622/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
