Re: FreeBSD Security Advisory FreeBSD-SA-07:03.ipv6



On Sunday, 29. April 2007, Eugene Grosbein wrote:
> On Sat, Apr 28, 2007 at 05:34:33PM -0400, Peter Thoenen wrote:
> > Umm maybe it's just me but I fail to see why this is a security advisory
> > (initially caught this on the OBSD list). You are following the RFC ..
> > if you don't like "evil" packets, then drop them at the firewall or
> > router layer ... don't see the need for an OS fix.
>
> A design flaw in the RFC may still be a security vulnerability, might it not?

The last "fix" for an IPv6 design flaw contributed by OpenBSD (disable
IPv4-mapped IPv6 addresses by default) caused rather unpleasant side-effects
in a number of applications. Will this change have similar effects? I've
gathered by now that in OpenBSD there is little concern for such things.

--
,_, | Michael Nottebrock | lofi@xxxxxxxxxxx
(/^ ^\) | FreeBSD - The Power to Serve | http://www.freebsd.org
\u/ | K Desktop Environment on FreeBSD | http://freebsd.kde.org
