Re: FreeBSD Security Advisory FreeBSD-SA-07:03.ipv6



On Mon, Apr 30, 2007 at 09:15:42PM +0200, Michael Nottebrock wrote:
> On Sunday, 29. April 2007, Eugene Grosbein wrote:
> > On Sat, Apr 28, 2007 at 05:34:33PM -0400, Peter Thoenen wrote:
> > > Umm maybe it's just but I fail to see why this is a security advisory
> > > (initially caught this on the OBSD list). You are following the RFC ..
> > > if you don't like "evil" packets, then drop them at the firewall or
> > > router layer ... don't see the need for an OS fix.
> >
> > Design flaw in the RFC still may be a security vulnerability, doesn't it?
>
> The last "fix" for an IPv6 design flaw contributed by OpenBSD (disable
> IPv4-mapped IPv6 addresses by default) caused rather unpleasant side-effects
> in a number of applications. Will this change have similar effects? I've
> gathered by now that in OpenBSD there is little concern for such things.

This functionality required by RFC 2460 appears to be completely
unused by any RFC.

Kris