FreeBSD keeps net.inet6.icmp6.nodeinfo default at 3 (Respond to all queries). To prevent information leakage that could be abused in other scenarios it should be set to 0 by default.

E.g. with

    ping -c 1 -k acgslA <ll address obtained with ping -Y ff02::1%iface>%iface

will show all addresses on all interfaces.

Background:
* http://www.cu.ipv6tf.org/pdf/fgont-bsdcan2010-ipv6-security.pdf slide 23
* How this information was used to escape an airgapped network: https://medium.com/sensorfu/escaping-from-a-truly-air-gapped-network-via-apple-awdl-6cf6f9ea3499 (Patched)

MacOS seems to have this at 0 these days.
See Also: https://www.gont.com.ar/talks/bsdcan2010/fgont-bsdcan2010-ipv6-security.pdf
Created attachment 227077 [details]
Set net.inet6.icmp6.nodeinfo to 0 by default

Patch against release 13.0p3 for sys/netinet6/in6_proto.c. After building a kernel and booting it, sysctl will report '0' instead of '3':

    $ sysctl net.inet6.icmp6.nodeinfo
    net.inet6.icmp6.nodeinfo: 0
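For the detection side of the report above, an added example that is not part of the bug report or of FreeBSD's own code: a decoder for RFC 4620 Node Information (NI) Queries (ICMPv6 type 139, the message a ping -k query sends), so a sensor can flag hosts being enumerated before or after the sysctl change lands. Type, qtype and flag values are taken from RFC 4620; the sample packets are constructed.

```python
# Added example (not from the bug report or FreeBSD): decode RFC 4620 NI
# Queries from raw ICMPv6 bytes and emit alert lines for a sensor.
import struct

ICMP6_NI_QUERY = 139          # ICMPv6 type: Node Information Query
ICMP6_NI_REPLY = 140          # ICMPv6 type: Node Information Reply
QTYPES = {0: "NOOP", 2: "Node Name", 3: "Node Addresses", 4: "IPv4 Addresses"}
# Node Addresses query flags, RFC 4620 section 6.3 (T is set only in replies).
ADDR_FLAGS = ((0x20, "G"), (0x10, "S"), (0x08, "L"),
              (0x04, "C"), (0x02, "A"), (0x01, "T"))


def parse_ni_query(icmp6: bytes):
    """Decode one ICMPv6 message; return a dict for an NI Query, else None."""
    if len(icmp6) < 16:                       # fixed header (8) + nonce (8)
        return None
    typ, code, _csum, qtype, flags = struct.unpack("!BBHHH", icmp6[:8])
    if typ != ICMP6_NI_QUERY:
        return None
    return {
        "code": code,                         # 0 IPv6 subject, 1 name, 2 IPv4
        "qtype": QTYPES.get(qtype, f"unknown({qtype})"),
        "flags": "".join(n for bit, n in ADDR_FLAGS if flags & bit)
                 if qtype == 3 else "",
        "nonce": icmp6[8:16].hex(),
        "subject": icmp6[16:],                # subject address or name
    }


def ni_alerts(packets):
    """packets: iterable of (src_ip, icmp6_bytes); returns alert lines."""
    alerts = []
    for src, payload in packets:
        q = parse_ni_query(payload)
        if q is not None:
            alerts.append(f"NI Query from {src}: {q['qtype']} "
                          f"flags={q['flags'] or '-'}")
    return alerts


# Constructed samples: a Node Addresses query with G,S,L,C,A set (all-zero
# nonce and subject for brevity) and an ordinary echo request as noise.
SAMPLE_QUERY = struct.pack("!BBHHH", 139, 0, 0, 3, 0x3E) + bytes(8) + bytes(16)
SAMPLE_ECHO = struct.pack("!BBHHH", 128, 0, 0, 1, 1) + b"payload"
SAMPLE_PACKETS = [("fe80::1", SAMPLE_ECHO), ("fe80::2", SAMPLE_QUERY)]

if __name__ == "__main__":
    for line in ni_alerts(SAMPLE_PACKETS):
        print(line)
```

Feed it the ICMPv6 portion of captured IPv6 packets (after the 40-byte IPv6 header and any extension headers); a burst of type-139 queries from one source to many hosts is the enumeration pattern the report describes.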
I think this would be a great idea to get in for 13.2.
RFC 4620 is still experimental, so I think it is safe to set the `net.inet6.icmp6.nodeinfo` default to 0.
Making it into 13.2-R is out of the question because:
1) it changes a default in a minor release;
2) it's too late, as RC1 is around the corner.

14.0 is a good target release for this change. It'd require a RELNOTES entry though.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b73183d1a243d486e3889bd71800e94812f5fa17

commit b73183d1a243d486e3889bd71800e94812f5fa17
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-04-24 19:41:45 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-04-26 17:47:59 +0000

    ipv6: disable RFC 4620 nodeinfo by default

    RFC 4620 is an experimental RFC that can be used to request information
    about a host, including:
    - the fully-qualified or single-component name
    - some set of the Responder's IPv6 unicast addresses
    - some set of the Responder's IPv4 unicast addresses

    This is not something that should be made available by default.

    PR:             257709
    Submitted by:   ruben@verweg.com
    Reviewed by:    melifaro
    Relnotes:       Yes
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D39778

 sys/netinet6/in6_proto.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=5c4e8a6310973f22eb76835f1b0d5ba5dd9df2f7

commit 5c4e8a6310973f22eb76835f1b0d5ba5dd9df2f7
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-04-24 19:41:45 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-05-01 12:15:08 +0000

    ipv6: disable RFC 4620 nodeinfo by default

    RFC 4620 is an experimental RFC that can be used to request information
    about a host, including:
    - the fully-qualified or single-component name
    - some set of the Responder's IPv6 unicast addresses
    - some set of the Responder's IPv4 unicast addresses

    This is not something that should be made available by default.

    PR:             257709
    Submitted by:   ruben@verweg.com
    Reviewed by:    melifaro
    Relnotes:       Yes
    Sponsored by:   The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D39778

    (cherry picked from commit b73183d1a243d486e3889bd71800e94812f5fa17)

 sys/netinet6/in6_proto.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
Now merged to stable/13, and will be in FreeBSD 13.3 and FreeBSD 14.0. Thanks for the report.