Bug 257709 - netinet6: Set net.inet6.icmp6.nodeinfo default to 0
Summary: netinet6: Set net.inet6.icmp6.nodeinfo default to 0
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 13.0-RELEASE
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-net (Nobody)
URL:
Keywords: needs-patch, needs-qa, security
Depends on:
Blocks:
 
Reported: 2021-08-09 12:32 UTC by ruben
Modified: 2021-08-10 10:40 UTC
CC: 3 users

See Also:
koobs: maintainer-feedback? (secteam)
koobs: mfc-stable13?
koobs: mfc-stable12?
koobs: mfc-stable11?


Attachments
Set net.inet6.icmp6.nodeinfo to 0 by default (536 bytes, patch)
2021-08-10 10:40 UTC, ruben

Description ruben 2021-08-09 12:32:14 UTC
FreeBSD keeps the net.inet6.icmp6.nodeinfo default at 3 (Respond to all queries).

To prevent information leakage that could be abused in other scenarios it should be set to 0 by default.

E.g. with ping -c 1 -k acgslA <ll address obtained with ping -Y ff02::1%iface>%iface will show all addresses on all interfaces.

Background:

* http://www.cu.ipv6tf.org/pdf/fgont-bsdcan2010-ipv6-security.pdf slide 23
* How this information was used to escape an airgapped network https://medium.com/sensorfu/escaping-from-a-truly-air-gapped-network-via-apple-awdl-6cf6f9ea3499

(Patched) MacOS seems to have this at 0 these days
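A persistent mitigation for systems that still run the shipped default, as an added example that is not part of the bug report or its attached patch: a small POSIX sh helper (function names are my own) that audits the running value and idempotently pins net.inet6.icmp6.nodeinfo=0 in a sysctl.conf-style file, so ICMPv6 Node Information Queries are ignored regardless of the kernel default.

```shell
#!/bin/sh
# Hardening helper (added example, not the bug report's or FreeBSD's own code).
# Sets net.inet6.icmp6.nodeinfo=0 persistently (and shows how to apply it at
# runtime) on hosts whose kernel still defaults to 3.

OID="net.inet6.icmp6.nodeinfo"

# Idempotently pin OID=0 in the sysctl.conf-style file given as $1.
# An existing line for the OID (active or commented out) is replaced in place;
# otherwise the setting is appended. Safe to run repeatedly.
persist_nodeinfo_off() {
    conf="$1"
    tmp="$conf.tmp.$$"
    [ -f "$conf" ] || : > "$conf"
    if grep -q "^[[:space:]]*#\{0,1\}[[:space:]]*$OID[[:space:]]*=" "$conf"; then
        sed "s|^[[:space:]]*#\{0,1\}[[:space:]]*$OID[[:space:]]*=.*|$OID=0|" \
            "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf '%s=0\n' "$OID" >> "$conf"
    fi
}

# Print the effective value recorded for the OID in the file given as $1.
# The last active line wins, matching how sysctl(8) applies the file in order;
# prints "unset" when no active line exists.
conf_nodeinfo_value() {
    v=$(grep "^[[:space:]]*$OID[[:space:]]*=" "$1" | tail -n 1 | sed 's/.*=[[:space:]]*//')
    printf '%s\n' "${v:-unset}"
}

# Audit the running kernel: succeeds only when the sysctl exists and is 0.
# Meaningful on FreeBSD only; on other systems the OID is absent and this fails.
runtime_nodeinfo_off() {
    cur=$(sysctl -n "$OID" 2>/dev/null) || return 1
    [ "$cur" = "0" ]
}

# Typical use as root:
#   sysctl "$OID=0"                          # takes effect immediately
#   persist_nodeinfo_off /etc/sysctl.conf    # survives reboot
#   runtime_nodeinfo_off && echo "node info queries disabled"
```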
Comment 2 ruben 2021-08-10 10:40:28 UTC
Created attachment 227077 [details]
Set net.inet6.icmp6.nodeinfo to 0 by default

Patch against release 13.0p3 for sys/netinet6/in6_proto.c.

After building a kernel and booting it, sysctl will report '0' instead of '3':

$ sysctl net.inet6.icmp6.nodeinfo
net.inet6.icmp6.nodeinfo: 0