Bug#684072: CVE-2011-2393: ICMPv6 Router Announcement flooding DoS
On Fri, Aug 31, 2012 at 09:06:35PM +0200, Petr Salinger wrote:
> forwarded 684072 http://www.freebsd.org/cgi/query-pr.cgi?pr=158726
> The description of the problem is:
> When flooding the local network with random router advertisements,
> hosts and routers update the network information, consuming all
> available CPU resources, making the systems unusable and unresponsive.
> It happens only iff IPv6 autoconfiguration is enabled.
> But we have only two choices:
> a) allow autoconfiguration and trust the network to provide correct input
> for autoconfiguration
> b) disable autoconfiguration and configure interface manually
> Whether autoconfiguration is enabled is controlled by sysctl.
> The pristine FreeBSD has autoconfiguration disabled,
> our kernel has it enabled to match Linux kernel behaviour:
> kfreebsd-8 (8.0-9) unstable; urgency=low
> [ Aurelien Jarno ]
> * Default to netinet6.ip6.v6only=0 and netinet6.ip6.accept_rtadv=1
> to match the Linux kernel defaults.
> -- Aurelien Jarno <email@example.com> Wed, 23 Jun 2010 21:31:54 +0200
> What should we do?
What about keeping autoconfig enabled and documenting the potential danger in
README.Debian (or somewhere similar), so that anyone concerned can disable