Bug#684072: CVE-2011-2393: ICMPv6 Router Announcement flooding DoS
On Fri, Aug 31, 2012 at 09:06:35PM +0200, Petr Salinger wrote:
> forwarded 684072 http://www.freebsd.org/cgi/query-pr.cgi?pr=158726
> --
>
> The description of the problem is:
>
> When flooding the local network with random router advertisements,
> hosts and routers update the network information, consuming all
> available CPU resources, making the systems unusable and unresponsive.
>
> It happens only iff IPv6 autoconfiguration is enabled.
> But we have only two choices
>
> a) allow autoconfiguration and trust the network to provide correct input
> for autoconfiguration
>
> b) disable autoconfiguration and configure interface manually
>
> Whether autoconfiguration is enabled is controlled by sysctl.
> The pristine FreeBSD has autoconfiguration disabled,
> our kernel has it enabled to match Linux kernel behaviour:
>
> kfreebsd-8 (8.0-9) unstable; urgency=low
>
> [ Aurelien Jarno ]
> * Default to netinet6.ip6.v6only=0 and netinet6.ip6.accept_rtadv=1
> to match the Linux kernel defaults.
>
> -- Aurelien Jarno <aurel32@debian.org> Wed, 23 Jun 2010 21:31:54 +0200
>
>
> What should we do?

What about keeping autoconfig enabled and documenting the potential danger in
README.Debian (or somewhere similar), so that anyone concerned can disable
it locally?

Cheers,
Moritz