
Bug#684072: CVE-2011-2393: ICMPv6 Router Announcement flooding DoS



On 07/09/12 17:29, Moritz Muehlenhoff wrote:
> What about keeping autoconfig enabled and documenting the potential danger in 
> README.Debian (or somewhere similar), so that anyone concerned can disable
> it locally?

It looks like we have a bigger problem than this:

I was going to simply write instructions on disabling IPv6
autoconfiguration, or how to completely disable IPv6 on an interface.
But when testing it on wheezy, it seems the necessary ifconfig flags are
not working on kfreebsd-amd64 or kfreebsd-i386, at least on 9.0 kernels:

# ifconfig xn0 ifdisabled
ifconfig: ioctl(SIOCGIFINFO_IN6): Invalid argument
# ifconfig xn0 -accept_rtadv
ifconfig: ioctl(SIOCGIFINFO_IN6): Invalid argument

This bug would have to be fixed in stable first.  It looks like kernel
ABI breakage, but at first glance the ioctl looks correct and data
structures the same.

There is a sysctl but by design it only sets a default for interfaces
not 'attached' yet, which is of no help here.  And changing the default
from the bootloader might not work either - a loader tunable for this
wasn't implemented until r253239 (kFreeBSD 9.2).

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

