#279 Add the destination for IPv6 Neighbor Discovery

Status: open-remind
Owner: Vadim Kurland
Labels: None
Priority: 1
Updated: 2010-10-30
Created: 2010-10-25
Creator: Wouter Godefroy
Private: No

Set the correct multicast address as destination for the autogenerated "IPv6 Neighbor Discovery" rules

Discussion

  • Vadim Kurland
    2010-10-30

    First of all, RFC 2461 defines the following valid destination addresses:

    router solicitation: all-routers multicast

    router advertisement: all-nodes multicast or an address of the node that sent router solicitation message

    neighbor solicitation: Either the solicited-node multicast address corresponding to the target address, or the target address.

    neighbor advertisement: For solicited advertisements, the Source Address of an invoking Neighbor Solicitation or, if the solicitation's Source Address is the unspecified address, the all-nodes multicast address. For unsolicited advertisements typically the all-nodes multicast address.

    Now, in iptables valid ND packets will end up in the INPUT chain. This is true for both solicitations and advertisements sent to the multicast and to the actual address of the node. However, it is not sufficient to match just multicast; I also need to match the correct address of the machine to permit direct replies. In fact, I need to match all IPv6 addresses the machine might have on all interfaces. This means the number of rules increases significantly. At the same time I am not sure what threat this would help prevent.

    Anyone can send false advertisement on the LAN using correct destination multicast address, but checking destination on the receiving end won't help any.

    If someone manages to send a reply message to the machine in order to "fool" it, then it can also be sent to the right destination address and ip6tables rules won't prevent that.

    We could filter outgoing messages to make it difficult for someone who has access to the machine where these ip6tables rules are running to send forged ND replies. This has two problems: they would need root-level access to send these forged packets in the first place, but that means they can mess with ip6tables rules. Also, the rules can match the correct multicast address in the destination, but they can't match all possible unicast addresses in replies.

    Please let me know if you meant something else or I am missing something.

  • Vadim Kurland
    2010-10-30

    • assigned_to: nobody --> vkurland
  • Vadim Kurland
    2010-10-30

    • priority: 5 --> 1
    • status: open --> open-remind