[xstreamos-discuss] Fwd: [discuss] IPv6 bogus Router Advertisements and Illumos 5729

Tue Mar 31 09:21:00 CEST 2015

For anyone interested, here are some notes about IPV6 on illumos by Dan McDonald.
Gabriele
----------------------------------------------------------------------------------
Da: Dan McDonald
A: Dan McDonald
Data: 27 marzo 2015 19.51.26 CET
Oggetto: [discuss] IPv6 bogus Router Advertisements and Illumos 5729
Hello folks!
This is being sent to the illumos developers' list, the illumos discussion list, and the OmniOS discussion list.  I'd appreciate if folks from other distros please forward this to your appropriate distro mailing list(s).  This mail assumes a mild working knowledge of IPv6 and of the illumos kernel's internal structures.  If you have questions, feel free to contact me.  The bottom line is we have nothing to worry about!  The rest of this note explains why.
Recently, I pushed this seemingly innocuous fix into illumos-gate:
commit a36f6bde69ea4d4ea2b0a475ce962b9c1c4ef323
Author: Dan McDonald
Date:   Thu Mar 19 19:04:20 2015 -0400
5729 in.ndpd should log broken RAs
Reviewed by: Robert Mustacchi
Approved by: Gordon Ross
I did so in response to a no-longer-embargoed request from CERT.  The problem behavior manifests with a malicious on-link IPv6 attacker who can theoretically cause nodes to lower their default IPv6 hop limit (like IPv4's TTL) to a small enough amount where IPv6 packets get dropped before they reach their destinations.
This attack does not affect illumos, nor has it ever since its 2010 inception.  This is due to our unusual STORAGE of IPv6 Router Advertisement hop limits, vs. where we actually set these defaults.
Our in.ndpd code sends a SIOCLIFLNKINFO ioctl to the kernel in response to a changed hop limit via a Router Advertisement.  Fortunately, our kernel stores this information in an ill_t's ill_max_hops.  To see these, per-interface, utter this as root on your system's global zone:
echo "::walk ill | ::print ill_t ill_name ill_isv6 ill_max_hops" | mdb -k
The default value is "0", meaning use a system default.  The good news is, the value is NEVER USED BY THE REST OF THE IPv6 STACK.  IPv6 instead always sets the hopcount for locally-originated, non-reflective, packets to whatever these ndd(1M) variables are set, per netstack:
ndd -get /dev/{tcp,udp,icmp} {tcp,udp,icmp}_ipv6_hoplimit
You can use the above mdb(1) walker to see if one of your subnets has been subject to lower IPv6 hoplimits via Router Advertisements.  An RA message with that field set to 0 means don't change, and that's what usually is sent.  If it's set to any other of 1-255, the ill_max_hops field will reflect the most recent receipt of this.  If you have multiple nics on multiple subnets (zoned or non-zoned) you may see varying values.
Apparently some other platforms act on RA hop limits more aggressively than illumos does.  They are fixing this problem.  Starting with the fix for 5729, we are more vocal about seeing such RA hop limits, and have "mdb -p `pgrep in.ndpd`" tunable globals to help sysadmins detect such oddness.
I will now quote from CERT:
----------
Essentially, RFC 3756
Section 4.4 lists some possible attacks that can be done regarding router discovery operations in IPv6. The reporter's attack appears to be a variant of these already well-known attacks. This fake RA attack in IPv6 has been compared to ARP poisoning in IPv4. In other words, this is a known problem due to rogue nodes on an internal network, and likely not a severe software vulnerability as originally thought. CERT/CC thanks vendors that helped provide this analysis.
Furthermore, this information was also submitted by the reporter to several public mailing lists before contacting us. For example, see discussion is available at
and
. Therefore, information on this patch is already fairly public at this point.
Given the circumstances, we will therefore remove our embargo, and allow vendors to address this issue more publicly if desired.
----------
So if you see a CERT notice about IPv6 Router Advertisements and hop limits appear in the near future, you know that I've already performed our due diligence on this account.
For the record, I'm now officially a CERT point of contact, so I see things like this occasionally.  I hope to do right by illumos with this responsibility.  In the future, if I have a problem that I need help with, I know I can count on the community to help.  (Some of you already have helped, and without throwing you under the bus, THANK YOU!)
Happy IPv6-ing!
Dan McDonald -- OmniOS Engineering
-------------------------------------------
illumos-discuss
Archives: https://www.listbox.com/member/archive/182180/=now
RSS Feed: https://www.listbox.com/member/archive/rss/182180/21175541-02f10c6f
Modify Your Subscription: https://www.listbox.com/member/?member_id=21175541&id;secret=21175541-29e3e0ee
Powered by Listbox: http://www.listbox.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sonicle.com/pipermail/xstreamos-discuss/attachments/20150331/61e0cd4b/attachment.html>