Mailing List Archive

Re: [quagga-users 14526] Quagga CVE Released: CVE-2016-1245 (Fix in latest 1.0.20161017 release)
On Nov 16, 2016, at 10:05 AM, Paul Jakma <paul@jakma.org> wrote:
> On Tue, 15 Nov 2016, Alexis Rosen wrote:
>
>> As far as I can tell, this is an editing error of some sort, and in fact you can NOT trigger the issue simply by having an IPv6 address reachable with an ICMP.
>
> Ah, what's the basis for that? I looked at the code, and that security claim seemed possible.

ISTM that the bug is in code which allocates memory to hold contents of a received RA, so if you can't get RAs on the box, you'll never try to allocate a too-small amount of memory. RSes as well?

However, given the difficulty/CPU cost of blocking obscured ICMPv6 packets (see for example RFC7113), maybe drawing the distinction between different types of ICMPs isn't all that useful in a practical security context.

>> Later in the advisory, it says:
>
>>> Usage of Quagga without running the 'zebra' daemon, or no
>>> IPv6 neighbor-discovery are not affected.
>>
>> A quick look at the code also suggests this is so, but my familiarity with this code is basically nil, and it would be very easy for me to get this wrong.
>
> The code concerned is all the zebra daemon, so that's correct. The code that reads the message is only enabled if the zebra RA/ND feature is.
>
> Note, you could have the kernel IPv6 ND/SLAC enabled, and be fine - it's about the zebra feature. That's also not 100% clear.

Yes.

/a
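Paul's point above, that exposure depends on zebra's own RA/ND feature rather than the kernel's, lends itself to a quick configuration audit. The script below is an added example, not code from this thread or from Quagga; it assumes Quagga enables RA sending per interface with `no ipv6 nd suppress-ra` and suppresses it by default, and the sample config is constructed.

```python
# Added example (not from the thread or from Quagga): audit a zebra.conf for
# interfaces on which zebra's own Router Advertisement feature is enabled.
# Assumption: Quagga enables RA sending per interface with
# "no ipv6 nd suppress-ra" and suppresses it by default.
import re
# Constructed sample zebra.conf: eth0 enables zebra RA, eth1 keeps the
# default, eth2 enables then re-suppresses it (last command wins).
SAMPLE_ZEBRA_CONF = """\
interface eth0
 no ipv6 nd suppress-ra
!
interface eth1
 ipv6 address 2001:db8:2::1/64
!
interface eth2
 no ipv6 nd suppress-ra
 ipv6 nd suppress-ra
!
"""

def parse_interfaces(conf):
    """Group config lines under their 'interface <name>' stanza."""
    stanzas, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None  # '!' separates stanzas in Quagga configs
            continue
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, [])
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def interfaces_with_zebra_ra(conf):
    """Interfaces where zebra RA (and so its RA/RS reader) is enabled."""
    enabled = []
    for name, lines in parse_interfaces(conf).items():
        ra_on = False
        for line in lines:
            if line == "no ipv6 nd suppress-ra":
                ra_on = True
            elif line == "ipv6 nd suppress-ra":
                ra_on = False
        if ra_on:
            enabled.append(name)
    return enabled
```

An empty result means no interface turns on zebra's RA feature, which is the condition the advisory text quoted above describes as unaffected.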
_______________________________________________
Quagga-dev mailing list
Quagga-dev@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-dev