Traceroute / ICMP issue after 24.7.1 update

[franco]

I don't know. It doesn't feel like a course correction patching the issue that allegedly doesn't exist without further comment and a single test case.

No "Tested by:", no "Reviewed by:" on all of these including the latest. I'm going to contact the researchers for clarification on the testing process. Maybe someone can answer that for me.


Cheers,
Franco

[newsense]

Probably two of the bigger questions they need to have an answer for are:

1) Is this SA still a valid concern ? If not will it be retracted ?

2) IF the SA still stands, is it safe for all the machines on the internet running 13 or 14 releases to be passing IPv6 traffic - if this problematic SA hasn't beed applied yet ?

[doktornotor]

You will need to be more specific. The commit has 4 additional commits on master. One is a ND test and one is a cleanup. The other two don't inspire confidence in the previous work. And the OpenBSD 2023 commit is still missing.

Hey, this one looks like a very universal workaround for all the regressions introduced.  (Though, those ICMP sloppy states remain completely undocumented in FreeBSD as discussed previously, so not sure that the work is complete at all...)

[franco]

> 1) Is this SA still a valid concern ? If not will it be retracted ?

Given the amount of work and grief sunk into this I think not. There was no one to dispute this in FreeBSD or nobody cares either way.

> 2) IF the SA still stands, is it safe for all the machines on the internet running 13 or 14 releases to be passing IPv6 traffic - if this problematic SA hasn't beed applied yet

I will not comment on "safe" but I will say it works however wonky that may be.

As seen in the other thread if you have a lot of devices you will have a lot of ND drops and spurious state creation for no apparent benefit. Unsolicited advertise are likely still broken. IPv6 will silently drop and cause intermittent packet loss for up to roughly 20-40 seconds depending on the behaviour of the devices around the FreeBSD router.

https://github.com/openbsd/src/commit/49f39043a02d

But I mentioned all of that to the relevant authors.


Cheers,
Franco

[doktornotor]

1) Is this SA still a valid concern ?

My personal take on this is that responding to ICMP echo requests is not a valid security concern, since  attempting to block that traffic does introduce any additional security in the first place. (See that longest paragraph  in my rant).

🤷‍♂️