IPv6 DoS sysctl man page additions


IPv6 DoS sysctl man page additions

Loganaden Velvindron
Hi All,

I'm taking a short break from playing with pf statistics.

There were 4 sysctls added from KAME, but the man pages weren't updated
accordingly.

(Adapted from the NetBSD man page changes)

Feedback welcomed.


Index: lib/libc/gen/sysctl.3
===================================================================
RCS file: /cvs/src/lib/libc/gen/sysctl.3,v
retrieving revision 1.228
diff -u -p -u -p -r1.228 sysctl.3
--- lib/libc/gen/sysctl.3       21 Jan 2014 03:15:45 -0000      1.228
+++ lib/libc/gen/sysctl.3       19 Apr 2014 10:58:30 -0000
@@ -1676,11 +1676,15 @@ The currently defined protocols and name
 .It ip6 Ta hdrnestlimit Ta integer Ta yes
 .It ip6 Ta hlim Ta integer Ta yes
 .It ip6 Ta log_interval Ta integer Ta yes
+.It ip6 Ta maxdynroutes Ta integer Ta yes
 .It ip6 Ta maxfragpackets Ta integer Ta yes
 .It ip6 Ta maxfrags Ta integer Ta yes
+.It ip6 Ta maxifprefixes Ta integer Ta yes
+.It ip6 Ta maxifdefrouters Ta integer Ta yes
 .It ip6 Ta mforwarding Ta integer Ta yes
 .It ip6 Ta multicast_mtudisc Ta integer Ta yes
 .It ip6 Ta multipath Ta integer Ta yes
+.It ip6 Ta neighborgcthresh Ta integer Ta yes
 .It ip6 Ta redirect Ta integer Ta yes
 .It ip6 Ta rr_prune Ta integer Ta yes
 .It ip6 Ta use_deprecated Ta integer Ta yes
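Review bot: the two new rows `maxifprefixes` and `maxifdefrouters` are inserted in the wrong order for this table, which is otherwise alphabetical (hdrnestlimit, hlim, log_interval, maxdynroutes, maxfragpackets, maxfrags, ...); `maxifdefrouters` sorts before `maxifprefixes`, so swap the two added `.It` lines. The same pair appears in the same order in the sysctl.8 hunk, but that table is not sorted, so only this one needs the swap.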
@@ -1834,6 +1838,11 @@ IPv6 packet forwarding engine.
 The value indicates the number of
 seconds of interval which must elapse between log output.
 .Pp
+.It Li ip6.maxdynroutes
+Maximum number of routes created by redirect.
+Set it to negative to disable.
+The default value is 4096.
+.Pp
 .It Li ip6.maxfragpackets
 The maximum number of fragmented packets the node will accept.
 0 means that the node will not accept any fragmented packets.
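Review bot: "Maximum number of routes created by redirect" does not say what a redirect is here; since the `ip6.redirect` entry further down in this section is about the node *sending* ICMPv6 redirects, spell it out as "Maximum number of routes created by received ICMPv6 redirect messages". "Set it to negative to disable" should also say what is disabled, e.g. "Set to a negative value to disable the limit"; the neighbouring `ip6.maxfrags` entry states its sentinel concretely ("\-1 means that the node will accept as many fragments as it receives"), and the new entries should be equally explicit.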
@@ -1846,6 +1855,17 @@ The maximum number of fragments the node
 \-1 means that the node will accept as many fragments as it receives.
 The flag is provided basically for avoiding possible DoS attacks.
 .Pp
+.It Li ip6.maxifprefixes
+Maximum number of prefixes created by route advertisements per interface.
+Set it to negative to disable.
+The default value is 16.
+.Pp
+.It Li ip6.maxifdefrouters 16
+Maximum number of default routers created by route advertisements per
+interface.
+Set it to negative to disable.
+The default value is 16.
+.Pp
 .It Li ip6.mforwarding
 If set to 1, then multicast forwarding is enabled for the host.
 The default is 0.
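Review bot: `.It Li ip6.maxifdefrouters 16` carries a stray `16` after the name, which mdoc will render as part of the item label; the number belongs only in the "The default value is 16." line below it. In both new entries "route advertisements" should be "router advertisements", the Neighbor Discovery message that carries prefix information and default router lifetimes, which is what these two limits bound. "Set it to negative to disable" is better as "Set to a negative value to disable the limit", as for `ip6.maxdynroutes`.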
@@ -1861,6 +1881,11 @@ If set to 0, the ICMPv6 Too Big message
 This variable enables multipath routing for IPv6 addresses.
 If set to 0, only the first route selected will be used for a given
 destination regardless of how many routes exist in the routing table.
+.Pp
+.It Li ip6.neighborgcthresh
+Maximum number of entries in neighbor cache.
+Set to negative to disable.
+The default value is 2048.
 .Pp
 .It Li ip6.redirect
 Returns 1 when ICMPv6 redirects may be sent by the node.
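Review bot: the name `neighborgcthresh` says this is a garbage-collection threshold rather than a hard cap, so "Maximum number of entries in neighbor cache" may promise more than the knob does; wording that matches the name, e.g. "Number of neighbor cache entries above which old entries are garbage collected", avoids a reader assuming new neighbors are refused at 2048. "Set to negative to disable" should read "Set to a negative value to disable the limit", consistent with the other three entries.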
Index: sbin/sysctl/sysctl.8
===================================================================
RCS file: /cvs/src/sbin/sysctl/sysctl.8,v
retrieving revision 1.173
diff -u -p -u -p -r1.173 sysctl.8
--- sbin/sysctl/sysctl.8        28 Oct 2013 21:02:35 -0000      1.173
+++ sbin/sysctl/sysctl.8        19 Apr 2014 10:58:30 -0000
@@ -301,10 +301,14 @@ and a few require a kernel compiled with
 .It net.inet6.ip6.use_deprecated Ta integer Ta yes
 .It net.inet6.ip6.rr_prune Ta integer Ta yes
 .It net.inet6.ip6.v6only Ta integer Ta no
+.It net.inet6.ip6.maxdynroutes Ta integer Ta yes
 .It net.inet6.ip6.maxfrags Ta integer Ta yes
+.It net.inet6.ip6.maxifprefixes Ta integer Ta yes
+.It net.inet6.ip6.maxifdefrouters Ta integer Ta yes
 .It net.inet6.ip6.mforwarding Ta integer Ta yes
 .It net.inet6.ip6.multipath Ta integer Ta yes
 .It net.inet6.ip6.multicast_mtudisc Ta integer Ta yes
+.It net.inet6.ip6.neighborgcthresh Ta integer Ta yes
 .It net.inet6.icmp6.rediraccept Ta integer Ta yes
 .It net.inet6.icmp6.redirtimeout Ta integer Ta yes
 .It net.inet6.icmp6.nd6_prune Ta integer Ta yes


Re: IPv6 DoS sysctl man page additions

Loganaden Velvindron
On Sat, Apr 19, 2014 at 04:04:30AM -0700, Loganaden Velvindron wrote:

> Hi All,
>
> I'm taking a short break from playing with pf statistics.
>
> There were 4 sysctls added from KAME, but the man pages weren't updated
> accordingly.
>
> (Adapted from the NetBSD man page changes)
>
> Feedback welcomed.
>
>

Removed trailing spaces and used "set to" instead of "set it to" based
on feedback from sthen@.


Index: lib/libc/gen/sysctl.3
===================================================================
RCS file: /cvs/src/lib/libc/gen/sysctl.3,v
retrieving revision 1.228
diff -u -p -u -p -r1.228 sysctl.3
--- lib/libc/gen/sysctl.3       21 Jan 2014 03:15:45 -0000      1.228
+++ lib/libc/gen/sysctl.3       19 Apr 2014 11:17:13 -0000
@@ -1676,11 +1676,15 @@ The currently defined protocols and name
 .It ip6 Ta hdrnestlimit Ta integer Ta yes
 .It ip6 Ta hlim Ta integer Ta yes
 .It ip6 Ta log_interval Ta integer Ta yes
+.It ip6 Ta maxdynroutes Ta integer Ta yes
 .It ip6 Ta maxfragpackets Ta integer Ta yes
 .It ip6 Ta maxfrags Ta integer Ta yes
+.It ip6 Ta maxifprefixes Ta integer Ta yes
+.It ip6 Ta maxifdefrouters Ta integer Ta yes
 .It ip6 Ta mforwarding Ta integer Ta yes
 .It ip6 Ta multicast_mtudisc Ta integer Ta yes
 .It ip6 Ta multipath Ta integer Ta yes
+.It ip6 Ta neighborgcthresh Ta integer Ta yes
 .It ip6 Ta redirect Ta integer Ta yes
 .It ip6 Ta rr_prune Ta integer Ta yes
 .It ip6 Ta use_deprecated Ta integer Ta yes
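Review bot: the `maxifprefixes`/`maxifdefrouters` rows are still out of alphabetical order in this revision (`maxifdefrouters` sorts first); swap the two added `.It` lines.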
@@ -1834,6 +1838,11 @@ IPv6 packet forwarding engine.
 The value indicates the number of
 seconds of interval which must elapse between log output.
 .Pp
+.It Li ip6.maxdynroutes
+Maximum number of routes created by redirect.
+Set to negative to disable.
+The default value is 4096.
+.Pp
 .It Li ip6.maxfragpackets
 The maximum number of fragmented packets the node will accept.
 0 means that the node will not accept any fragmented packets.
@@ -1846,6 +1855,17 @@ The maximum number of fragments the node
 \-1 means that the node will accept as many fragments as it receives.
 The flag is provided basically for avoiding possible DoS attacks.
 .Pp
+.It Li ip6.maxifprefixes
+Maximum number of prefixes created by route advertisements per interface.
+Set to negative to disable.
+The default value is 16.
+.Pp
+.It Li ip6.maxifdefrouters 16
+Maximum number of default routers created by route advertisements per
+interface.
+Set to negative to disable.
+The default value is 16.
+.Pp
 .It Li ip6.mforwarding
 If set to 1, then multicast forwarding is enabled for the host.
 The default is 0.
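Review bot: the stray `16` on `.It Li ip6.maxifdefrouters 16` and "route advertisements" (should be "router advertisements") carried over unchanged from the first version; the "Set to negative" rewording is in, but "Set to a negative value to disable the limit" would still be clearer in all four new entries.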
@@ -1861,6 +1881,11 @@ If set to 0, the ICMPv6 Too Big message
 This variable enables multipath routing for IPv6 addresses.
 If set to 0, only the first route selected will be used for a given
 destination regardless of how many routes exist in the routing table.
+.Pp
+.It Li ip6.neighborgcthresh
+Maximum number of entries in neighbor cache.
+Set to negative to disable.
+The default value is 2048.
 .Pp
 .It Li ip6.redirect
 Returns 1 when ICMPv6 redirects may be sent by the node.
Index: sbin/sysctl/sysctl.8
===================================================================
RCS file: /cvs/src/sbin/sysctl/sysctl.8,v
retrieving revision 1.173
diff -u -p -u -p -r1.173 sysctl.8
--- sbin/sysctl/sysctl.8        28 Oct 2013 21:02:35 -0000      1.173
+++ sbin/sysctl/sysctl.8        19 Apr 2014 11:17:15 -0000
@@ -301,10 +301,14 @@ and a few require a kernel compiled with
 .It net.inet6.ip6.use_deprecated Ta integer Ta yes
 .It net.inet6.ip6.rr_prune Ta integer Ta yes
 .It net.inet6.ip6.v6only Ta integer Ta no
+.It net.inet6.ip6.maxdynroutes Ta integer Ta yes
 .It net.inet6.ip6.maxfrags Ta integer Ta yes
+.It net.inet6.ip6.maxifprefixes Ta integer Ta yes
+.It net.inet6.ip6.maxifdefrouters Ta integer Ta yes
 .It net.inet6.ip6.mforwarding Ta integer Ta yes
 .It net.inet6.ip6.multipath Ta integer Ta yes
 .It net.inet6.ip6.multicast_mtudisc Ta integer Ta yes
+.It net.inet6.ip6.neighborgcthresh Ta integer Ta yes
 .It net.inet6.icmp6.rediraccept Ta integer Ta yes
 .It net.inet6.icmp6.redirtimeout Ta integer Ta yes
 .It net.inet6.icmp6.nd6_prune Ta integer Ta yes


Re: IPv6 DoS sysctl man page additions

Fernando Gont-2
In reply to this post by Loganaden Velvindron
Hi, Loganaden,

NetBSD really had these? I seem to recall that OpenBSD was the only BSD
variant with these (sensible) knobs.

Thanks,
Fernando




On 04/19/2014 08:04 AM, Loganaden Velvindron wrote:

> Hi All,
>
> I'm taking a short break from playing with pf statistics.
>
> There were 4 sysctls added from KAME, but the man pages weren't updated
> accordingly.
>
> (Adapted from the NetBSD man page changes)
>
> Feedback welcomed.
>
>


--
Fernando Gont
e-mail: [hidden email] || [hidden email]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1




Re: IPv6 DoS sysctl man page additions

Loganaden Velvindron
On Mon, Apr 21, 2014 at 09:39:55PM -0300, Fernando Gont wrote:
> Hi, Loganaden,
>
> NetBSD really had these? I seem to recall that OpenBSD was the only BSD
> variant with these (sensible) knobs.
>
> Thanks,
> Fernando
>

They copied it from OpenBSD in 2012:

        kernel: Add sysctls to avoid ipv6 DoS attacks (from OpenBSD):
                net.inet6.ip6.neighborgcthresh = 2048
                net.inet6.ip6.maxifprefixes = 16
                net.inet6.ip6.maxifdefrouters = 16
                net.inet6.ip6.maxdynroutes = 4096
                [christos 20120622]

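The four limits and the defaults quoted in the changelog entry above, turned into a small audit that flags hosts where one of them has been disabled. This is an added example, not code from the thread or from OpenBSD or NetBSD. It assumes the `name=value` lines that `sysctl net.inet6.ip6` prints on OpenBSD; a constructed capture is embedded so it runs offline, and the baseline numbers are the ones in the changelog entry, not measured values.

```sh
#!/bin/sh
# Added example (not from the thread): audit the IPv6 DoS limits
# net.inet6.ip6.{neighborgcthresh,maxifprefixes,maxifdefrouters,maxdynroutes}
# against the defaults quoted in the thread.  A negative value disables the
# limit entirely, which is the state an on-link attacker flooding RAs,
# redirects or NS traffic benefits from, so that is what the audit fails on.

# Baseline: the defaults from the NetBSD changelog entry quoted above.
IP6_LIMIT_DEFAULTS="net.inet6.ip6.neighborgcthresh=2048
net.inet6.ip6.maxifprefixes=16
net.inet6.ip6.maxifdefrouters=16
net.inet6.ip6.maxdynroutes=4096"

# Constructed sample of `sysctl net.inet6.ip6` output (not a real capture):
# maxifprefixes has been disabled and maxdynroutes raised above the default.
SAMPLE_SYSCTL_OUTPUT='net.inet6.ip6.forwarding=0
net.inet6.ip6.neighborgcthresh=2048
net.inet6.ip6.maxifprefixes=-1
net.inet6.ip6.maxifdefrouters=16
net.inet6.ip6.maxdynroutes=8192'

# ip6_limit_status VALUE DEFAULT: classify one sysctl value relative to
# its default.  Prints one of: disabled, zero, invalid, raised, lowered,
# default.
ip6_limit_status() {
    case $1 in
        -*)        echo disabled ;;   # negative: limit switched off
        *[!0-9]*)  echo invalid ;;    # not an integer at all
        0)         echo zero ;;       # accepts no RA-learned state / routes
        *)
            if [ "$1" -gt "$2" ]; then
                echo raised
            elif [ "$1" -lt "$2" ]; then
                echo lowered
            else
                echo default
            fi
            ;;
    esac
}

# audit_ip6_limits: read sysctl(8) output on stdin and print one
# "name value status" line per limit.  Returns 1 if any limit is disabled
# or absent from the output (older kernel without the knob), else 0.
audit_ip6_limits() {
    input=$(cat)
    rc=0
    for entry in $IP6_LIMIT_DEFAULTS; do
        name=${entry%%=*}
        dflt=${entry#*=}
        # exact match on the full MIB name; '=' is the field separator
        val=$(printf '%s\n' "$input" |
              awk -F= -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$val" ]; then
            status=missing
            rc=1
        else
            status=$(ip6_limit_status "$val" "$dflt")
            [ "$status" = disabled ] && rc=1
        fi
        printf '%s %s %s\n' "$name" "${val:--}" "$status"
    done
    return $rc
}

# Run against the constructed sample; on a real host use
#   sysctl net.inet6.ip6 | audit_ip6_limits
printf '%s\n' "$SAMPLE_SYSCTL_OUTPUT" | audit_ip6_limits ||
    echo "at least one IPv6 DoS limit is disabled or missing"
```

A raised limit is reported but does not fail the audit: a router with many legitimately advertised prefixes may need more than 16, and the point of the knobs is to bound attacker-driven state, not to pin the exact default.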


Re: IPv6 DoS sysctl man page additions

Mike Belopuhov-5
In reply to this post by Loganaden Velvindron
On 19 April 2014 13:20, Loganaden Velvindron <[hidden email]> wrote:

> On Sat, Apr 19, 2014 at 04:04:30AM -0700, Loganaden Velvindron wrote:
>> Hi All,
>>
>> I'm taking a short break from playing with pf statistics.
>>
>> There were 4 sysctls added from KAME, but the man pages weren't updated
>> accordingly.
>>
>> (Adapted from the NetBSD man page changes)
>>
>> Feedback welcomed.
>>
>>
>
> Removed trailing spaces and use "set to" instead of "set it to" based
> on feedback from sthen@
>
>

OK mikeb