Router Solicitations Sent on vether Without inet6 Being Configured


Router Solicitations Sent on vether Without inet6 Being Configured

Brian Dicks
Hello,

I noticed while configuring rules for PF that my machine is sending router
solicitations down the vether0 interface, even though I did not enable
inet6 on it. If I run ifconfig, there are no entries for inet6. My setup is
as follows:

I have re0 (motherboard ethernet), re1 (ethernet card with single port),
and re2-re5 (multiport nic). re0, re2, re3, re4, and re5 are bridged with
vether0. re1 is used for egress; all other are for an internal network.

pf is set to pass all in and out of re0, re2, re3, re4, and re5. PF is set
to default deny. There are no rules that are set that allow IPv6 to pass.
IPv6 is enabled for the loopback device.

Even though vether0 does not have inet6 enabled on it, the system is still
sending router solicitations. I get the following in the pflog:

block out on vether0: fe80::xxxx:xxxx:xxxx:xxxx > ff02::2: icmp6: router
solicitation

I replaced the exact LL address with X values, but that address does not
appear in ifconfig.

I was concerned that this could potentially be a security vulnerability,
but I don't have the equipment to test if the solicitation makes it onto
the internal network.

Thank you,
Brian

Re: Router Solicitations Sent on vether Without inet6 Being Configured

Stuart Henderson
On 2018/12/16 19:54, Brian Dicks wrote:

> Hello,
>
> I noticed while configuring rules for PF that my machine is sending router
> solicitations down the vether0 interface, even though I did not enable
> inet6 on it. If I run ifconfig, there are no entries for inet6. My setup is
> as follows:
>
> I have re0 (motherboard ethernet), re1 (ethernet card with single port),
> and re2-re5 (multiport nic). re0, re2, re3, re4, and re5 are bridged with
> vether0. re1 is used for egress; all other are for an internal network.
>
> pf is set to pass all in and out of re0, re2, re3, re4, and re5. PF is set
> to default deny. There are no rules that are set that allow IPv6 to pass.
> IPv6 is enabled for the loopback device.
>
> Even though vether0 does not have inet6 enabled on it, the system is still
> sending router solicitations. I get the following in the pflog:
>
> block out on vether0: fe80::xxxx:xxxx:xxxx:xxxx > ff02::2: icmp6: router
> solicitation
>
> I replaced the exact LL address with X values, but that address does not
> appear in ifconfig.
>
> I was concerned that this could potentially be a security vulnerability,
> but I don't have the equipment to test if the solicitation makes it onto
> the internal network.
>
> Thank you,
> Brian

Seems more likely that it's from some other device on one of your bridged
ports. Check the MAC address (either decoded from the fe80:: v6 address
or run tcpdump -e and check it there) against machines on your network.
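The check Stuart describes, as an added example that is not part of the thread: parse a pflog line of the shape quoted above, pull out the fe80:: source, recover the MAC from an EUI-64 interface identifier, and compare it with the host's own interface MACs. The log line and the MAC table are constructed sample data; hosts with randomised interface identifiers cannot be decoded this way, which is where `tcpdump -e` comes in.

```python
import ipaddress
import re

# Constructed pflog line in the same shape as the one quoted in the thread;
# the fe80:: address is made up, not the poster's redacted one.
SAMPLE_PFLOG = ("block out on vether0: fe80::211:22ff:fe33:4455 > ff02::2: "
                "icmp6: router solicitation")

# Constructed table of this host's own interface MACs (what ifconfig shows).
LOCAL_MACS = {"re0": "00:11:22:33:44:55", "re1": "00:11:22:33:44:56"}

PFLOG_RE = re.compile(
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>[0-9a-fA-F:.]+) > (?P<dst>[0-9a-fA-F:.]+): (?P<rest>.*)$")


def mac_from_link_local(addr):
    """Recover the MAC embedded in a link-local address, or None.

    Only works for EUI-64 interface identifiers (0xfffe in the middle,
    U/L bit flipped).  Randomised identifiers return None; for those the
    sender's MAC is only visible with tcpdump -e on the bridge members.
    """
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_link_local:
        return None
    b = ip.packed            # 16 bytes; the interface ID is b[8:16]
    if b[11] != 0xFF or b[12] != 0xFE:
        return None
    mac = bytes([b[8] ^ 0x02, b[9], b[10], b[13], b[14], b[15]])
    return ":".join(f"{x:02x}" for x in mac)


def analyse_pflog_line(line, local_macs=LOCAL_MACS):
    """Parse one pflog line and say which host the fe80:: source belongs to."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    src = m.group("src")
    mac = mac_from_link_local(src)
    local_if = None
    if mac is not None:
        # A match here means the packet really came from this host;
        # no match points at another device behind a bridged port.
        local_if = next((n for n, lm in local_macs.items()
                         if lm.lower() == mac), None)
    return {"ifname": m.group("ifname"), "direction": m.group("dir"),
            "src": src, "mac": mac, "local_if": local_if,
            "msg": m.group("rest")}
```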


Re: Router Solicitations Sent on vether Without inet6 Being Configured

Brian Dicks
Would that be true even though the log says, "block out" for vether0? I
assumed that meant it was exiting vether0 and going into the bridge.

I am planning on trying this out in a VM over the weekend to see if I can
replicate it, because it only seems to happen when IPv6 is not set up on any
adapters in the system. My current system is in operation as a router right
now. I will make instructions as I do it.

-Brian

On Mon, Dec 17, 2018, 7:45 PM Stuart Henderson <[hidden email]> wrote:

> On 2018/12/16 19:54, Brian Dicks wrote:
> > Hello,
> >
> > I noticed while configuring rules for PF that my machine is sending router
> > solicitations down the vether0 interface, even though I did not enable
> > inet6 on it. If I run ifconfig, there are no entries for inet6. My setup is
> > as follows:
> >
> > I have re0 (motherboard ethernet), re1 (ethernet card with single port),
> > and re2-re5 (multiport nic). re0, re2, re3, re4, and re5 are bridged with
> > vether0. re1 is used for egress; all other are for an internal network.
> >
> > pf is set to pass all in and out of re0, re2, re3, re4, and re5. PF is set
> > to default deny. There are no rules that are set that allow IPv6 to pass.
> > IPv6 is enabled for the loopback device.
> >
> > Even though vether0 does not have inet6 enabled on it, the system is still
> > sending router solicitations. I get the following in the pflog:
> >
> > block out on vether0: fe80::xxxx:xxxx:xxxx:xxxx > ff02::2: icmp6: router
> > solicitation
> >
> > I replaced the exact LL address with X values, but that address does not
> > appear in ifconfig.
> >
> > I was concerned that this could potentially be a security vulnerability,
> > but I don't have the equipment to test if the solicitation makes it onto
> > the internal network.
> >
> > Thank you,
> > Brian
>
> Seems more likely that it's from some other device on one of your bridged
> ports. Check the MAC address (either decoded from the fe80:: v6 address
> or run tcpdump -e and check it there) against machines on your network.