Bug #8791

Default IPv6 rules do not allow some devices to perform router or neighbor discovery

Added by Jim Pingle about 6 years ago. Updated about 6 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Rules / NAT
Target version:
Start date: 08/16/2018
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

RFC 4861 states in section 4.1 that during neighbor discovery a device may use the "unspecified" address if it does not yet have an IPv6 address. pfSense does not currently include that source in the list of sources allowed in the default ICMPv6 internal rules.

      Source Address
                     An IP address assigned to the sending interface, or
                     the unspecified address if no address is assigned
                     to the sending interface.

Section 2.3 states that the "unspecified" address is all zeroes, which compresses to ::

   unspecified address
               - a reserved address value that indicates the lack of an
                 address (e.g., the address is unknown).  It is never
                 used as a destination address, but may be used as a
                 source address if the sender does not (yet) know its
                 own address (e.g., while verifying an address is unused
                 during stateless address autoconfiguration [ADDRCONF]).
                 The unspecified address has a value of 0:0:0:0:0:0:0:0.

So rather than an address on the interface subnet, or link-local, such devices may send from a source of :: to the multicast all-routers destination.

Should be easy to correct by adding one more rule to the list near source:src/etc/inc/filter.inc#L3309 with :: as the source instead of fe80::/10.
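The following is an added example, not pfSense code and not part of the report above. It models pf's first-match ("quick") evaluation over a paraphrase of the default ICMPv6 link-local rules to show why a Router Solicitation sent from the unspecified source :: never matches them (:: is not inside fe80::/10 or ff02::/16), and that a single extra rule with :: as the source admits it. The same rule also covers Duplicate Address Detection, whose Neighbor Solicitations are likewise sent from :: to a solicited-node multicast address inside ff02::/16, as the RFC 4861 section 2.3 text quoted above alludes to. The rule list, the rule labels and the pf.conf rendering are assumptions for illustration; the exact text in filter.inc may differ.

```python
"""Added example (not pfSense's filter.inc): model pf first-match evaluation of
the default ICMPv6 link-local rules and the proposed rule for source ::."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# ICMPv6 types admitted by the link-local rules: echo request, Router
# Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement.
ND_TYPES = frozenset({128, 133, 134, 135, 136})


@dataclass(frozen=True)
class Rule:
    src: IPv6Network
    dst: IPv6Network
    types: frozenset
    label: str


LINK_LOCAL = IPv6Network("fe80::/10")
LINK_MCAST = IPv6Network("ff02::/16")
UNSPECIFIED = IPv6Network("::/128")

# Assumed paraphrase of the existing default rules: only link-local and
# link-scope multicast sources are listed, so the unspecified address :: is
# never matched and the packet falls through to the default deny.
DEFAULT_RULES = [
    Rule(LINK_LOCAL, LINK_LOCAL, ND_TYPES, "fe80::/10 -> fe80::/10"),
    Rule(LINK_LOCAL, LINK_MCAST, ND_TYPES, "fe80::/10 -> ff02::/16"),
    Rule(LINK_MCAST, LINK_LOCAL, ND_TYPES, "ff02::/16 -> fe80::/10"),
]

# The one rule the report proposes: identical to the fe80::/10 -> ff02::/16
# rule, but with :: as the source.
UNSPECIFIED_RULE = Rule(UNSPECIFIED, LINK_MCAST, ND_TYPES, ":: -> ff02::/16")
FIXED_RULES = DEFAULT_RULES + [UNSPECIFIED_RULE]


def first_match(rules, src, dst, icmp6_type):
    """Return the label of the first matching 'pass quick' rule, or None when
    nothing matches (pf would then apply the default deny)."""
    s, d = IPv6Address(src), IPv6Address(dst)
    for r in rules:
        if s in r.src and d in r.dst and icmp6_type in r.types:
            return r.label
    return None


def rs_from_unspecified_passes(rules):
    """Router Solicitation (type 133) from :: to all-routers ff02::2, as sent by
    a host that has no address yet (RFC 4861 section 4.1)."""
    return first_match(rules, "::", "ff02::2", 133) is not None


def dad_ns_passes(rules):
    """Neighbor Solicitation (type 135) for Duplicate Address Detection: source
    ::, destination a solicited-node multicast address (RFC 4862)."""
    return first_match(rules, "::", "ff02::1:ff00:1", 135) is not None


def rs_from_link_local_passes(rules):
    """The ordinary case the default rules already handle."""
    return first_match(rules, "fe80::1", "ff02::2", 133) is not None


def pf_rule_text(rule, interface="$LAN"):
    """Render a rule in pf.conf syntax (constructed illustration; the interface
    macro is a placeholder)."""
    def net(n):
        return str(n.network_address) if n.prefixlen == 128 else str(n)
    types = ",".join(str(t) for t in sorted(rule.types))
    return (f"pass in quick on {interface} inet6 proto ipv6-icmp "
            f"from {net(rule.src)} to {net(rule.dst)} "
            f"icmp6-type {{{types}}} keep state")


if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("fixed", FIXED_RULES)):
        print(f"{name}: RS from :: passes={rs_from_unspecified_passes(rules)}, "
              f"DAD NS from :: passes={dad_ns_passes(rules)}, "
              f"RS from fe80::1 passes={rs_from_link_local_passes(rules)}")
    print(pf_rule_text(UNSPECIFIED_RULE))
```

With the default list, both the Router Solicitation and the DAD Neighbor Solicitation from :: return no match and would be dropped; adding the single :: rule admits both while leaving the existing link-local behaviour unchanged.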
