HomeFreeBSD

icmp6: Improve validation of PMTU

Description

icmp6: Improve validation of PMTU

Currently we accept any pmtu between IPV6_MMTU(1280B) and the link mtu.
In some network topologies could allow a bad actor to perform a DOS attack.
Contrary to IPv4 in IPv6 oversized packets are dropped, and a ICMP
PACKET_TOO_BIG message is sent back to the sender.
After receiving an ICMPv6 packet with pmtu bigger than the
current one the victim will start sending frames that will be dropped
a router with reduced MTU.
Although it will eventually receive another message with correct pmtu,
an attacker can still just inject their spoofed packets frequently
enough to overwrite the correct value.
This issue is described in detail in RFC8201, section 6.
Fix this by checking the current pmtu, and accepting the new one only
if it's smaller.

Approved by: mw(mentor)
Reviewed by: tuexen
MFC after: 1 week
Sponsored by: Stormshield
Obtained from: Semihalf
Differential Revision: https://reviews.freebsd.org/D35871

Details

Provenance
kdAuthored on Jul 20 2022, 7:22 AM
Reviewer
tuexen
Differential Revision
D35871: icmp6: Improve validation of PMTU
Parents
rGd2c0ec8d19da: stand: Spell License correctly
Branches
Unknown
Tags
Unknown