
Bug#782323: linux-image-3.16.0-4-amd64: setting net.ipv6.conf.all.accept_ra to 0 has no effect, thus does not protect against SLAAC attacks



Hi,

On 2022-06-01 00:35:03 +0200, Diederik de Haas wrote:
> This bug was filed against kernel version 3.16 and the chance that
> an upstream kernel developer will devote time to it is ~ 0%, so I'm
> closing this bug.
> 
> If you can reproduce it with
> 
> - the current version in unstable/testing
> - the latest kernel from backports
> 
> please reopen the bug, see https://www.debian.org/Bugs/server-control
> for details.

I cannot test (at least at the moment), but after some searching, I may
have an explanation of the issue (this would not be a kernel bug, and
the switch to systemd may have fixed it). There's a related upstream
kernel bug

  https://bugzilla.kernel.org/show_bug.cgi?id=11655
  "/proc/sys/net/ipv6/conf/all/* controls don't work"

regarded as invalid, because the user was changing the settings
manually, and it is said that *.all.* variables must be set before
the device is created so that they are taken into account.

Now, in my case, I wasn't setting the variable manually, but via
the /etc/sysctl.conf file. So everything depends on when this file
is read. I've looked at old boot log files, and it was apparently
read via the /etc/init.d/procps script, which could be run rather
late, sometimes after the network was set up! So this was definitely
wrong.

Now, with systemd, there is documentation at

  https://www.freedesktop.org/software/systemd/man/sysctl.d.html

which says in particular:

  The settings configured with sysctl.d files will be applied early
  on boot. The network interface-specific options will also be
  applied individually for each network interface as it shows up in
  the system. (More specifically, net.ipv4.conf.*, net.ipv6.conf.*,
  net.ipv4.neigh.* and net.ipv6.neigh.*).

So, if I understand correctly, the settings are now read much earlier,
and normally before the network interfaces show up. Thus everything
should now be fine.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
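The practical check that follows from the message above, as an added example that is not part of the bug report or of any Debian or kernel code: since the kernel consults the per-interface accept_ra value, and a write to net.ipv6.conf.all.accept_ra only helps if it happened before the interface existed, the only reliable way to know whether a host is protected is to read accept_ra under every real interface directory. The script below is POSIX sh; the names SYSCTL_ROOT and ra_audit are chosen for this example, and SYSCTL_ROOT can be pointed at a constructed directory tree so the check can be exercised offline.

```shell
#!/bin/sh
# Added example: audit the *effective* accept_ra value of every IPv6
# interface instead of trusting net.ipv6.conf.all.accept_ra.
# SYSCTL_ROOT is an assumed variable for this example; on a real host
# leave it at the default, which is where the kernel exposes the per-
# interface IPv6 settings.
: "${SYSCTL_ROOT:=/proc/sys/net/ipv6/conf}"

# ra_audit [root]
# Prints "<iface> accept_ra=<value>" for every real interface whose
# accept_ra is not 0. The pseudo-entries "all" and "default" are skipped:
# they are not interfaces, and their value is not what the kernel checks
# when a router advertisement arrives. Returns 0 when every interface has
# accept_ra=0, 1 otherwise.
ra_audit() {
    root=${1:-$SYSCTL_ROOT}
    rc=0
    for d in "$root"/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default) continue ;; esac
        # An unmatched glob or a directory without the knob is not an
        # interface we can judge; skip it rather than fail.
        [ -r "$d/accept_ra" ] || continue
        val=$(cat "$d/accept_ra")
        if [ "$val" != "0" ]; then
            echo "$iface accept_ra=$val"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage: only run when the sysctl tree exists on this host.
if [ -d "$SYSCTL_ROOT" ]; then
    if ra_audit; then
        echo "accept_ra is 0 on every interface"
    else
        echo "WARNING: the interfaces listed above still accept router advertisements" >&2
    fi
fi
```

On a host where /etc/sysctl.conf was applied after an interface came up, this is the check that reveals the gap the bug report describes: the `all` entry reads 0 while the interface entry still reads 1. Re-running it after a reboot with the settings in a sysctl.d fragment (applied early, and per interface as each one appears, as the systemd documentation quoted above states) should then report no interface.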

