Please implement IPv6 RA mode equivalent to Linux addrconf's accept_ra=1
Hi Roy,
Debian ifupdown integration again. Currently dhcpcd seems to have no equivalent of accept_ra=1 for protecting against applying addressing/routes from RAs on interfaces that are configured to be forwarding IPv6 traffic.
The concern is that on-LAN attackers could cause a router to redirect traffic this way. Thinking through the real-world implications, I find that a LAN attacker could also just perform an ND poisoning attack against the router's IP instead. Nonetheless, it seems a sensible protection to have -- even if only to protect against accidental misconfiguration.
The kernel seems to have done this from the start (accept_ra=1) and then later added accept_ra=2 to loosen the restriction, see https://github.com/torvalds/linux/commit/65e9b62d4503849b10bedfc29bff0473760cc597.
Since ifupdown supports both, I'm concerned about (silently) allowing dhcpcd as an RA/SLAAC backend which doesn't have support for the same protection on systems that are configured or defaulted to use it. See https://manpages.debian.org/trixie/ifupdown/interfaces.5.en.html#accept_ra~3.
Thanks, --Daniel
AFAIK dhcpcd sets this depending on whether the config contains an IPv6 delegation or not.
From what I can see it's always set to zero (https://github.com/NetworkConfiguration/dhcpcd/blob/master/src/if-linux.c#L2300), and there is no other code I could find that seems to look at the state of the forwarding sysctls.
--Daniel
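
Added example, not part of the thread and not dhcpcd or ifupdown code: a shell audit of the kernel semantics discussed above, where accept_ra=1 ignores RAs on forwarding interfaces and accept_ra=2 overrides that. The function names, the `REVIEW` tag and the optional directory argument are assumptions made for the example; it reports only what the kernel's own RA handling would do and does not inspect a userspace RA client.

```shell
#!/bin/sh
# Added example: report the kernel's effective Router Advertisement policy
# per interface from the accept_ra and forwarding sysctls.
# accept_ra semantics (Linux ip-sysctl documentation):
#   0 = never accept RAs
#   1 = accept RAs only while forwarding is disabled
#   2 = accept RAs even when forwarding is enabled

# ra_verdict ACCEPT_RA FORWARDING -> prints accept | ignore | unknown
ra_verdict() {
    case "$1" in
        0) echo ignore ;;
        1) if [ "$2" = 0 ]; then echo accept; else echo ignore; fi ;;
        2) echo accept ;;
        *) echo unknown ;;
    esac
}

# audit_ra [CONF_DIR] -> one line per entry (including "all" and "default"):
#   <iface> accept_ra=<n> forwarding=<n> kernel=<verdict>[ note]
# CONF_DIR defaults to the live sysctl tree; the parameter is hypothetical
# and exists so the function can be pointed at a constructed directory.
audit_ra() {
    conf_dir="${1:-/proc/sys/net/ipv6/conf}"
    for d in "$conf_dir"/*/; do
        [ -r "${d}accept_ra" ] && [ -r "${d}forwarding" ] || continue
        iface=$(basename "$d")
        ra=$(cat "${d}accept_ra")
        fwd=$(cat "${d}forwarding")
        verdict=$(ra_verdict "$ra" "$fwd")
        note=""
        # A forwarding interface that still accepts RAs is the case the
        # accept_ra=1 behaviour is meant to prevent, so flag it for review.
        if [ "$fwd" != 0 ] && [ "$verdict" = accept ]; then
            note=" REVIEW:router-accepts-RA"
        fi
        echo "$iface accept_ra=$ra forwarding=$fwd kernel=$verdict$note"
    done
}

# Audit the live system, or the directory given as the first argument.
audit_ra "$@"
```
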