From nobody@FreeBSD.org  Wed Feb  8 21:43:00 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 41456106566B
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  8 Feb 2012 21:43:00 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 2F4BC8FC17
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  8 Feb 2012 21:43:00 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q18Lgx5f003591
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 8 Feb 2012 21:42:59 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q18Lgxf8003583;
	Wed, 8 Feb 2012 21:42:59 GMT
	(envelope-from nobody)
Message-Id: <201202082142.q18Lgxf8003583@red.freebsd.org>
Date: Wed, 8 Feb 2012 21:42:59 GMT
From: Eugen Konkov <kes-kes@yandex.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: interface still accept packets even without IP address
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         164914
>Category:       bin
>Synopsis:       interface still accept packets even without IP address
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-net
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 08 21:50:08 UTC 2012
>Closed-Date:    Sun Feb 19 22:23:43 UTC 2012
>Last-Modified:  Sun Feb 19 22:23:43 UTC 2012
>Originator:     Eugen Konkov
>Release:        9.0-CURRENT
>Organization:
ISP FreeLine
>Environment:
# uname -a
FreeBSD  9.0-CURRENT FreeBSD 9.0-CURRENT #4: Fri Jun 10 01:30:12 UTC 2011     @:/usr/obj/usr/src/sys/PAE_KES  i386

>Description:
SERVER2

# ifconfig vlan70
vlan70: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 00:30:67:9d:8f:26
        inet6 fe80::230:67ff:fe9d:8f26%vlan70 prefixlen 64 scopeid 0xa
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 70 parent interface: re0
# ifconfig vlan408
vlan408: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 00:30:67:9d:8f:26
        inet 10.11.19.53 netmask 0xfffffff8 broadcast 10.11.19.55
        inet6 fe80::230:67ff:fe9d:8f26%vlan408 prefixlen 64 scopeid 0x22
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 408 parent interface: re0
# tcpdump -n -i vlan70
tcpdump: WARNING: vlan70: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan70, link-type EN10MB (Ethernet), capture size 65535 bytes
23:29:17.882594 IP 10.7.18.90 > 10.11.19.54: GREv1, call 52218, seq 1416932, ack 2420899, length 60: IP 192.168.24.17.50762 > 88.81.253.182.80: Flags [.], ack 3084092892, win 16544, length 0
23:29:18.358144 CDPv1, ttl: 120s, Device-ID 'unknown', length 74
23:29:18.532881 IP 10.7.18.90 > 10.11.19.54: GREv1, call 52218, seq 1416933, ack 2420910, length 60: IP 192.168.24.17.50762 > 88.81.253.182.80: Flags [.], ack 2761, win 16560, length 0
^C
3 packets captured
14 packets received by filter
0 packets dropped by kernel
# tcpdump -n -i vlan408
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan408, link-type EN10MB (Ethernet), capture size 65535 bytes
23:32:18.587860 IP 10.11.19.53.22 > 10.10.1.40.2897: Flags [P.], seq 2116288012:2116288208, ack 3239226069, win 65535, length 196
23:32:18.588346 IP 10.10.1.40.2897 > 10.11.19.53.22: Flags [.], ack 196, win 65219, length 0
23:32:18.613808 IP 10.7.18.90 > 10.11.19.54: GREv1, call 52218, seq 1426479, ack 2439179, length 60: IP 192.168.24.17.50836 > 38.113.165.86.443: Flags [F.], seq 659475120, ack 3124981189, win 16559, length 0
23:32:18.771754 IP 10.7.18.90 > 10.11.19.54: GREv1, call 52218, seq 1426480, ack 2439181, length 60: IP 192.168.24.17.50836 > 38.113.165.86.443: Flags [.], ack 2, win 16559, length 0
23:32:18.780879 ARP, Request who-has 10.11.19.51 tell 10.11.19.52, length 42
23:32:18.894536 IP 10.7.18.90 > 10.11.19.54: GREv1, call 52218, seq 1426481, ack 2439188, length 60: IP 192.168.24.17.50824 > 88.81.253.184.80: Flags [.], ack 1476863292, win 16560, length 0
23:32:18.898075 IP 10.7.18.90 > 10.11.19.54: GREv1, call 52218, seq 1426482, length 56: IP 192.168.24.17.50824 > 88.81.253.184.80: Flags [.], ack 2761, win 16560, length 0
23:32:18.919120 IP 10.7.18.90 > 10.11.19.54: GREv1, call 52218, seq 1426484, ack 2439192, length 60: IP 192.168.24.17.50824 > 88.81.253.184.80: Flags [.], ack 8281, win 16560, length 0
23:32:18.939557 IP 10.7.18.90 > 10.11.19.54: GREv1, call 52218, seq 1426486, ack 2439196, length 60: IP 192.168.24.17.50824 > 88.81.253.184.80: Flags [.], ack 13801, win 16560, length 0
23:32:18.940032 IP 10.7.18.90 > 10.11.19.54: GREv1, call 52218, seq 1426487, length 56: IP 192.168.24.17.50824 > 88.81.253.184.80: Flags [.], ack 16561, win 16560, length 0
23:32:18.961147 IP 10.7.18.90 > 10.11.19.54: GREv1, call 52218, seq 1426488, ack 2439200, length 60: IP 192.168.24.17.50824 > 88.81.253.184.80: Flags [.], ack 19321, win 16560, length 0
23:32:18.978187 IP 10.7.18.90 > 10.11.19.54: GREv1, call 52218, seq 1426490, ack 2439201, length 60: IP 192.168.24.17.50824 > 88.81.253.184.80: Flags [.], ack 24841, win 16560, length 0


>How-To-Repeat:
..............CLIENT
.........vlan70:10.7.18.90
........../...............\
SERVER1....................SERVER2
vlan70:10.7.18.2          vlan70:10.7.18.1
vlan408:10.7.19.54<-->vlan408:10.7.19.53

If I move IP 10.7.18.1 from SERVER2:vlan70 to SERVER1:vlan70

..............CLIENT
.........vlan70:10.7.18.90
........../...............\
SERVER1....................SERVER2
vlan70:10.7.18.2          vlan70:NOIP_HERE_NOW
vlan70:10.7.18.1
vlan408:10.7.19.54<-->vlan408:10.7.19.53

Traffic still flows through SERVER2

This is very interesting feature or maybe a bug? which touch security
issues:

some host on LAN can send packets to MAC address of FreeBSD server, now
server accept packets even if frame is not in its subnet and pass them
further %-)
>Fix:


>Release-Note:
>Audit-Trail:

From: Gleb Smirnoff <glebius@FreeBSD.org>
To: Eugen Konkov <kes-kes@yandex.ru>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/164914: interface still accept packets even without IP
 address
Date: Thu, 9 Feb 2012 15:35:20 +0400

 E> This is very interesting feature or maybe a bug? which touch security
 E> issues:

 E> some host on LAN can send packets to MAC address of FreeBSD server,
 E> now server accept packets even if frame is not in its subnet and pass
 E> them further %-)
 
 This is not a bug, but the way IP and Ethernet works. If a box receives
 a frame that has its linklevel address, then the frame is passes to
 appropriate protocol layer. And if IP protocol receives a packet that
 is destined to some address we don't have, and forwarding is enabled,
 then the packet is forwarded.
 
 -- 
 Totus tuus, Glebius.
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Sun Feb 19 22:22:31 UTC 2012 
State-Changed-Why:  
Apparently this is by design. 


Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Feb 19 22:22:31 UTC 2012 
Responsible-Changed-Why:  

http://www.freebsd.org/cgi/query-pr.cgi?pr=164914 
>Unformatted:
