Fixed
Created: Jan 16, 2017
Updated: Dec 3, 2018
Resolved Date: Mar 19, 2017
Found In Version: 6.0.0.23
Fix Version: 6.0.0.33
Severity: Standard
Applicable for: Wind River Linux 6
Component/s: Kernel, Networking
The purpose of this test is to verify that a host maintains at least two routers in its Default Router List and will switch routers when the router in use fails. Also, verify that a node properly processes the Current Hop Limit field of a Router Advertisement.
IPv6 is not in compliance with the latest IPv6 Ready Phase 2 Conformance spec, as tested by the latest Tahi conformance test on a sawgrass device.
Under Section 2: RFC 4861 - Neighbor Discovery for IPv6 (nd.p2), the following failures were found:
a) Under Test v6LC.2.2.11: Default Router Switch (Hosts Only): Default Router Switch.
b) Under Test v6LC.2.2.13: Router Advertisement Processing, Cur Hop Limit: Part B - Non-Zero
There is a conflict between the interpretation of RFC4861 section 3 (dated September 2007), RFC3756 section 4.2.7 (dated May 2004) and the IPv6 compliance test.
RFC4861: Neighbor Discovery for IP version 6 (IPv6)
"Router Advertisement messages also contain Internet parameters such
as the hop limit that hosts should use in outgoing packets and,
optionally, link parameters such as the link MTU. This facilitates
centralized administration of critical parameters that can be set on
routers and automatically propagated to all attached hosts."
RFC3756: IPv6 Neighbor Discovery (ND) Trust Models and Threats
"The attacker includes a Current Hop Limit of one or another small
number which the attacker knows will cause legitimate packets to
be dropped before they reach their destination."
The IPv6 compliance test uses a value of 15 as the current hop limit and expects the host to reply with a hop limit of 15 to satisfy RFC4861. RFC3756 is vague as to what "another small number" means. The Linux code uses a default hop limit of 64. The IPv6 code implemented in wrlinux-6 will not set the hop_limit lower than the configured (default) hop_limit, in order to satisfy the RFC3756 requirements. Therefore the test will not pass.
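The conflict described above, as an added example that is not the wrlinux-6 ndisc.c code: a simplified model that reads Cur Hop Limit from a constructed Router Advertisement and applies both policies. The function names are hypothetical, and accepting values above the configured limit is an assumption; the record only states that lower values are refused.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ND_ROUTER_ADVERT  134  /* ICMPv6 type of a Router Advertisement */
#define RA_FIXED_LEN      16   /* fixed RA header, before any options */
#define DEFAULT_HOP_LIMIT 64   /* Linux default named in this record */

/* Return the Cur Hop Limit field of an RA, or -1 if the buffer is not an RA. */
int ra_cur_hop_limit(const uint8_t *msg, size_t len)
{
    if (msg == NULL || len < RA_FIXED_LEN)
        return -1;
    if (msg[0] != ND_ROUTER_ADVERT || msg[1] != 0)
        return -1;
    return msg[4];             /* byte 4: Cur Hop Limit, 0 = unspecified */
}

/* What the conformance test expects: adopt any non-zero advertised value. */
int hop_limit_rfc4861(int current, int advertised)
{
    return advertised > 0 ? advertised : current;
}

/* Policy described in this record: never drop below the configured value.
 * Accepting larger values is an assumption of this model. */
int hop_limit_raise_only(int current, int advertised)
{
    return advertised > current ? advertised : current;
}

/* Constructed sample RA (checksum left as zero): Cur Hop Limit 15,
 * router lifetime 1800 s, reachable time and retrans timer unspecified. */
static const uint8_t sample_ra[RA_FIXED_LEN] = {
    134, 0, 0x00, 0x00, 15, 0x00, 0x07, 0x08,
    0, 0, 0, 0, 0, 0, 0, 0
};

int main(void)
{
    int adv = ra_cur_hop_limit(sample_ra, sizeof sample_ra);
    printf("advertised=%d rfc4861=%d raise_only=%d\n", adv,
           hop_limit_rfc4861(DEFAULT_HOP_LIMIT, adv),
           hop_limit_raise_only(DEFAULT_HOP_LIMIT, adv));
    return 0;
}
```

With the test's value of 15, the first policy yields 15 and the second stays at 64, which is the mismatch the test reports.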
The test suite needs to be run for that:
http://www.tahi.org/ume/results/Self_Test_4-0-3/freebsd71.host/nd.p2/report.html
But rather than that, a code analysis is enough. See the RFC description, the TAHI test description and the wrlinux- IPv6 code: ndisc.c.