NetworkManager IPv6 DAD lifetime behavior introduce security risk

Hi David,

Thanks for reporting this and helping to make open source software more secure.

What is the "IPv6 certification test"? Can we get access to it or at least the "two DAD test cases (3.2.5c and d)"

What version of Ubuntu/network-manager have been tested? If not tested please test the development release as well and it's n-m of 1.12.4-1ubuntu1.

Does this issue need to be kept private or is it a generally known issue?

Have you reported it to other Linux distros or network-manager upstream (https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues) ?

Thanks!
Bryan

Hi Bryan,

Here is the information for those 2 cases:

v6LC_3_2_4_C - Prefix Lifetime less than the Remaining Lifetime and the Remaining Lifetime is less than 2 hours
http://fnet.sourceforge.net/ip6_tests/Self_Test_5-0-0/addr.p2/v6LC_3_2_4_C.html

RA_gt2lt2 - Prefix Lifetime less than 2 hours and the Remaining Lifetime is greater than 2 hours
http://fnet.sourceforge.net/ip6_tests/Self_Test_5-0-0/addr.p2/RA_gt2lt2.html

I think I chose private by mistake, and I have changed it to public.
I haven't reported it to other Linux distro or network-manager upstream. If doing so can get more visibility, I will do it.

Thanks and Regards,
-David

Spoke to upstream. They will look in to this and get it fixed. I've asked David to log it upstream and we can link to that here.

We should look at backport the fixes and SRUing to Bionic.

Upstream issue reported:

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/57

Thanks for looking into it.

Upstream fix: https://github.com/NetworkManager/NetworkManager/pull/228

This will be ported to all supported releases soon, so we should be able to pick that up easily enough.

Investigation found that DAD timeout for IPv6 seems to be not implemented for network manager [1]. And only support up to IPv4. It looks like a limitation but couldn't find any writing confirmation for this limitation.

[1] https://developer.gnome.org/NetworkManager/stable/settings-ipv6.html

Thank you Will!
We are running Ubuntu 16.04 with network-manager version 1.2.6, that will be fixed too?

It should be yes, but I'd like to look at the changes needed before going any further. Looking at the diff, it doesnt look too bad for the current version on n-m. With some luck it will be backported by upstream, if not we'll take a look.

Release of Cosmic is next week, so I dont think this will get any traction until that's out the door, but then we will get on the case.

The issue was fixed in 1.12.6 which has been uploaded to disco, https://launchpad.net/ubuntu/+source/network-manager/1.12.6-0ubuntu1

This is fixed in Disco; I opened Bionic and Cosmic tasks since the bug needs to be open in some way for it to be tracked.

The bionic fix is included in the upstream 1.10.14 release:
https://launchpad.net/ubuntu/+source/network-manager/1.10.14-0ubuntu1

1.12.6 has the fix for cosmic.

SRUing the newer version failed since it changed behaviour in some configuration which created issue for existing users.

There isn't anyone currently working on resolving those issues so it's more realistic to untarget from Bionic.

If the problem really needs to be resolved in that serie best to go through the rls-bb-incoming nomination process again.