ipv6: drop fragmented ndisc packets by default (RFC 6980)

This patch implements RFC6980: Drop fragmented ndisc packets by default. If a fragmented ndisc packet is received the user is informed that it is possible to disable the check. Cc: Fernando Gont <fernando@gont.com.ar> Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Hannes Frederic Sowa <hannes@stressinduktion.org> 2013-08-26 19:36:51 -0400
committer: David S. Miller <davem@davemloft.net> 2013-08-29 15:32:08 -0400
commit: b800c3b966bcf004bd8592293a49ed5cb7ea67a9 (patch)
tree: e10eef87a5dc18bc16745adde12dae6ff104240b /Documentation/networking
parent: a3a975b1dfe999f3e5d38d38f2387894c4332d96 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index debfe857d8f9..a2be556032c9 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1349,6 +1349,12 @@ mldv2_unsolicited_report_interval - INTEGER
        MLDv2 report retransmit will take place.
        Default: 1000 (1 second)
+suppress_frag_ndisc - INTEGER
+        Control RFC 6980 (Security Implications of IPv6 Fragmentation
+        with IPv6 Neighbor Discovery) behavior:
+        1 - (default) discard fragmented neighbor discovery packets
+        0 - allow fragmented neighbor discovery packets
 icmp/*:
 ratelimit - INTEGER
        Limit the maximal rates for sending ICMPv6 packets.
author	Hannes Frederic Sowa <hannes@stressinduktion.org>	2013-08-26 19:36:51 -0400
committer	David S. Miller <davem@davemloft.net>	2013-08-29 15:32:08 -0400
commit	b800c3b966bcf004bd8592293a49ed5cb7ea67a9 (patch)
tree	e10eef87a5dc18bc16745adde12dae6ff104240b /Documentation/networking
parent	a3a975b1dfe999f3e5d38d38f2387894c4332d96 (diff)