lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 09 Jul 2007 21:27:35 -0400
From:	Vlad Yasevich <vladislav.yasevich@...com>
To:	David Miller <davem@...emloft.net>
Cc:	yoshfuji@...ux-ipv6.org, pekkas@...core.fi, netdev@...r.kernel.org
Subject: Re: [PATCH 1/3] [IPV6]: Restore semantics of Routing Header processing.

David Miller wrote:
> From: Vlad Yasevich <vladislav.yasevich@...com>
> Date: Mon, 18 Jun 2007 14:16:29 -0400
> 
>> YOSHIFUJI Hideaki / ������������ wrote:
>>>  					 IPSTATS_MIB_INHDRERRORS);
>>> @@ -465,6 +440,8 @@ looped_back:
>>>  		break;
>>>  #ifdef CONFIG_IPV6_MIP6
>>>  	case IPV6_SRCRT_TYPE_2:
>>> +		if (accept_source_route < 0)
>>> +			goto unknown_rh;
>>>  		/* Silently discard invalid RTH type 2 */
>>>  		if (hdr->hdrlen != 2 || hdr->segments_left != 1) {
>>>  			IP6_INC_STATS_BH(ip6_dst_idev(skb->dst),
>> Do we really want to do this.  The IPv6 working group is bending over backwards
>> in it's attempt to _not_ break MIPv6 while deprecating RH0.  The ability to "break"
>> MIPv6 by disable RH2 without disabling the rest of MIP seems a "bad thing" to me.
> 
> He's just preserving the intended logic of the sysctl, which by
> default does allow RT2 and thus keeps MIPV6 working, so I see no
> reason to be alarmed by this part of the patch.
> 

Yes, but the addition of the sysctl was an overreaction.  Type 2
routing header was never a threat and the capability to disable it
is equivalent to capability of disabling Destionation Option Header
or any other extension IPv6 extension header.

Additionally, the following text is not going through the working
group:

4.2. Firewall Policy


   Blocking all IPv6 packets which carry Routing Headers (rather than
   specifically blocking type 0, and permitting other types) has very
   serious implications for the future development of IPv6.  If even a
   small percentage of deployed firewalls block other types of routing
   headers by default, it will become impossible in practice to extend
   IPv6 routing headers.  For example, Mobile IPv6 [RFC3775] relies upon
   a type-2 RH; wide-scale, indescriminate blocking of Routing Headers
   will make Mobile IPv6 undeployable.

   Firewall policy intended to protect against packets containing RH0
   MUST NOT simply filter all traffic with a routing header; it must be
   possible to disable forwarding of type 0 traffic without blocking
   other types of routing headers.  In addition, the default
   configuration MUST permit forwarding of traffic using a RH other than
   0.

I know that they are applying to this to firewalls, but what we are
doing is providing a really simple nob, not even a firewall rule, that
can just disable RH type 2.

Just seems wrong to me.

-vlad
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ