Date: Wed, 11 Jul 2007 06:20:29 -0700
From: David Stevens <dlstevens@...ibm.com>
To: Rémi Denis-Courmont <rdenis@...phalempin.com>
Cc: davem@...emloft.net, netdev@...r.kernel.org, netdev-owner@...r.kernel.org, YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@...ux-ipv6.org>
Subject: Re: [PATCH] IPv6: optionaly validate RAs on raw sockets

I think #2 in your list is the right choice, and that has nothing to do with adding a non-standard option (which I completely agree is a bad idea).

It looked like you're just checking if the machine is acting as a router or not and if it comes from a link-local address; is that right? Of course, lots of apps already check for "am I a router" and they don't require a new socket option. (!) See everything in the quagga package, for example. And checking the address type in an app is trivial.

The previous discussion about "validation" was talking about RA's that are forged, so don't pass IPsec authentication checks. I don't see any reason at all to deliver those to an application (ever), so no non-standard socket option required there. I don't know if those are currently delivered on raw sockets or not, but if they are, I think it's reasonable to have a patch that clones them only after authentication rather than before.

Prior discussion used FUD about some monitoring apps needing to see forged RA's. I don't think there really are apps that need to see forged RA's, but if they really want everything, they should use bpf or the like, just as they would need to do to receive, for example, packets with invalid checksums.

+-DLS
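Added example, not part of the original message or of the patch under discussion: a user-space check of the kind the message describes, applied to a Router Advertisement read from an ICMPv6 raw socket. It goes slightly beyond the link-local source test mentioned above by also checking the message length, type, code and the hop limit of 255 required by RFC 4861; the function names, the enum and the sample bytes are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/icmp6.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ra_verdict { RA_OK, RA_BAD_ADDR, RA_TOO_SHORT, RA_NOT_RA, RA_BAD_CODE,
                  RA_NOT_LINKLOCAL, RA_BAD_HOPLIMIT };

/* Constructed sample: type 134 (RA), code 0, checksum left zero (not examined
 * here), cur hop limit 64, flags 0, router lifetime 1800 s, timers 0. */
static const uint8_t SAMPLE_RA[16] = { 134, 0, 0, 0, 64, 0, 0x07, 0x08 };

/* Hypothetical helper: sanity-check one message read from an ICMPv6 raw socket.
 * src is the sender address from recvmsg(); hop_limit is assumed to come from
 * IPV6_HOPLIMIT ancillary data (enabled with IPV6_RECVHOPLIMIT). */
enum ra_verdict ra_check(const struct in6_addr *src, int hop_limit,
                         const uint8_t *icmp, size_t len)
{
    if (len < sizeof(struct nd_router_advert))
        return RA_TOO_SHORT;            /* fixed RA header is 16 octets */
    if (icmp[0] != ND_ROUTER_ADVERT)
        return RA_NOT_RA;
    if (icmp[1] != 0)
        return RA_BAD_CODE;
    if (!IN6_IS_ADDR_LINKLOCAL(src))
        return RA_NOT_LINKLOCAL;        /* routers send RAs from fe80::/10 */
    if (hop_limit != 255)
        return RA_BAD_HOPLIMIT;         /* anything else crossed a router */
    return RA_OK;
}

/* Convenience wrapper taking the source address as text. */
enum ra_verdict ra_check_text(const char *src_text, int hop_limit,
                              const uint8_t *icmp, size_t len)
{
    struct in6_addr src;
    if (inet_pton(AF_INET6, src_text, &src) != 1)
        return RA_BAD_ADDR;
    return ra_check(&src, hop_limit, icmp, len);
}

int main(void)
{
    printf("fe80::1 hlim 255: %d\n", ra_check_text("fe80::1", 255, SAMPLE_RA, sizeof SAMPLE_RA));
    printf("2001:db8::1 hlim 255: %d\n", ra_check_text("2001:db8::1", 255, SAMPLE_RA, sizeof SAMPLE_RA));
    return 0;
}
```

These checks say nothing about IPsec authentication, which is the separate "forged RA" case the message discusses.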