| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 3 Mar 2008 11:19:40 +0100 From: Remi Denis-Courmont <rdenis@...phalempin.com> To: Juha-Matti Tapio <jmtapio@...kkotelakka.net> Cc: yoshfuji@...ux-ipv6.org, netdev@...r.kernel.org Subject: Re: [PATCH 2/2] [IPV6]: Fix source address selection for ORCHIDaddresses On Sun, 2 Mar 2008 23:59:54 +0200, Juha-Matti Tapio <jmtapio@...kkotelakka.net> wrote: >> Then, what you should do is to appropriately configure your policy >> (label) table via the addrlabel subsystem. > > That would propably mean doing something like merging labels 1 (::/0), > 2 (6to4) and 6 (Teredo) together? I suppose that could be possible, > since after all there is also the workaround of just getting separate > 6to4 addresses for all the necessary interfaces. Please do NOT do this. 6to4 and Teredo have separate labels for a reason: 6to4-to-6to4 is reliable, and Teredo-to-Teredo is fairly OK. 6to4-to-native often fails, and Teredo-to-native very often fails due to missing, congested or even mis-configured relays between the native IPv6 bone, and these two transition mechanism. These labels are there to try to force native-native, 6to4-6to4, IPv4-IPv4, Teredo-Teredo (in that priority order) before trying mismatching pairs (native/6to4, native/Teredo, 6to4/Teredo). The Linux kernel currently has this settings basically _right_. Unfortunately, glibc has the settings _wrong_ (IMHO): while it has the same labels has the kernel, the way glibc does private IPv4 addresses scoping breaks at Rule 2, which bypasses the IPv6 transition mechanism labels at Rule 5. And will also break the ORCHID label when it is added :( That's a different story, but you may want to make that is not where you problems are coming from. > Moving the check to rule 0 would be ok by me. I personally prefer this > option. Configuring the labels manually requires quite a lot of > knowledge about addresses from the admin. And worst, glibc does not sync its label table with the kernel, so you have do replicate the settings. -- RĂ©mi Denis-Courmont http://www.remlab.net -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists