lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 26 Feb 2009 13:38:52 -0500
From:	Vlad Yasevich <vladislav.yasevich@...com>
To:	Jay Vosburgh <fubar@...ibm.com>
CC:	Brian Haley <brian.haley@...com>,
	David Miller <davem@...emloft.net>, arvidjaar@...l.ru,
	chuck.lever@...cle.com, tytso@....edu, Valdis.Kletnieks@...edu,
	rjw@...k.pl, netdev@...r.kernel.org,
	bonding-devel@...ts.sourceforge.net, jamagallon@....com,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] bonding: move IPv6 support into a separate kernel
 module

Jay Vosburgh wrote:
> Brian Haley <brian.haley@...com> wrote:
> 
>> David Miller wrote:
>>> From: Jay Vosburgh <fubar@...ibm.com>
>>> Date: Wed, 25 Feb 2009 14:10:58 -0800
>>>
>>>> 	I've been fooling with the disable_ipv6 sysctl, and one issue is
>>>> that, at least on the distro I'm testing on (SLES), it's not picked up
>>>> from /etc/sysctl.conf at boot time (presumably because ipv6 isn't loaded
>>>> yet, although I haven't really checked).
>>> Correct, that's the problem.
>>>
>>> We could create a blocker bitmap.  Two sysctls, "block_af" and
>>> "unblock_af".  You write the AF_foo value for the protocol there and
>>> it sets or clears the assosciated bit in the internal blocker bitmap.
>>>
>>> Things like sys_socket() et al. key off of this.
>> I'm open to suggestions at this point in time, I just don't see how this
>> will solve the bonding problem since it still wouldn't load, right?
> 
> 	It would permit users to load ipv6 (thus allowing bonding to
> load), but prevent ipv6 from actually doing anything.  (because
> sys_socket, e.g., won't open an ipv6 socket if block_af includes ipv6).
> 
> 	Actually, __sock_create might be the better place to put the
> hook for "create a socket"; there would probably need to be a check
> within the protocol code as well, so that, e.g., ipv6 addrconf won't run
> if AF_INET6 is disabled.

But addrconf_init doesn't care about AF_INET6 sockets...

Additionally, why is it absolutely necessary to block AF_INET6 sockets.
I never understood that requirement?

I can see people blocking IPv6 from loading because the module automatically
configures IPv6 addresses and thus opens another communication channel that
may not be monitored/controlled.  AF_INET6 sockets, on the other hand, are
simply relegated to IPv4 protocol, when there are no IPv6 addresses.

> 
>> Dave - do you feel I need to fix this regression?  If not I can try to
>> work on this AF blocker thing.  My only other thought if we want to fix
>> this is to have the IPv6 module register these five functions into an ops
>> structure that bonding can call.  It doesn't fix SCTP, qeth, etc, but it
>> gets these "blacklist ipv6" configs working again, and gets me out of the
>> crosshairs :)
> 
> 	I think the problem (customers want to disable ipv6 and use
> bonding, sctp, qeth, whatever) needs to be fixed.  If it's not, I'm sure
> I'll be getting lots of cards and letters from customers.
> 
> 	I don't think the solution needs to preserve the current
> solution (preventing the ipv6 module from loading).  Ipv6 being unusable
> should be sufficient.  Except perhaps in an embedded environment, but
> they're probably in a position to compile their kernel without ipv6.

Yes.  The system must not be reachable using IPv6.

> 
> 	Another possible resolution is to modify the initscripts in the
> distros to perform sysctl -p (read sysctls from /etc/sysctl.conf) after
> ipv6 is loaded, so that the disable_ipv6 sysctl can be set.  That seems
> like more work, and is limited to ipv6, so I don't see it as being
> better than a "kernel shut off AF_xxx" type of solution.

This not enough.  You need to disable parts of IPv6 at module initiation
time and the only way to do that is with a parameter.  Otherwise, you will
have a small window of time when the system has ipv6 configured and is potentially
vulnerable.

We can have our own sysfs parameter calls that can turn the functionality
back on to get back to a fully functional ipv6 implementation.

-vlad

> 
> 	-J
> 
> ---
> 	-Jay Vosburgh, IBM Linux Technology Center, fubar@...ibm.com
> 

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ