lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 1 Jul 2009 12:00:26 +0300 From: Denys Fedoryschenko <denys@...p.net.lb> To: "Eric W. Biederman" <ebiederm@...ssion.com> Cc: netdev@...r.kernel.org, David Miller <davem@...emloft.net> Subject: Re: [RFC] arp announce, arp_proxy and windows ip conflict verification On Wednesday 01 July 2009 09:58:36 Eric W. Biederman wrote: > > What problem were you originally trying to solve? > > Having a proxy arp gateway reply to addresses it routes is proper > behaviour. > > There are some aspects of RFC 5227 ipv4 address conflict detection that > we could implement in a better fashion. In particular the entirety > of handling the pathological case of someone using one of our ip > addresses in an arp message and replying to them to defend ourselves. > > Your changes seem aimed at having the linux kernel not reply to > gratuitous arps, when according to our configuration the sender is > misconfigured. You seem to want linux not to defend itself in cases > where it should. Making us even less compliant with RFC 5227. > > Eric It is still answering to gratuitous arp and handling the case!!! But why patch was created, to NOT reply in case we have proxy_arp set, and we have default gateway. In this case, for example, Windows XP wont work at all in network where is Linux host with proxy_arp=1 installed. Because Linux will ALWAYS answer to arp requests. Just only one case i miss (which is not defined in RFC by the way), that some software use this packet to update ARP tables on other hosts. And i sent patches for that. But imho they should use more legitimate ARP packets for that. I did real testing even for my patch, and sure i sent patch only after that. ip addr ..... 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:1e:8c:89:78:af brd ff:ff:ff:ff:ff:ff inet 10.0.1.21/29 brd 10.0.1.23 scope global eth0 I run windows vista (it sets correctly sip as 0.0.0.0) home ipv4 # tcpdump -ni eth0 11:48:11.416790 ARP, Request who-has 10.0.1.21 tell 0.0.0.0, length 46 11:48:11.416797 ARP, Reply 10.0.1.21 is-at 00:1e:8c:89:78:af, length 28 2.6.30 vanilla (sure patch is there) handling case correctly. The case i was trying to handle - proxy arp. Windows XP will be permanently disabled on reboot in case of proxy_arp enabled on Linux machine, and this Linux have default gateway (means answer to all proxy_arp). This is XP (no conflict) 11:51:28.297633 ARP, Request who-has 10.0.0.5 tell 10.0.0.5, length 46 11:51:29.283672 ARP, Request who-has 10.0.0.5 tell 10.0.0.5, length 46 11:51:30.284210 ARP, Request who-has 10.0.0.5 tell 10.0.0.5, length 46 This is Linux 2.6.30 with patch applied, and Windows XP, handling correctly IP conflict. 11:53:10.440541 ARP, Request who-has 10.0.0.1 tell 10.0.0.1, length 46 11:53:10.440551 ARP, Reply 10.0.0.1 is-at b6:45:02:01:2b:b6, length 28 11:53:10.440796 ARP, Request who-has 10.0.0.1 tell 10.0.0.1, length 46 11:53:10.440799 ARP, Reply 10.0.0.1 is-at b6:45:02:01:2b:b6, length 28 11:53:10.466743 ARP, Request who-has 10.0.0.1 tell 10.0.0.1, length 46 11:53:10.466752 ARP, Reply 10.0.0.1 is-at b6:45:02:01:2b:b6, length 28 11:53:10.466976 ARP, Request who-has 10.0.0.1 tell 10.0.0.1, length 46 11:53:10.466979 ARP, Reply 10.0.0.1 is-at b6:45:02:01:2b:b6, length 28 So WITH patch ip conflict detection working. And for sure it will work: <------>if (sip == 0 || tip == sip) { // Yes, sip == tip <------><------>if (arp->ar_op == htons(ARPOP_REQUEST) && // Yes it is request <------><------> inet_addr_type(net, tip) == RTN_LOCAL && // Yes this ip i have on my own host <------><------> !arp_ignore(in_dev, sip, tip)) // No i won't ignore this <------><------><------>arp_send(ARPOP_REPLY, ETH_P_ARP, sip, dev, tip, sha, <------><------><------><------> dev->dev_addr, sha); // Send the host who sent gratuitous ip - that i am using it already. <------><------>goto out; <------>} -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists