lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 27 Jun 2013 13:49:59 +0000 (UTC) From: Roman Mamedov <rm@...anrm.ru> To: netdev@...r.kernel.org Subject: Re: [PATCH RESEND] ipv6: add anti-spoofing checks for 6to4 and 6rd Hannes Frederic Sowa <hannes <at> stressinduktion.org> writes: > > This patch adds anti-spoofing checks in sit.c as specified in RFC3964 > section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the > checks which could easily be implemented with netfilter. > > Specifically this patch adds following logic (based loosely on the > pseudocode in RFC3964 section 5.2): > > if prefix (inner_src_v6) == rd6_prefix (2002::/16 is the default) > and outer_src_v4 != embedded_ipv4 (inner_src_v6) > drop > if prefix (inner_dst_v6) == rd6_prefix (or 2002::/16 is the default) > and outer_dst_v4 != embedded_ipv4 (inner_dst_v6) > drop > accept > > To accomplish the specified security checks proposed by above RFCs, > it is still necessary to employ uRPF filters with netfilter. These new > checks only kick in if the employed addresses are within the 2002::/16 or > another range specified by the 6rd-prefix (which defaults to 2002::/16). Hello, This broke access to all 6to4 destinations from any unrelated sit tunnels. For example users of tunnelbroker.net IPv6 tunnel service (2001:470::/32) can no longer communicate with anyone using 6to4 anywhere on the internet. In general, any host, routing to/from which happens to traverse a sit tunnel (using native IPv6 ranges), can no longer successfully send packets to a 6to4 destination. Thanks -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists