| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Sep 2013 21:26:08 +0300 From: Andy Johnson <johnsonzjo@...il.com> To: Loganaden Velvindron <loganaden@...il.com>, Andy Johnson <johnsonzjo@...il.com>, netdev <netdev@...r.kernel.org> Subject: Re: ICMP rate limiting in IPv4 but not in IPv6 Hello, My question was out of pure interest and not because of any practical need. However, preparing a patch for supporting rate limiting for ICMPv6 is easy and I am ready to do it. I want to know before, what other people think about it - is it needed ? regards, Andy On Fri, Sep 13, 2013 at 9:17 PM, Hannes Frederic Sowa <hannes@...essinduktion.org> wrote: > On Fri, Sep 13, 2013 at 09:26:11PM +0400, Loganaden Velvindron wrote: >> On Fri, Sep 13, 2013 at 8:44 PM, Hannes Frederic Sowa >> <hannes@...essinduktion.org> wrote: >> > On Fri, Sep 13, 2013 at 06:57:56PM +0300, Andy Johnson wrote: >> >> Hello, >> >> After probing into the RFC of ICMPv6, I am even more confused. >> >> >> >> RFC 4443 says: >> >> >> >> 2.4. Message Processing Rules >> >> ... >> >> >> >> (f) Finally, in order to limit the bandwidth and forwarding costs >> >> incurred by originating ICMPv6 error messages, an IPv6 node MUST >> >> limit the rate of ICMPv6 error messages it originates. >> >> ... >> >> The rate-limiting parameters SHOULD be configurable. >> >> ... >> >> >> >> Any ideas? >> > >> > Well, nobody has implemented it because nobody missed the feature yet. I >> > don't believe there is another reason for that. If you come up with a >> > patch, I am sure it can go upstream. >> > >> > Do you want to try to come up with a patch? We need to be a bit >> > careful regarding neighbor discovery but otherwise this should be >> > relativ straightforward. In the meantime you could also implement such >> > ratelimiting with netfilter. >> >> Careful ? Can you please elaborate ? > > From my memory I knew we have rate limiting for redirect messages, > so I assuemed the rate limiter would be on the ndisc_send* path. But > ratelimiting ndisc redirects is a special case and only happens in > ndisc_send_redirect. I assuemd we would need to special case > icmpv6_xrlim_allow to always pass ndisc ns/na packets, sorry. > > Maybe we could also switch to icmpv6_xrlim_allow for redirects to make > this configurable? > > Btw. for sending redirects we seem to call inet_peer_xrlim_allow once > in the redirect function but also check it in ip6_forward. Maybe we can > drop the check in ip6_forward? > > Greetings, > > Hannes > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists