Date:	Mon, 11 Nov 2013 08:39:23 +0100
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	Duan Jiong <duanj.fnst@...fujitsu.com>
Cc:	David Miller <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: [PATCH] ipv6: match those routes that have different metirc

On Mon, Nov 11, 2013 at 03:16:24PM +0800, Duan Jiong wrote:
> On 2013-11-11 14:07, Hannes Frederic Sowa wrote:
> > On Mon, Nov 11, 2013 at 11:00:53AM +0800, Duan Jiong wrote:
> >> Now the kernel only matches those routes that have the same
> >> metric, so if those routes are non-reachable, then the packets
> >> can't be sent out.
> >>
> >> But according to the rfc 4191 section 3.2, if the best route
> >> points to a non-reachable route, the next best route should be
> >> consulted. So the kernel should not only match those routes that
> >> have minimum metric, and should also match others.
> > 
> > I am not so keen on changing how metrics get handled. Please note that
> > metrics are a pure linux-centric concept and are not standardized. I bet
> > some people depend on how these work and have the same semantic as IPv4
> > ones because they use the same code in their routing daemon backends.
> > 
> 
> I have a question. If we only match those routes that have the lowest metric, others
> will never be used, so why are the other routes inserted into the router table?

Metrics could get used by software which manages dynamic interfaces, e.g.
vpn/ppp software, to make sure they have priority over the current routing
settings.  If we don't respect metrics there, this could lead to security
problems. (if the interface vanishes, the other route gets active again).

It could also be used by dynamic routing software, e.g. is-is, ospf, bgp and
does reflect the admin's choice where traffic should get routed. Some routing
daemons apply the whole routing table to the fib. If we don't respect metrics
there, they could lose money, because maybe they pay for the traffic.
They really get interesting if you have more than one routing protocol active
at the same time. ;)

Greetings,

  Hannes
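
A simplified model of the concern raised in this reply, added here as an illustration and not part of the original message or of kernel code: it compares strict lowest-metric selection with the proposed fallback to higher-metric routes. The `Route` class, the function names, the interface names, the metrics and the `2001:db8::1` destination are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

@dataclass(frozen=True)
class Route:
    prefix: IPv6Network
    dev: str
    metric: int
    reachable: bool  # next-hop neighbour state (constructed for this model)

def candidates(table, dst):
    """Longest-prefix matches for dst, across all metrics."""
    hits = [r for r in table if dst in r.prefix]
    longest = max((r.prefix.prefixlen for r in hits), default=0)
    return [r for r in hits if r.prefix.prefixlen == longest]

def select_strict(table, dst):
    """Only routes with the minimum metric are considered, as the thread describes."""
    cands = candidates(table, dst)
    best = min((r.metric for r in cands), default=None)
    return next((r for r in cands if r.metric == best and r.reachable), None)

def select_fallback(table, dst):
    """Proposed behaviour: consult the next-best metric if the best is unreachable."""
    ordered = sorted(candidates(table, dst), key=lambda r: r.metric)
    return next((r for r in ordered if r.reachable), None)

def egress(route):
    return route.dev if route else None  # None: nothing is sent

DEFAULT = IPv6Network("::/0")
DST = IPv6Address("2001:db8::1")  # documentation prefix, constructed

# VPN default route preferred by metric; its next hop has stopped answering
# while the interface (and therefore the route) is still present.
VPN_STALLED = [Route(DEFAULT, "tun0", 50, False), Route(DEFAULT, "eth0", 1024, True)]
VPN_HEALTHY = [Route(DEFAULT, "tun0", 50, True), Route(DEFAULT, "eth0", 1024, True)]
VPN_GONE = [r for r in VPN_HEALTHY if r.dev != "tun0"]  # interface vanished

if __name__ == "__main__":
    for name, table in [("healthy", VPN_HEALTHY), ("stalled", VPN_STALLED), ("gone", VPN_GONE)]:
        print(name, egress(select_strict(table, DST)), egress(select_fallback(table, DST)))
```

In the stalled case the strict policy sends nothing, while the fallback policy moves traffic to `eth0`, outside the tunnel.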
