| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 4 Mar 2014 03:02:36 -0500 (EST) From: Jan Stancek <jstancek@...hat.com> To: Linus Lüssing <linus.luessing@....de> Cc: netdev@...r.kernel.org, Florian Westphal <fwestpha@...hat.com>, bridge@...ts.linux-foundation.org Subject: Re: bridge is not forwaring ICMP6 neighbor solicitation to KVM guest ----- Original Message ----- > From: "Linus Lüssing" <linus.luessing@....de> > To: "Jan Stancek" <jstancek@...hat.com> > Cc: netdev@...r.kernel.org, "Florian Westphal" <fwestpha@...hat.com>, bridge@...ts.linux-foundation.org > Sent: Tuesday, 4 March, 2014 1:00:41 AM > Subject: Re: bridge is not forwaring ICMP6 neighbor solicitation to KVM guest > > Hi Jan, > > On Mon, Mar 03, 2014 at 05:45:49PM -0500, Jan Stancek wrote: > > There is also bridge on host B. I assume that doesn't matter > > but I could set up host B without bridge if needed. > > It can matter, but in this case it doesn't :). > > > > What I'm curious about is, whether the guest receives > > > the MLD query and responds with an MLD report. I suspect that > > > either the bridge doesn't get an MLD report and therefore is > > > shutting down the according port or there's a bug in parsing the > > > MLD report in the bridge code. > > > > I'm no expert in this area, but shouldn't neigh. solicit packets > > be forwarded to all ports regardless of any/no MLD reports? > > That's the beauty of IPv6 Neighbor Discovery using these neat > solicited-node multicast addresses :). With IPv4 and ARP > requests there's no other way than flooding. But for IPv6 we know > in advance behind which bridge port someone interested in the > neighbor solicitation message might be (assuming MLD is working, > properly), allowing us to save bandwidth. > > In this case, MLD is not working properly, the main issue is the > following: > > Host B sends broken MLD queries, the source address should be an > IPv6 link-local one, not "100:0:600:0:78fb:100::". MLDv2 mandates > this (see RFC3810, section 5.1.14.: "Source Addresses for > Queries"). > > Though I couldn't find that requirement for MLDv1, Linux ignores > MLDv1 queries with a non-link-local source address, too (see > net/ipv6/mcast.c, igmp6_event_query() ). So Linux never sends an > MLD report in reply to these broken queries. > > > The second "minor" but in this case fatal issue is, that the > bridge code doesn't have this link-local-src check, therefore > kicking the snooping into gear even though it shouldn't because we > don't have a _working_ querier. > > I'm going to make a patch for the bridge code adding this sanity > check. > > > For the broken query, ok, it's your manually crafted query. But > did you see a query with such a bogus source address "in the > wild", too? (I'm curious how urgent this sanity check is) It's real packet I managed to capture during one such occurrence. I'm sending it with small C program over raw socket, but it's byte by byte exact copy of what I captured with tcpdump previously. I'm not sure how that packet came to existence. Based on IPv6 address it came from host B, but all host B was doing at the time was running RHEL6 with couple qemu-kvm instances. KVM guests were set up to use bridge, so I'm assuming if any of them crafted this packet, source IPv6 address would be different. Regards, Jan > > Cheers, Linus > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists