lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Mon, 26 May 2014 00:31:10 +0530
From:	sumanth <sumantk2@...ux.vnet.ibm.com>
To:	netdev@...r.kernel.org
CC:	Srikar Dronamraju <srikar@...ux.vnet.ibm.com>,
	Raghavendra K T <raghavendra.kt@...ux.vnet.ibm.com>
Subject: Re: Some clarification regarding rfc3484 (6724) - Rule 8 Prefer smaller
 scope

On 05/23/2014 06:51 PM, sumanth wrote:
> I had configured my local interface as follows :
> ifconfig eth0 inet6 add fe80::1/64
> ifconfig eth0 inet6 add fec0::1/10
>
> And /etc/hosts contains :
> fe80::2 server.org
> fec0::2 server.org
>
> The above two interfaces in /etc/hosts are not configured. Just to get
> the result from getaddrinfo().
>
> So according to rfc3484 , link-local has lower scope when compared to
> site-local .
> So i think fe80::2 should be returned first and then later fec0::2
>
> In my fedora ( any kernel ), getaddrinfo() is preferring site-local
> first instead of link-local.
>
> So when looking into the getaddrinfo() glibc implementation ,  when two
> or more addresses are available (code flow):
> 1) create a udp datagram socket
> 2) connect to the destination addresses returned from gaih_inet ( not
> sorted yet ). This was done inorder to get the source address from the
> kernel (using ipv6_get_saddr_eval() we get the preferred source for 
> each destination). Actually doesnt need the destination to be reachable .
>  #netstat | grep -i udp
> udp        0      0 fec0::1:34236               server.org:http      
> ESTABLISHED
>
> 3) getsockname to get the source address and store in result combo array.
>
> So __connect() to site-local becomes successfull . But __connect() to
> link-local is not successfull .
>
> Hence rfc3484_sort() in glibc changes the order and prefers site-local
> first .
>
> i.e /* Rule 1: Avoid unusable destinations.
>      We have the got_source_addr flag set if the destination is
> reachable.  */
>   if (a1->got_source_addr && ! a2->got_source_addr)
>
> a1->got_source_addr is false because connect to link-local failed.
>
> So my questions are :
> 1) Can this be a problem somewhere around ip6_datagram_connect() [
> because connect fails ]
> 2) Can this be a problem with the parsing of glibc getaddrinfo ? [
> something like sin6_scope_id being not set properly ]
> 3) Or this is the expected behaviour or am i missing out something ?
I was testing one of the tahi testcase :

  DstSelectRule8.seq - Destination Address Selection
                       Check Rule 8(Prefer smaller scopee)

  Rule 8: Prefer smaller scope.
    If Scope(DA) < Scope(DB), then prefer DA.


The configuration was done as shown above. . So link-local was expected.
But returned value was site-local.

- So while looking into the ip6_datagram_connect(), inorder for the
connect() call  to succeed for link-local address, it requires the
sk_bound_dev_if field of the sk to be set. So this can  be done using
setsockopt( fd, SOL_SOCKET, SO_BINDTODEVICE, device , strlen(device) +
1) from the application side / library. 

- But however __connect in glibc getaddrinfo() fails in case of
link-local ( when there are more than 2 address ) . But  in
getaddrinfo.c,  if we add a patch such that   setsockopt() is done
before __connect() and __getsockname() if it is a LINKLOCAL address,
then link-local address is returned first and then later site-local (
which is expected as per tahi testcase ).  i.e rfc3484_sort() goes into
Rule 8 of destination address selection ( otherwise it returns from
Rule1 as source address of link-local wont be set itself as connect() fails)

- But rfc4472 mentions that  Link-local addresses should never be
published in DNS (whether in
   forward or reverse tree), because they have only local (to the
   connected link) significance.

- So whether rfc4472 means that we shouldnt specify link-local address
in /etc/hosts as well ?
- Or it is expected to return site-local first ?  [ If i do setsockopt()
in glibc before connect() iff link-local address, then link-local is
returned first ]. So if it is expected to return link-local , then it is
a bug...


Any help/suggestions would be good.
>
> Any suggestions ?
>
>
> Thank you,
> Sumanth K

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ