lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 12 Jan 2016 18:57:42 +0300
From:	Stas Sergeev <stsp@...t.ru>
To:	Hannes Frederic Sowa <hannes@...essinduktion.org>
Cc:	netdev <netdev@...r.kernel.org>
Subject: Re: Q: bad routing table cache entries

12.01.2016 18:34, Hannes Frederic Sowa пишет:
> On 29.12.2015 11:54, Stas Sergeev wrote:
>> Hello.
>>
>> I was hitting a strange problem when some internet hosts
>> suddenly stops responding until I reboot. ping to these
>> host gives "Destination Host Unreachable". After the
>> initial confusion, I've finally got to
>> ip route get
>> and got something quite strange.
>>
>>
>> Example for GOOD address (the one that I can ping):
>>
>> ip route get 91.189.89.237
>> 91.189.89.237 via 192.168.8.1 dev eth0  src 192.168.10.202
>>      cache
>>
>>
>> Example for BAD address (the one that stopped responding):
>>
>> ip route get 91.189.89.238
>> 91.189.89.238 via 192.168.0.1 dev eth0  src 192.168.10.202
>>      cache <redirected>
> 
> I tried to understand this thread and now wonder why this redirect route isn't there always. Can you please summarize again why this shouldn't happen? It looks totally fine to me from the
> configuration of your router and the subnet masks.
http://www.spinics.net/lists/netdev/msg358200.html
Sowmini Varadhan explains:
---
According to rfc1812 (pg 82-84)

   Routers MUST NOT generate a Redirect Message unless all the following
   conditions are met:

   o The packet is being forwarded out the same physical interface that
      it was received from,

   o The IP source address in the packet is on the same Logical IP
      (sub)network as the next-hop IP address, and

   o The packet does not contain an IP source route option.

The second condition seems to have been violated by the router.
---

And he also shows the tunable that stops the router from violating this.
Good that linux can be at least tuned to do the right thing. :)

The fewer explained question is why the bad route is ever accepted.
This is what actually looks risky.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ