Date:   Fri, 5 Oct 2018 10:50:24 +0200 (CEST)
From:   Mikael Abrahamsson <swmike@....pp.se>
To:     netdev@...r.kernel.org
Subject: question regarding Linux kernel handling of packets received that have src address of interface address


Hi,

in the context of this IETF draft:

https://tools.ietf.org/html/draft-patterson-intarea-ipoe-health-05

we're looking into being able to do an internet access health check, by 
sending a packet to ourselves via the upstream ISP router, to check if 
everything is still alive.

Deployment scenario is as follows:

<Internet> BNG <-L2-> <WAN-RG-LAN>

For the normal deployment scenario, the WAN address of the RG (residential 
gateway) will have both IPv4 and IPv6 packets.

So let's say in this case that WAN has 100.64.0.2 address and BNG has 
100.64.0.1 address. For IPv6 they have 2001:db8::2 and ::1 respectively, 
and RG has prefix 2001:db8:100::/56 routed to 2001:db8::2.

On the RG we would take the mac address of the BNG by looking at the 
100.64.0.1 ARP entry, look at our own WAN mac address and form a packet:

RG-WAN-MAC > BNG-WAN-MAC IP SRC: 100.64.0.2 IP DST 100.64.0.2

we would then get back a packet (since the SRC passes the BNG 
anti-spoofing rule, it's then just forwarded according to the normal 
forwarding table):

BNG-WAN-MAC > RG-WAN-MAC IP SRC: 100.64.0.2 IP DST 100.64.0.2

So we're sending a packet with our own address as both src and dst, just 
now instead with the mac addresses swapped because it went in via the BNG 
routing engine and was sent back to us. For IPv6, look at 
https://www.ietf.org/mail-archive/web/v6ops/current/msg30041.html

If I make "ncat" listen to UDP port 10000, I can successfully receive 
packets with src not my own interface address, which is fine for the 
DHCPv6-PD case (I have plenty of LAN addresses to choose from), but it 
doesn't work for the IPv6 IA_NA and IPv4 case. I have to use my source 
address to pass the BNG anti-spoofing filters.

So my question is where in the Linux kernel is this check performed that 
disallows incoming packets that have src IP address the same as an 
interface address? Can it be turned off? Is there a way to "hack around 
it", for instance with iptables and re-write the source address of the 
packet before it hits this check (I don't care about the source address 
when the packet is delivered to the application, it can be re-written to 
anything).

rp_filter is turned off in my testing.

Thanks.

-- 
Mikael Abrahamsson    email: swmike@....pp.se
