Open Source and information security mailing list archives
Message-Id: <200706231625.44825@auguste.remlab.net>
Date:	Sat, 23 Jun 2007 16:25:44 +0300
From:	Rémi Denis-Courmont <rdenis@...phalempin.com>
To:	David Stevens <dlstevens@...ibm.com>
Cc:	"C. Scott Ananian" <cscott@...top.org>, netdev@...r.kernel.org
Subject: Re: [RFD] First draft of RDNSS-in-RA support for IPv6 DNS autoconfiguration

	Hello,

On Saturday, 23 June 2007, David Stevens wrote:
>         Why not make the application that writes resolv.conf
> also listen on a raw ICMPv6 socket? I don't believe you'd need
> any kernel changes, then, and it seems pretty simple and
> straightforward.

Unfortunately, ICMPv6 raw sockets will not work quite properly here, 
without modifications. At the moment, such a socket will queue just 
about any Router Advertisement that is received by the host.

Now, assuming the userland daemon did sanity check the message (properly 
formatted, source and destination addresses are sane, etc), it needs to 
know whether the IPv6 kernel stack has "accepted" it or not. It could 
be that the interface the RA was received on had autoconf disabled at 
the time the packet showed up, or it could be that the system is 
currently configured as a router, or it could be that we have a 
SeND-patched kernel and the RA did not pass authentication checks.

And then, what happens if IPv6 networking has been initialized before 
init got the chance to start the daemon, for instance root over 
NFS/IPv6? The RA is lost.

Similarly, the daemon has no way to know when information gathered from 
an RA becomes invalid. Of course, it can duplicate the lifetime timers 
in userland, but only the kernel knows if the link has been reset to 
off and on earlier than lifetime expiration.


Whether parsing RDNSS-in-RA belongs in the kernel is irrelevant to me, as 
the kernel does not provide any interface for userland to do it 
properly at the moment.

-- 
Rémi Denis-Courmont
http://www.remlab.net/
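The mail assumes a userland daemon that sanity-checks each Router Advertisement ("properly formatted, source and destination addresses are sane") and then "duplicates the lifetime timers in userland". The following is an added example of what that daemon-side work looks like; it is not code from this thread or from the Linux kernel. It applies the RA validity rules of RFC 4861 section 6.1.2, parses the RDNSS option as RFC 5006 defined it (option type 25, lifetime in seconds, 0 meaning withdraw and 0xffffffff meaning no expiry) and keeps a lifetime table. The packet and addresses are constructed for the demonstration, and the checksum is left at zero because the receiver's kernel, not this code, would verify it.

```python
"""Userland parsing of RDNSS entries from an IPv6 Router Advertisement.

Added example for the netdev discussion; not the kernel's or the thread's code.
The sample RA built in build_sample_ra() is constructed, not captured."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List

ICMPV6_ROUTER_ADVERT = 134      # ICMPv6 type of a Router Advertisement
ND_OPT_RDNSS = 25               # RDNSS option type (RFC 5006)
RA_HEADER_LEN = 16              # type, code, cksum, hop limit, flags, lifetimes/timers
LIFETIME_INFINITE = 0xFFFFFFFF  # RFC 5006: server never expires


@dataclass
class RdnssEntry:
    server: ipaddress.IPv6Address
    lifetime: int  # seconds; 0 means "stop using this server"


def check_ra_envelope(src: str, dst: str, hop_limit: int) -> None:
    """RFC 4861 section 6.1.2: a valid RA comes from a link-local source with
    hop limit 255 (it was not forwarded) and is addressed to all-nodes multicast
    or to a unicast address of the receiver."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if not s.is_link_local:
        raise ValueError(f"RA source {src} is not link-local")
    if hop_limit != 255:
        raise ValueError(f"RA hop limit {hop_limit} != 255, packet was forwarded")
    if d.is_multicast and d != ipaddress.IPv6Address("ff02::1"):
        raise ValueError(f"RA sent to unexpected multicast group {dst}")


def parse_rdnss(icmp: bytes) -> List[RdnssEntry]:
    """Walk the ND option TLVs of an RA and return its RDNSS entries.
    Malformed options (zero length, truncated, bad RDNSS length) are rejected."""
    if len(icmp) < RA_HEADER_LEN:
        raise ValueError("ICMPv6 message too short for a Router Advertisement")
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type != ICMPV6_ROUTER_ADVERT or icmp_code != 0:
        raise ValueError(f"not a Router Advertisement (type {icmp_type}, code {icmp_code})")
    entries: List[RdnssEntry] = []
    off = RA_HEADER_LEN
    while off < len(icmp):
        if len(icmp) - off < 2:
            raise ValueError("truncated ND option header")
        opt_type, opt_len8 = icmp[off], icmp[off + 1]
        if opt_len8 == 0:
            raise ValueError("ND option with length 0")  # RFC 4861: must be discarded
        opt_len = opt_len8 * 8                            # length is in units of 8 octets
        if off + opt_len > len(icmp):
            raise ValueError("ND option runs past end of message")
        if opt_type == ND_OPT_RDNSS:
            # RDNSS length is 1 + 2*N (8-octet units): at least 3 and always odd.
            if opt_len8 < 3 or opt_len8 % 2 == 0:
                raise ValueError(f"bad RDNSS option length {opt_len8}")
            (lifetime,) = struct.unpack_from("!I", icmp, off + 4)  # after type, len, reserved
            for i in range((opt_len8 - 1) // 2):
                start = off + 8 + 16 * i
                entries.append(RdnssEntry(ipaddress.IPv6Address(icmp[start:start + 16]), lifetime))
        off += opt_len
    return entries


def apply_rdnss(table: Dict[ipaddress.IPv6Address, float], entries: List[RdnssEntry], now: float) -> None:
    """The lifetime bookkeeping the mail says userland would have to duplicate:
    each server expires at now + lifetime; lifetime 0 withdraws it immediately."""
    for e in entries:
        if e.lifetime == 0:
            table.pop(e.server, None)
        elif e.lifetime == LIFETIME_INFINITE:
            table[e.server] = float("inf")
        else:
            table[e.server] = now + e.lifetime


def active_servers(table: Dict[ipaddress.IPv6Address, float], now: float) -> List[str]:
    """Return the servers still valid at `now`, dropping expired ones from the table."""
    for srv in [s for s, exp in table.items() if exp <= now]:
        del table[srv]
    return sorted(str(s) for s in table)


def build_sample_ra(servers: List[str], lifetime: int) -> bytes:
    """Constructed RA (checksum zero) with a single RDNSS option listing `servers`."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    opt = struct.pack("!BBHI", ND_OPT_RDNSS, 1 + 2 * len(servers), 0, lifetime)
    opt += b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    return hdr + opt


if __name__ == "__main__":
    check_ra_envelope("fe80::1", "ff02::1", 255)           # constructed, passes
    ra = build_sample_ra(["2001:db8::53", "2001:db8::54"], 600)
    table: Dict[ipaddress.IPv6Address, float] = {}
    apply_rdnss(table, parse_rdnss(ra), now=1000.0)
    print(active_servers(table, 1500.0))                    # both servers still valid
    print(active_servers(table, 1700.0))                    # lifetimes expired: []
```

Note what the code cannot know, which is the mail's point: whether the kernel actually accepted the RA (autoconf disabled, host acting as router, SeND failure), whether an RA arrived before the daemon started, and whether the link went down and up before the lifetime ran out. Those conditions leave `table` stale no matter how carefully the packet itself is checked.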
