lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <OF0DBC22C3.C87A2D77-ON88257315.0046DAAD-88257315.00493963@us.ibm.com>
Date:	Wed, 11 Jul 2007 06:20:29 -0700
From:	David Stevens <dlstevens@...ibm.com>
To:	Rémi Denis-Courmont <rdenis@...phalempin.com>
Cc:	davem@...emloft.net, netdev@...r.kernel.org,
	netdev-owner@...r.kernel.org,
	YOSHIFUJI Hideaki / 吉藤英明 
	<yoshfuji@...ux-ipv6.org>
Subject: Re: [PATCH] IPv6: optionaly validate RAs on raw sockets

I think #2 in your list is the right choice, and that has nothing to do with adding a non-standard option (which I completely agree is a bad idea).

It looked like you're just checking if the machine is acting as a router or not and if it comes from a link-local address; is that right? Of course, lots of apps already check for "am I a router" and they don't require a new socket option. (!) See everything in the quagga package, for example. And checking the address type in an app is trivial.

The previous discussion about "validation" was talking about RAs that are forged, so don't pass IPsec authentication checks. I don't see any reason at all to deliver those to an application (ever), so no non-standard socket option required there. I don't know if those are currently delivered on raw sockets or not, but if they are, I think it's reasonable to have a patch that clones them only after authentication rather than before.

Prior discussion used FUD about some monitoring apps needing to see forged RAs. I don't think there really are apps that need to see forged RAs, but if they really want everything, they should use bpf or the like, just as they would need to do to receive, for example, packets with invalid checksums.

                                                                +-DLS
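As an added example, not from this thread or from the patch under discussion: the application-side sanity check the message describes as trivial, written in C for a Router Advertisement read from a raw ICMPv6 socket. It assumes the caller has already obtained the source and destination addresses, the received hop limit, and the interface's forwarding state (all names below are hypothetical), and follows the RFC 4861 section 6.1.2 receive rules.

```c
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>
#include <netinet/icmp6.h>

enum ra_verdict { RA_OK, RA_NOT_HOST, RA_BAD_SRC, RA_BAD_HOPLIMIT, RA_BAD_LEN, RA_BAD_TYPE, RA_BAD_CSUM };

/* RFC 4443 checksum over the IPv6 pseudo-header plus the ICMPv6 message;
 * returns 0 when the checksum already stored in the message is correct. */
static uint16_t icmp6_csum(const struct in6_addr *src, const struct in6_addr *dst,
                           const uint8_t *msg, size_t len)
{
    uint32_t sum = (uint32_t)len + IPPROTO_ICMPV6;   /* upper-layer length, next header */
    for (size_t i = 0; i < 16; i += 2)
        sum += ((src->s6_addr[i] << 8) | src->s6_addr[i + 1]) + ((dst->s6_addr[i] << 8) | dst->s6_addr[i + 1]);
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (msg[i] << 8) | msg[i + 1];
    if (len & 1)
        sum += msg[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Application-side RA validation (RFC 4861 6.1.2). is_router is the interface's forwarding
 * state, obtained by the caller (assumption: read from /proc/sys/net/ipv6/conf/<if>/forwarding). */
enum ra_verdict ra_validate(int is_router, const struct in6_addr *src, const struct in6_addr *dst,
                            uint8_t hop_limit, const uint8_t *msg, size_t len)
{
    if (is_router)                   return RA_NOT_HOST;     /* hosts consume RAs, routers do not */
    if (!IN6_IS_ADDR_LINKLOCAL(src)) return RA_BAD_SRC;      /* source must be fe80::/10 */
    if (hop_limit != 255)            return RA_BAD_HOPLIMIT; /* must not have crossed a router */
    if (len < sizeof(struct nd_router_advert)) return RA_BAD_LEN;
    if (msg[0] != ND_ROUTER_ADVERT || msg[1] != 0) return RA_BAD_TYPE;
    if (icmp6_csum(src, dst, msg, len) != 0) return RA_BAD_CSUM;
    return RA_OK;
}

/* Constructed sample input: a minimal 16-byte RA (cur hop limit 64, router lifetime
 * 1800 s, no options) with a correct checksum for the given src/dst pair. */
size_t build_sample_ra(uint8_t *buf, const struct in6_addr *src, const struct in6_addr *dst)
{
    uint16_t c;
    memset(buf, 0, 16);
    buf[0] = ND_ROUTER_ADVERT; buf[4] = 64; buf[6] = 0x07; buf[7] = 0x08;
    c = icmp6_csum(src, dst, buf, 16);      /* checksum field is still zero here */
    buf[2] = c >> 8; buf[3] = c & 0xff;
    return 16;
}
```

A forged RA that fails IPsec authentication never reaches this code if the kernel drops it first; the checks here only cover what an unprivileged application can verify on its own.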
