lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 Oct 2007 12:49:50 -0400 From: Vlad Yasevich <vladislav.yasevich@...com> To: David Stevens <dlstevens@...ibm.com> Cc: Herbert Xu <herbert@...dor.apana.org.au>, brian.haley@...com, netdev@...r.kernel.org, netdev-owner@...r.kernel.org Subject: Re: multicast: bug or "feature" David Stevens wrote: > netdev-owner@...r.kernel.org wrote on 10/19/2007 04:43:27 AM: > >> Vlad Yasevich <vladislav.yasevich@...com> wrote: >>> Now, to figure out what IPv6 does different and why it works. >>> Seems to me that the two should have the same behavior. >> IPv6 on Linux uses a per-interface addressing model as opposed >> to the per-host model used by IPv4. > > For link-local addresses, yes. > > It's really a security feature; the ordinary > case where you'd receive something on an interface that's > using one of your source addresses is when someone is spoofing > you, has a duplicate address, or maybe an (unintentional) > routing loop. All of those are error cases, so dropping a > received packet that claims to be sent by you is a reasonable > thing to do. I can see this as a good feature for unicast, but starting to doubt it just a little bit for multicast. With IGMPv3/MLDv2 and source filtering, this could be done as a filter on individual sockets. The problem them becomes IGMPv2 and MLDv1. > If you're getting link-local source addresses for your > IPv6 multicast packets, that may explain it. The link-local > addresses are required to be unique and valid only for that > link, so IPv6 should not consider a different interface's > link-local address as "local" for a destination address, or > a packet using that source address as bogus. Looks like the only time IPv6 does any type of source filtering is when CONFIG_IPV6_MULTIPLE_TABLES is turned on. I need to turn this on and see if I get the same results or not. > For a global address, v4 and v6 use the same rules-- > for a destination you can receive it on any interface for > any global address. So, if your source address was a global > IPv6 address and it worked, I'd guess IPv6 just isn't checking > the source address. I don't know that it's required by RFC for > either v4 or v6, though it's probably a good idea. I've reproduced the multicast traffic using both global and link-local addresses (both source and destination were of the same scope in the tests, i.e. either global or link-local). So, it appears that IPv6 didn't do any source verification for multicast traffic. -vlad - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists