Date:	Mon, 3 Mar 2008 13:19:57 +0200
From:	Juha-Matti Tapio <jmtapio@...kkotelakka.net>
To:	Remi Denis-Courmont <rdenis@...phalempin.com>
Cc:	yoshfuji@...ux-ipv6.org, netdev@...r.kernel.org
Subject: Re: [PATCH 2/2] [IPV6]: Fix source address selection for ORCHID addresses

On Mon, Mar 03, 2008 at 11:19:40AM +0100, Remi Denis-Courmont wrote:
> On Sun, 2 Mar 2008 23:59:54 +0200, Juha-Matti Tapio
> <jmtapio@...kkotelakka.net> wrote:
> >> Then, what you should do is to appropriately configure your policy
> >> (label) table via the addrlabel subsystem.
> > That would probably mean doing something like merging labels 1 (::/0),
> > 2 (6to4) and 6 (Teredo) together? I suppose that could be possible,
> > since after all there is also the workaround of just getting separate
> > 6to4 addresses for all the necessary interfaces.
> Please do NOT do this.
> 
> 6to4 and Teredo have separate labels for a reason: 6to4-to-6to4 is
> reliable, and Teredo-to-Teredo is fairly OK. 6to4-to-native often fails,
> and Teredo-to-native very often fails due to missing, congested or even
> mis-configured relays between the native IPv6 bone, and these two
> transition mechanisms.

I meant merging them locally on the system where there are ORCHID and
6to4/Teredo addresses but not native global addresses. Merging the
generic default labels together would clearly break a lot of stuff.

Then again, I feel putting this configuration burden on the local
sysadmin is a bit too much as this is a complex matter.

> Unfortunately, glibc has the settings
> _wrong_ (IMHO): while it has the same labels as the kernel, the way glibc
> does private IPv4 addresses scoping breaks at Rule 2, which bypasses the
> IPv6 transition mechanism labels at Rule 5. And will also break the ORCHID
> label when it is added :( That's a different story, but you may want to
> make sure that is not where your problems are coming from.

I had not thought originally about glibc-issues, and I should look
into it a bit. But the kernel update alone was enough to fix my test
system. Besides, the bug I encountered is with source address
selection.

I'm not sure there even is a problem with destination address
selection and ORCHID. It probably is not a good idea to mix
native and ORCHID addresses in DNS for the same name because this
would break hosts without any ORCHID support.



-- 
Tmi Juha-Matti Tapio    Puh/Tel. +358-50-5419230
Y-tunnus 1911527-0
