lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Wed, 13 Jan 2010 09:27:41 +0100
From:	Patrick McHardy <kaber@...sh.net>
To:	Shan Wei <shanwei@...fujitsu.com>
CC:	David Miller <davem@...emloft.net>,
	netfilter-devel@...r.kernel.org,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: [RFC][PATCH] IP: Send a fragment reassembly time exceeded packet
 when enabling connection track

Shan Wei wrote:
> Patrick McHardy wrote, at 01/05/2010 01:44 PM:
>> Shan Wei wrote:
>>> Default, a host may send a fragment reassembly time exceeded packet
>>> (ICMP Time Exceeded Message with code value of 1) when defraging fragments timeout.
>>> But, when enabling connection track, a host can't send the packet.
>>>
>>> Because, the module of nf_defrag_ipv4 selected by connection track is registered 
>>> in PRE_ROUTING HOOK and assembles all accepted fragments(here, not begin to routing).
>>> After defrag timeout, the host can't send fragment reassembly time exceeded packet, 
>>> because of lack of router information.
>>>
>>> RFC 792 says:
>>>>>>>   If a host reassembling a fragmented datagram cannot complete the
>>>>>>>   reassembly due to missing fragments within its time limit it
>>>>>>>   discards the datagram, and it may send a time exceeded message.
>>>>>>>
>>>>>>>   If fragment zero is not available then no time exceeded need be
>>>>>>>   sent at all.
>>>>>>>
>>>>>>>
>>>>>>> Read more: http://www.faqs.org/rfcs/rfc792.html#ixzz0aOXRD7Wp
>>> So, the patch try to fix it with filling router information before sending fragment reassembly
>>> time exceeded packet when defrag timeout.
>> I guess the question is whether we really want to send an ICMP
>> message in this case. The above quote applies to end hosts,
> 
> Yes, what you guess is what i want to ask. :-)
> Should end hosts which are using conntrack send a fragment reassembly time exceeded message?

Yes, they should.

>> while conntrack is also (probably more commonly) used on routers,
>> which normally shouldn't attempt reassembly.  
> 
> There are two point:
> 1.Take security into account, end hosts also used conntrack. 
> 
>   For example: When a host is attacked by denial of service TCP flaws, RedHat used the conntrack&recent
>   match to limit the TCP connections.
>   
>   About details, see the phenomenon description:
>     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4609
>     http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4609
> 
>   See RedHat's solution:
>     http://kbase.redhat.com/faq/docs/DOC-18730

I'm not sure I get the connection to this patch.

> 2.On the latest kernel, a router on which the conntrack is used, reassemble fragments and 
>   forward reassembled intact packet. This implementation is not coincide with what you said.

Yes, thats a necessity for conntrack to work, but its not what
a router usually does. But it actually does refragment the packet
if it exceeds the MTU of the outgoing interface.

>   nf_defrag_ipv4 module is registered on PRE_ROUTING hook with the highest priority. So, search router table 
>   after completing the reassembly and forward it to destination host.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists