Message-ID: <20100422092305.0e45f547@nehalam>
Date: Thu, 22 Apr 2010 09:23:05 -0700
From: Stephen Hemminger <shemminger@...tta.com>
To: davem@...emloft.net
Cc: Pekka Savola <pekkas@...core.fi>, YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org>, Nick Hilliard <nick@...x.ie>, netdev@...r.kernel.org
Subject: Re: [PATCH 1/3] IPv6: Generic TTL Security Mechanism (original version)

On Sat, 03 Apr 2010 16:21:04 -0700
Stephen Hemminger <shemminger@...tta.com> wrote:

> This patch adds IPv6 support for RFC5082 Generalized TTL
> Security Mechanism.
>
> The original proposed code; the IPV6 and IPV4 socket options are separate.
> With this method, the server does have to deal with both IPv4 and IPv6
> socket options and the client has to handle the difference for each
> family.
>
> On client:
>     int ttl = 255;
>     getaddrinfo(argv[1], argv[2], &hint, &result);
>
>     for (rp = result; rp != NULL; rp = rp->ai_next) {
>         s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
>         if (s < 0) continue;
>
>         if (rp->ai_family == AF_INET) {
>             setsockopt(s, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
>         } else if (rp->ai_family == AF_INET6) {
>             setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
>                        &ttl, sizeof(ttl));
>         }
>
>         if (connect(s, rp->ai_addr, rp->ai_addrlen) == 0) {
>             ...
>
> On server:
>     int minttl = 255 - maxhops;
>
>     getaddrinfo(NULL, port, &hints, &result);
>     for (rp = result; rp != NULL; rp = rp->ai_next) {
>         s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
>         if (s < 0) continue;
>
>         if (rp->ai_family == AF_INET6)
>             setsockopt(s, IPPROTO_IPV6, IPV6_MINHOPCOUNT,
>                        &minttl, sizeof(minttl));
>         setsockopt(s, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
>
>         if (bind(s, rp->ai_addr, rp->ai_addrlen) == 0)
>             break;
>         ..
>
>
> Signed-off-by: Stephen Hemminger <shemminger@...tta.com>

Dave: Yoshifuji and I agree this is the best solution, how come the patch hasn't been applied?
-- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
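
The per-family option handling from the quoted commit message, as an added example that is not part of the original post or the kernel patch: helpers that pick the option matching the socket's family, return every setsockopt() result to the caller, and reject a maxhops value that would leave the minimum TTL at 0 or below. The gtsm_* names are hypothetical, one socket per address family is assumed (as in the getaddrinfo loops above), and the numeric fallbacks assume the Linux values of IP_MINTTL and IPV6_MINHOPCOUNT.

```c
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Fallbacks for older libc headers (assumed Linux UAPI values). */
#ifndef IP_MINTTL
#define IP_MINTTL 21
#endif
#ifndef IPV6_MINHOPCOUNT
#define IPV6_MINHOPCOUNT 73
#endif
#define GTSM_SEND_TTL 255 /* the TTL the client in the post sends with */

/* Lowest acceptable received TTL for a peer at most maxhops away, using
 * the post's formula (255 - maxhops). Returns -1 if the result would be <= 0. */
int gtsm_min_ttl(int maxhops)
{
    if (maxhops < 0 || maxhops >= GTSM_SEND_TTL)
        return -1;
    return GTSM_SEND_TTL - maxhops;
}

/* Client side: send with TTL / hop limit 255 on either family. */
int gtsm_set_send_ttl(int fd, int family)
{
    int ttl = GTSM_SEND_TTL;
    if (family == AF_INET)
        return setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
    if (family == AF_INET6)
        return setsockopt(fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &ttl, sizeof(ttl));
    errno = EAFNOSUPPORT;
    return -1;
}

/* Server side: set the minimum TTL / hop count; caller must not bind on failure. */
int gtsm_set_min_ttl(int fd, int family, int maxhops)
{
    int minttl = gtsm_min_ttl(maxhops);
    if (minttl < 0) { errno = EINVAL; return -1; }
    if (family == AF_INET)
        return setsockopt(fd, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
    if (family == AF_INET6)
        return setsockopt(fd, IPPROTO_IPV6, IPV6_MINHOPCOUNT, &minttl, sizeof(minttl));
    errno = EAFNOSUPPORT;
    return -1;
}
```

Call gtsm_set_min_ttl() before bind() and skip the socket when it returns -1, so a listener never comes up without the TTL filter.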