| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20110820082048.GA15169@gondor.apana.org.au> Date: Sat, 20 Aug 2011 16:20:48 +0800 From: Herbert Xu <herbert@...dor.apana.org.au> To: David Miller <davem@...emloft.net> Cc: ja@....bg, netdev@...r.kernel.org Subject: Re: [PATCH net-next] ipv4: one more case for non-local saddr in ICMP On Fri, Aug 19, 2011 at 03:43:54AM -0700, David Miller wrote: > From: Julian Anastasov <ja@....bg> > Date: Mon, 15 Aug 2011 19:21:23 +0300 (EEST) > > > > > May be there is one more case that we can avoid using > > non-local source for ICMP errors: xfrm_lookup, num_xfrms = 0 when > > reverse "Flow passes untransformed". Avoid using the input route > > if xfrm_lookup returns same dst. > > > > Signed-off-by: Julian Anastasov <ja@....bg> > > --- > > > > In fact, should we use local IP in all cases when > > sending ICMP? I'm asking it for the following case: > > > > Large packet is forwarded but is rejected with ICMP FRAG > > NEEDED. We usually send ICMP with local saddr instead of the > > original non-local destination. What is the role of > > this reverse check? May be after xfrm_decode_session_reverse > > we should use 'fl4_dec.saddr = fl4->saddr;' so that xfrm_lookup > > works with ICMP from local IP? What is right thing to do here? > > I don't see code that looks in the embedded header... > > Well.. this relookup behavior is guided by a special transform state > XFRM_STATE_ICMP that the user must explicitly create IPSEC rules for. > > Presumably they are going to add real transforms to such special IPSEC > rules, not create NOP ones with no transforms. And if they do create > such IPSEC state with no transforms, perhaps the intention is to trigger > to use of the non-local source. > > The whole thing revolves around how Herbert envisions people implementing > RFC4301 support using this new XFRM_STATE_ICMP thing. > > Right? The intention of XFRM_STATE_ICMP is to automatically allow inbound IPsec-protected ICMP packets (remember that IPsec tunnels are not automatically allowed, as that opens room for address spoofing). Imagine if you have a policy P that allows IPsec packets with inner addresses going from S to D. The purpose of this is to ensure that ICMP packets from D to S are automatically allowed. Cheers, -- Email: Herbert Xu <herbert@...dor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists