| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20110927162120.30394030@asterix.rh>
Date: Tue, 27 Sep 2011 16:21:20 -0300
From: Flavio Leitner <fbl@...hat.com>
To: netdev <netdev@...r.kernel.org>
Subject: ICMP redirect issue
Hi,
While investigating an issue on Red Hat Enterprise Linux, I found that
upstream commit below removed the old_gw check.
commit f39925dbde7788cfb96419c0f092b086aa325c0f
Author: David S. Miller <davem@...emloft.net>
Date: Wed Feb 9 22:00:16 2011 -0800
ipv4: Cache learned redirect information in inetpeer.
The issue is about the gateway being a LVS, so the servers behind use
the IP alias address as the default gateway. However, when the gateway
sends an ICMP redirect, it comes from the primary IP address which is
ignored on older kernels because of the old_gw check:
- if (rth->rt_dst != daddr ||
- rth->rt_src != saddr ||
- rth->dst.error ||
- rth->rt_gateway != old_gw ||
- rth->dst.dev != dev)
- break;
Well, the consequence is that the issue doesn't happen in newer kernels
because it happily accepts the ICMP redirect.
The admin can still control using shared_media and secure_redirects if
the host should accept only the ICMP redirects for gateways listed in
default gateway list or not.
In terms of a security, if someone manages to send ICMP redirect, then
I think it possible to fake the saddr to appear as coming from the
correct gateway.
So, I'm not seeing a problem, but I was told to bring this up to netdev.
Thoughts?
thanks,
fbl
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists