| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <50F9F875.30302@linux-ipv6.org> Date: Sat, 19 Jan 2013 10:35:49 +0900 From: YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org> To: netdev@...r.kernel.org, davem@...emloft.net, hannes@...essinduktion.org CC: YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org> Subject: Re: [PATCH] ipv6: add anti-spoofing checks for 6to4 and 6rd (2013年01月19日 05:04), Hannes Frederic Sowa wrote: > This patch adds anti-spoofing checks in sit.c as specified in RFC3964 > section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the > checks which could easily be implemented with netfilter. > > Specifically this patch adds following logic (based loosely on the > pseudocode in RFC3964 section 5.2): > > if prefix (inner_src_v6) == rd6_prefix (2002::/16 is the default) > and outer_src_v4 != embedded_ipv4 (inner_src_v6) > drop > if prefix (inner_dst_v6) == rd6_prefix (or 2002::/16 is the default) > and outer_dst_v4 != embedded_ipv4 (inner_dst_v6) > drop > accept > > To accomplish the specified security checks proposed by above RFCs, > it is still necessary to employ uRPF filters with netfilter. These new > checks only kick in if the employed addresses are within the 2002::/16 or > another range specified by the 6rd-prefix (which defaults to 2002::/16). It seems this breaks 6rd receiving rules: BR: if (outer src ip4 != embedded src ip4) drop(); CE: if (outer src ip4 != embedded src ip4 || inner dest ip6 != configured ip6 prefix) drop(); No? --yoshfuji -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists