| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 29 Jan 2013 15:22:50 -0500 (EST) From: David Miller <davem@...emloft.net> To: hannes@...essinduktion.org Cc: netdev@...r.kernel.org, yoshfuji@...ux-ipv6.org Subject: Re: [PATCH net-next (v3)] ipv6: add anti-spoofing checks for 6to4 and 6rd From: Hannes Frederic Sowa <hannes@...essinduktion.org> Date: Tue, 29 Jan 2013 19:24:25 +0100 > This patch adds anti-spoofing checks in sit.c as specified in RFC3964 > section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the > checks which could easily be implemented with netfilter. > > Specifically this patch adds following logic (based loosely on the > pseudocode in RFC3964 section 5.2): > > if prefix (inner_src_v6) == rd6_prefix (2002::/16 is the default) > and outer_src_v4 != embedded_ipv4 (inner_src_v6) > drop > if prefix (inner_dst_v6) == rd6_prefix (or 2002::/16 is the default) > and outer_dst_v4 != embedded_ipv4 (inner_dst_v6) > drop > accept > > To accomplish the specified security checks proposed by above RFCs, > it is still necessary to employ uRPF filters with netfilter. These new > checks only kick in if the employed addresses are within the 2002::/16 or > another range specified by the 6rd-prefix (which defaults to 2002::/16). > > Cc: YOSHIFUJI Hideaki <yoshfuji@...ux-ipv6.org> > Cc: David Miller <davem@...emloft.net> > Signed-off-by: Hannes Frederic Sowa <hannes@...essinduktion.org> Applied. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists