| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20130918041337.GD8947@order.stressinduktion.org> Date: Wed, 18 Sep 2013 06:13:37 +0200 From: Hannes Frederic Sowa <hannes@...essinduktion.org> To: Duan Jiong <duanj.fnst@...fujitsu.com> Cc: David Miller <davem@...emloft.net>, netdev@...r.kernel.org Subject: Re: [PATCH v2 6/6] ipv6: Do route updating for redirect in ndisc layer On Wed, Sep 18, 2013 at 09:52:42AM +0800, Duan Jiong wrote: > 于 2013年09月18日 09:39, Hannes Frederic Sowa 写道: > > On Tue, Sep 17, 2013 at 08:29:36PM -0400, David Miller wrote: > >> From: Duan Jiong <duanj.fnst@...fujitsu.com> > >> Date: Fri, 13 Sep 2013 11:03:07 +0800 > >> > >>> From: Duan Jiong <duanj.fnst@...fujitsu.com> > >>> > >>> Do the whole verification and route updating in ndisc > >>> lay and then just call into icmpv6_notify() to notify > >>> the upper protocols. > >>> > >>> Signed-off-by: Duan Jiong <duanj.fnst@...fujitsu.com> > >> > >> This is completely broken, and I believe your patch set fundamentally > >> is too. > >> > >> We absolutely _must_ handle the redirect at the socket level when > >> we are able to, otherwise we cannot specify the mark properly and > >> the mark is an essential part of the key used to find the correct > >> route to work with. > >> > >> I am not applying this patch series until you deal with this > >> deficiency. I am not willing to consider changes which stop using the > >> more precise keying information available from a socket. > > > > Oh, Duan, I am very sorry for not catching this earlier. We use the > > sk->mark to select the proper routing table where we clone the rt6_info into. > > And we only get that value out of the sockets. I missed that. We should leave > > the redirect logic in the socket layer where it is possible. > > > > But parts of this series are still valid. We need to fix redirects for tunnels > > and I do think we can still simplify some code in the error handlers. > > > > I got it. I gave it a bit more thought: RFC 4861 8.3: " Redirect messages apply to all flows that are being sent to a given destination. That is, upon receipt of a Redirect for a Destination Address, all Destination Cache entries to that address should be updated to use the specified next-hop, regardless of the contents of the Flow Label field that appears in the Redirected Header option. " Especially because redirects also help in the on-link determination (same RFC, section 8), I changed my mind and am still in favour of updating it in the ndisc layer. In my opinion we just have to consider all routing tables and apply the update to every one which carries a valid next hop to the source of the redirect (under consideration of the destination). This will be important if we actually try to get linux to correctly implement the ipv6 subnet model (RFC 5942, Section 4 Rule 1). In that case we are not allowed to assume nodes on-link even if they would match the same prefix as a locally configured address. Greetings, Hannes -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists