| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 18 Sep 2013 19:57:53 +0800 From: Duan Jiong <duanj.fnst@...fujitsu.com> To: David Miller <davem@...emloft.net>, hannes@...essinduktion.org CC: netdev@...r.kernel.org Subject: Re: [PATCH v2 6/6] ipv6: Do route updating for redirect in ndisc layer 于 2013年09月18日 12:13, Hannes Frederic Sowa 写道: > On Wed, Sep 18, 2013 at 09:52:42AM +0800, Duan Jiong wrote: >> 于 2013年09月18日 09:39, Hannes Frederic Sowa 写道: >>> On Tue, Sep 17, 2013 at 08:29:36PM -0400, David Miller wrote: >>>> From: Duan Jiong <duanj.fnst@...fujitsu.com> >>>> Date: Fri, 13 Sep 2013 11:03:07 +0800 >>>> >>>>> From: Duan Jiong <duanj.fnst@...fujitsu.com> >>>>> >>>>> Do the whole verification and route updating in ndisc >>>>> lay and then just call into icmpv6_notify() to notify >>>>> the upper protocols. >>>>> >>>>> Signed-off-by: Duan Jiong <duanj.fnst@...fujitsu.com> >>>> >>>> This is completely broken, and I believe your patch set fundamentally >>>> is too. >>>> >>>> We absolutely _must_ handle the redirect at the socket level when >>>> we are able to, otherwise we cannot specify the mark properly and >>>> the mark is an essential part of the key used to find the correct >>>> route to work with. >>>> >>>> I am not applying this patch series until you deal with this >>>> deficiency. I am not willing to consider changes which stop using the >>>> more precise keying information available from a socket. >>> >>> Oh, Duan, I am very sorry for not catching this earlier. We use the >>> sk->mark to select the proper routing table where we clone the rt6_info into. >>> And we only get that value out of the sockets. I missed that. We should leave >>> the redirect logic in the socket layer where it is possible. >>> >>> But parts of this series are still valid. We need to fix redirects for tunnels >>> and I do think we can still simplify some code in the error handlers. >>> >> >> I got it. > > I gave it a bit more thought: > > RFC 4861 8.3: > " > Redirect messages apply to all flows that are being sent to a given > destination. That is, upon receipt of a Redirect for a Destination > Address, all Destination Cache entries to that address should be > updated to use the specified next-hop, regardless of the contents of > the Flow Label field that appears in the Redirected Header option. > " > > Especially because redirects also help in the on-link determination (same > RFC, section 8), I changed my mind and am still in favour of updating it > in the ndisc layer. In my opinion we just have to consider all routing > tables and apply the update to every one which carries a valid next hop > to the source of the redirect (under consideration of the destination). > > This will be important if we actually try to get linux to correctly > implement the ipv6 subnet model (RFC 5942, Section 4 Rule 1). In that > case we are not allowed to assume nodes on-link even if they would match > the same prefix as a locally configured address. > I think this need a little time to discuss with David Miller, so i will send the other patchs to fix redirects for tunnels and to fix the sk->sk_err problems in udpv6_err()/rawv6_err(). Thanks, Duan -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists