lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 3 Jan 2014 08:04:26 +0100
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	François-Xavier Le Bail <fx.lebail@...oo.com>
Cc:	netdev@...r.kernel.org, "David S. Miller" <davem@...emloft.net>,
	Alexey Kuznetsov <kuznet@....inr.ac.ru>,
	James Morris <jmorris@...ei.org>,
	Hideaki Yoshifuji <yoshfuji@...ux-ipv6.org>,
	Patrick McHardy <kaber@...sh.net>
Subject: Re: [PATCH net-next v2] IPv6: add option to use Subnet-Router anycast addresses as source addresses

On Thu, Jan 02, 2014 at 10:49:02PM -0800, François-Xavier Le Bail wrote:
> On Fri, 1/3/14, Hannes Frederic Sowa <hannes@...essinduktion.org> wrote:
> 
> On Thu, Jan 02, 2014 at 10:19:24PM  -0800, François-Xavier Le Bail wrote:
> 
> >> Some setup may use a ping to Subnet-Router anycast
> >> address and expect a reply to discover a unicast address
> >> (not very secure, but ...).
> >>
> >> It is the reason why, I want to keep existing default.
>  
> > Yep, with pre-defined anycast address I actually meant the
> > subnet router
> > anycast address. We currently don't need to deal with more
> > than that one:
> > https://www.iana.org/assignments/ipv6-anycast-addresses/ipv6-anycast-addresses.xhtml
>  
> > As soon as this patch gets applied, we have to keep the knob stable
> > in its semantic.  So my proposal would be to change the knob to just
> > control the behaviour of ping replies and also change its
> > name to reflect this.
>  
> > Leave datagram sending with specific anycast address as
> > source just open and
> > don't protect it with this knob. Would that be a plan?
>  
> But service discovery may be done also with UDP, so I see the knob as a router policy:
> It enable or not anycast source.

Wouldn't distributions just enable this unconditionally and no one will ever
look at this option again?

IMHO it would be better if it could be controlled per application, because
they ultimately know how their discovery protocol works. In case of ping, it
is ok, because applications cannot control the source address here.

Greetings,

  Hannes

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ