lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 4 Mar 2014 06:06:29 -0500 (EST)
From:	Jan Stancek <jstancek@...hat.com>
To:	Linus Lüssing <linus.luessing@....de>
Cc:	netdev@...r.kernel.org, Florian Westphal <fwestpha@...hat.com>,
	bridge@...ts.linux-foundation.org
Subject: Re: bridge is not forwaring ICMP6 neighbor solicitation to KVM
 guest



----- Original Message -----
> From: "Linus Lüssing" <linus.luessing@....de>
> To: "Jan Stancek" <jstancek@...hat.com>
> Cc: netdev@...r.kernel.org, "Florian Westphal" <fwestpha@...hat.com>, bridge@...ts.linux-foundation.org
> Sent: Tuesday, 4 March, 2014 11:52:54 AM
> Subject: Re: bridge is not forwaring ICMP6 neighbor solicitation to KVM guest
> 
> Hi Jan,
> 
> On Tue, Mar 04, 2014 at 03:02:36AM -0500, Jan Stancek wrote:
> > > For the broken query, ok, it's your manually crafted query. But
> > > did you see a query with such a bogus source address "in the
> > > wild", too? (I'm curious how urgent this sanity check is)
> > 
> > It's real packet I managed to capture during one such occurrence.
> > I'm sending it with small C program over raw socket, but it's byte
> > by byte exact copy of what I captured with tcpdump previously.
> > 
> > I'm not sure how that packet came to existence. Based on IPv6 address
> > it came from host B, but all host B was doing at the time
> > was running RHEL6 with couple qemu-kvm instances. KVM guests were
> > set up to use bridge, so I'm assuming if any of them crafted
> > this packet, source IPv6 address would be different.
> > 
> 
> Ah, okay. Can you check whether it maybe came from the querier
> code in the Linux bridge on host B? Is
> "cat /sys/class/net/br0/bridge/multicast_querier" 1?

# cat /sys/class/net/br0/bridge/multicast_querier
cat: /sys/class/net/br0/bridge/multicast_querier: No such file or directory

> Can you isolate host B and disable any multicast router daemon on it? Then
> check again, if you still see these queries.

Besides those cases where I sent it by myself, I haven't seen host B send
that query for couple days now.

> What kernel version is running on host B?

2.6.32-279.42.1.el6.x86_64
It's a RHEL6.3.z kernel.

> Where does Linux use :: for queries?

I'm not sure if it's Linux (I'm trying to locate that system by MAC), but I see
packets like these on my network every ~125 seconds:

No.     Time        Source                Destination           Protocol Length Info
  22675 1334.751135 ::                    ff02::1               ICMPv6   86     Multicast Listener Query

Internet Control Message Protocol v6
    Type: Multicast Listener Query (130)
    Code: 0
    Checksum: 0x7ac1 [correct]
    Maximum Response Delay [ms]: 1000
    Reserved: 0000
    Multicast Address: :: (::)

Regards,
Jan
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ