lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <537F4B55.5040305@linux.vnet.ibm.com>
Date:	Fri, 23 May 2014 18:51:25 +0530
From:	sumanth <sumantk2@...ux.vnet.ibm.com>
To:	netdev@...r.kernel.org
CC:	Srikar Dronamraju <srikar@...ux.vnet.ibm.com>,
	Raghavendra K T <raghavendra.kt@...ux.vnet.ibm.com>
Subject: Some clarification regarding rfc3484 (6724) - Rule 8 Prefer smaller
 scope

I had configured my local interface as follows :
ifconfig eth0 inet6 add fe80::1/64
ifconfig eth0 inet6 add fec0::1/10

And /etc/hosts contains :
fe80::2 server.org
fec0::2 server.org

The above two interfaces in /etc/hosts are not configured. Just to get
the result from getaddrinfo().

So according to rfc3484 , link-local has lower scope when compared to
site-local .
So i think fe80::2 should be returned first and then later fec0::2

In my fedora ( any kernel ), getaddrinfo() is preferring site-local
first instead of link-local.

So when looking into the getaddrinfo() glibc implementation ,  when two
or more addresses are available (code flow):
1) create a udp datagram socket
2) connect to the destination addresses returned from gaih_inet ( not
sorted yet ). This was done inorder to get the source address from the
kernel (using ipv6_get_saddr_eval() we get the preferred source for 
each destination). Actually doesnt need the destination to be reachable .
 #netstat | grep -i udp
udp        0      0 fec0::1:34236               server.org:http      
ESTABLISHED

3) getsockname to get the source address and store in result combo array.

So __connect() to site-local becomes successfull . But __connect() to
link-local is not successfull .

Hence rfc3484_sort() in glibc changes the order and prefers site-local
first .

i.e /* Rule 1: Avoid unusable destinations.
     We have the got_source_addr flag set if the destination is
reachable.  */
  if (a1->got_source_addr && ! a2->got_source_addr)

a1->got_source_addr is false because connect to link-local failed.

So my questions are :
1) Can this be a problem somewhere around ip6_datagram_connect() [
because connect fails ]
2) Can this be a problem with the parsing of glibc getaddrinfo ? [
something like sin6_scope_id being not set properly ]
3) Or this is the expected behaviour or am i missing out something ?


Any suggestions ?


Thank you,
Sumanth K

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ