Message-ID: <1409130313.2505.3.camel@jlt4.sipsolutions.net>
Date:	Wed, 27 Aug 2014 11:05:13 +0200
From:	Johannes Berg <johannes@...solutions.net>
To:	Hannes Frederic Sowa <hannes@...essinduktion.org>
Cc:	linux-wireless@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [RFC] net: ipv4: drop unicast encapsulated in L2 multicast

On Wed, 2014-08-27 at 09:38 +0200, Hannes Frederic Sowa wrote:

> > And if it's *not* in the IPv6 RFCs, how should we implement this?
> 
> I haven't found anything either. Should I bring this up with IETF?

I don't know if that's really useful? OTOH, there surely must have been
a reason for this to be in the IPv4 RFC, so maybe for that same reason
it should also be in the IPv6 RFC?

However, in our particular case, it's really meant only to close the
so-called "hole-196" vulnerability where rogue clients in your network
can abuse the GTK to do some attacks. Those attacks are also always
possible on non-managed ethernet segments, but those can be segregated
more easily by client than shared medium wireless.

This is only one building block for addressing the vulnerability. The
idea here was that in the wireless stack we already check

frame encrypted with GTK => must have multicast destination address

and in the IPv4 stack we can check

frame has multicast destination address => must have multicast/broadcast
IP addr

This would address this point.

The question now is, in the absence of such a latter required check (and
indeed, in the case of CLUSTERIP), how we implement such a check.
Perhaps a sysctl is needed after all?

johannes

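Added example (not from the RFC patch or this thread): a userspace C model of the IPv4-side check described in the message above, "L2 multicast/broadcast destination => IPv4 destination must be multicast/broadcast", with a constructed knob standing in for the sysctl the message wonders about so that CLUSTERIP-style setups can opt out. The function names, the knob name and the sample frames are assumptions; the subnet-directed broadcast case is noted but not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define ETH_HLEN 14
#define ETH_P_IP 0x0800
#define IPV4_MIN_HLEN 20

/* Stand-in for the sysctl floated in the thread (assumed name): 1 enforces the
 * rule, 0 disables it for setups such as CLUSTERIP that rely on a unicast IP
 * destination behind a multicast MAC. */
static int drop_unicast_in_l2_multicast = 1;

/* Destination MAC group bit: set for both multicast and broadcast frames. */
static bool eth_dst_is_group(const uint8_t *frame)
{
    return (frame[0] & 0x01) != 0;
}

/* 224.0.0.0/4 is multicast, 255.255.255.255 is limited broadcast. The kernel
 * would also accept the receiving interface's subnet-directed broadcast;
 * this model has no interface netmask (assumption). */
static bool ipv4_dst_is_mcast_or_bcast(uint32_t daddr)
{
    return (daddr & 0xF0000000u) == 0xE0000000u || daddr == 0xFFFFFFFFu;
}

/* The rule: L2 multicast/broadcast destination => IPv4 destination must be
 * multicast or broadcast. Returns true when the frame should be dropped;
 * short, non-IPv4 and unicast-MAC frames are left to the normal path. */
bool should_drop_unicast_in_l2_mcast(const uint8_t *frame, size_t len)
{
    if (!drop_unicast_in_l2_multicast || len < ETH_HLEN + IPV4_MIN_HLEN)
        return false;
    if (!eth_dst_is_group(frame) || ((frame[12] << 8) | frame[13]) != ETH_P_IP)
        return false;
    const uint8_t *ip = frame + ETH_HLEN;
    if ((ip[0] >> 4) != 4) return false;
    uint32_t daddr = (uint32_t)ip[16] << 24 | (uint32_t)ip[17] << 16 |
                     (uint32_t)ip[18] << 8 | ip[19];
    return !ipv4_dst_is_mcast_or_bcast(daddr);
}

/* Builds a constructed minimal Ethernet+IPv4 header (no payload) with the given
 * destination MAC and IPv4 destination address, then applies the rule. */
bool check_case(const uint8_t dst_mac[6], uint32_t daddr)
{
    uint8_t buf[ETH_HLEN + IPV4_MIN_HLEN] = {0};
    memcpy(buf, dst_mac, 6);
    buf[12] = 0x08; buf[13] = 0x00;          /* EtherType IPv4 */
    buf[ETH_HLEN] = 0x45;                    /* version 4, IHL 5 */
    for (int i = 0; i < 4; i++)              /* dst IP, network byte order */
        buf[ETH_HLEN + 16 + i] = (uint8_t)(daddr >> (24 - 8 * i));
    return should_drop_unicast_in_l2_mcast(buf, sizeof buf);
}
```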
