Message-ID: <CAPwn2JSk0P8n+aSxTGiU0Q2RSSbZ52NVZxOS+yURpor2YQVySQ@mail.gmail.com>
Date:	Tue, 28 Jul 2015 11:05:36 +0800
From:	Hangbin Liu <liuhangbin@...il.com>
To:	YOSHIFUJI Hideaki/吉藤英明 
	<hideaki.yoshifuji@...aclelinux.com>
Cc:	network dev <netdev@...r.kernel.org>,
	Hannes Frederic Sowa <hannes@...essinduktion.org>
Subject: Re: [PATCHv2] net/ipv6: add sysctl option accept_ra_hop_limit

2015-07-28 7:50 GMT+08:00 YOSHIFUJI Hideaki/吉藤英明
<hideaki.yoshifuji@...aclelinux.com>:
> Hi,
>
> Hangbin Liu wrote:
>> Commit 6fd99094de2b ("ipv6: Don't reduce hop limit for an interface")
>> disabled accepting the hop limit from RA if it is higher than the current hop
>> limit for security stuff. But this behavior kind of breaks the RFC definition.
>>
>> RFC 4861, 6.3.4.  Processing Received Router Advertisements
>>    If the received Cur Hop Limit value is non-zero, the host SHOULD set
>>    its CurHopLimit variable to the received value.
>>
>> So add sysctl option accept_ra_hop_limit to let the user choose whether to
>> accept hop limit info in RA.
>>
>
> How about introducing "minimum hop limit", instead?

Hi Yoshifuji,

This is a good idea. Maybe this can be another sysctl option?

The minimum hop limit can be an enhancement of the security issue; then we could
not only increase the hop limit, but also decrease it within the range of values
we accept.

On the other hand, with this patch, we can enable, disable or partly enable
accepting the hop limit. If we only use "minimum hop limit", people could not
use a static hop limit value.

Maybe we use a "hop limit range" instead? What do you think?

Thanks
Hangbin

>
> |commit 6fd99094de2b83d1d4c8457f2c83483b2828e75a
> |Author: D.S. Ljungmark <ljungmark@...io.se>
> |Date:   Wed Mar 25 09:28:15 2015 +0100
> |
> |    ipv6: Don't reduce hop limit for an interface
> :
> |    RFC 3756, Section 4.2.7, "Parameter Spoofing"
> |
> :
> |    >   As an example, one possible approach to mitigate this threat is to
> |    >   ignore very small hop limits.  The nodes could implement a
> |    >   configurable minimum hop limit, and ignore attempts to set it below
> |    >   said limit.
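As an added illustration (this is not kernel code and not part of the patch under discussion; the enum names and the function are invented here), the following C model puts the three behaviours discussed above side by side: taking the RA's Cur Hop Limit as-is per RFC 4861 6.3.4, the post-commit-6fd99094de2b rule of never lowering the current value, and the proposed "hop limit range" that ignores values outside a configured [min, max]. The zero-value case is handled as RFC 4861 specifies (zero means the router did not specify a hop limit).

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative model (not kernel code) of the three ways of handling the
 * Cur Hop Limit field of a Router Advertisement discussed in the thread.
 * The enum names and the function are invented for this example.
 */
enum ra_hop_limit_policy {
	RA_HL_RFC4861,      /* RFC 4861 6.3.4: take any non-zero value as-is      */
	RA_HL_NO_DECREASE,  /* commit 6fd99094de2b: never lower the current value */
	RA_HL_RANGE,        /* proposed "hop limit range": accept only [min, max] */
};

/*
 * Return the hop limit the interface should use after processing an RA whose
 * Cur Hop Limit field is ra_hl, given the current value cur and the policy.
 * min_hl/max_hl are consulted only by RA_HL_RANGE.
 */
uint8_t apply_ra_hop_limit(enum ra_hop_limit_policy policy,
			   uint8_t min_hl, uint8_t max_hl,
			   uint8_t cur, uint8_t ra_hl)
{
	/* RFC 4861: a zero Cur Hop Limit means "unspecified by this router". */
	if (ra_hl == 0)
		return cur;

	switch (policy) {
	case RA_HL_RFC4861:
		return ra_hl;
	case RA_HL_NO_DECREASE:
		return ra_hl > cur ? ra_hl : cur;
	case RA_HL_RANGE:
		/* RFC 3756 4.2.7: ignore attempts to set it outside the configured range. */
		if (ra_hl < min_hl || ra_hl > max_hl)
			return cur;
		return ra_hl;
	}
	return cur;
}

int main(void)
{
	/* Constructed sample: interface currently at 64; RAs carrying 0, 1, 48 and 128. */
	const uint8_t cur = 64;
	const uint8_t samples[] = { 0, 1, 48, 128 };
	const char *names[] = { "rfc4861", "no_decrease", "range[32,255]" };
	const enum ra_hop_limit_policy pols[] = { RA_HL_RFC4861, RA_HL_NO_DECREASE, RA_HL_RANGE };

	printf("%-14s", "RA CurHopLimit");
	for (int i = 0; i < 3; i++)
		printf(" %14s", names[i]);
	printf("\n");
	for (size_t s = 0; s < sizeof(samples) / sizeof(samples[0]); s++) {
		printf("%-14d", samples[s]);
		for (int i = 0; i < 3; i++)
			printf(" %14d", apply_ra_hop_limit(pols[i], 32, 255, cur, samples[s]));
		printf("\n");
	}
	return 0;
}
```

The table printed by main shows the trade-off being argued in the thread: the RFC 4861 policy lets a single RA carrying Cur Hop Limit 1 drop the interface to 1, the no-decrease rule rejects that but also rejects any legitimate lowering, and the range policy rejects the 1 while still accepting 48.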