Message-ID: <CAPwn2JSk0P8n+aSxTGiU0Q2RSSbZ52NVZxOS+yURpor2YQVySQ@mail.gmail.com>
Date: Tue, 28 Jul 2015 11:05:36 +0800
From: Hangbin Liu <liuhangbin@...il.com>
To: YOSHIFUJI Hideaki/吉藤英明
<hideaki.yoshifuji@...aclelinux.com>
Cc: network dev <netdev@...r.kernel.org>,
Hannes Frederic Sowa <hannes@...essinduktion.org>
Subject: Re: [PATCHv2] net/ipv6: add sysctl option accept_ra_hop_limit
2015-07-28 7:50 GMT+08:00 YOSHIFUJI Hideaki/吉藤英明
<hideaki.yoshifuji@...aclelinux.com>:
> Hi,
>
> Hangbin Liu wrote:
>> Commit 6fd99094de2b ("ipv6: Don't reduce hop limit for an interface")
>> disabled accepting the hop limit from RA if it is higher than the current hop
>> limit for security stuff. But this behavior kind of breaks the RFC definition.
>>
>> RFC 4861, 6.3.4. Processing Received Router Advertisements
>> If the received Cur Hop Limit value is non-zero, the host SHOULD set
>> its CurHopLimit variable to the received value.
>>
>> So add sysctl option accept_ra_hop_limit to let the user choose whether to accept
>> hop limit info in RA.
>>
>
> How about introducing "minimum hop limit", instead?
Hi Yoshifuji,

This is a good idea. Maybe this can be another sysctl option?

The minimum hop limit can be an enhancement for the security issue; then we could
not only increase the hop limit, but also decrease it within the range of values we
accept.

On the other hand, with this patch, we can enable, disable or partly enable accepting
the hop limit. If we only use "minimum hop limit", people could not use a static hop
limit value.

Maybe we use a "hop limit range" instead? What do you think?

Thanks
Hangbin
>
> |commit 6fd99094de2b83d1d4c8457f2c83483b2828e75a
> |Author: D.S. Ljungmark <ljungmark@...io.se>
> |Date: Wed Mar 25 09:28:15 2015 +0100
> |
> | ipv6: Don't reduce hop limit for an interface
> :
> | RFC 3756, Section 4.2.7, "Parameter Spoofing"
> |
> :
> | > As an example, one possible approach to mitigate this threat is to
> | > ignore very small hop limits. The nodes could implement a
> | > configurable minimum hop limit, and ignore attempts to set it below
> | > said limit.
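As an added illustration (not kernel code and not part of this thread's patch), the following models how a host's CurHopLimit would be updated from an RA under the three policies discussed here: plain RFC 4861 acceptance, the never-reduce behaviour from commit 6fd99094de2b, and the proposed minimum / range check; the enum and function names are hypothetical, and the sample values are constructed.

```c
/* Added illustration, not kernel code: models how a host updates its
 * CurHopLimit variable from an RA's Cur Hop Limit field under the three
 * policies discussed in this thread. Names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>

enum ra_hl_policy {
    RA_HL_RFC4861,       /* RFC 4861 6.3.4: any non-zero value is accepted */
    RA_HL_NEVER_REDUCE,  /* commit 6fd99094de2b: never lower the current limit */
    RA_HL_RANGE,         /* proposed: accept only values inside [min, max] */
};

/* Returns the CurHopLimit a host should hold after processing an RA whose
 * Cur Hop Limit field is 'received'. Zero means "unspecified" and is
 * ignored under every policy, as RFC 4861 requires. 'min'/'max' are only
 * consulted for RA_HL_RANGE; a minimum alone is the range [min, 255]. */
uint8_t ra_apply_hop_limit(enum ra_hl_policy policy, uint8_t min, uint8_t max,
                           uint8_t cur, uint8_t received)
{
    if (received == 0)
        return cur;
    switch (policy) {
    case RA_HL_RFC4861:
        return received;
    case RA_HL_NEVER_REDUCE:
        return received > cur ? received : cur;
    case RA_HL_RANGE:
        return (received >= min && received <= max) ? received : cur;
    }
    return cur;
}

int main(void)
{
    /* Constructed sample: host at the default 64, one RA carrying a tiny
     * limit (the RFC 3756 4.2.7 "Parameter Spoofing" case) and one carrying 128. */
    const uint8_t cur = 64, tiny = 1, legit = 128;
    const char *names[] = { "rfc4861", "never-reduce", "range[32,255]" };
    enum ra_hl_policy policies[] = { RA_HL_RFC4861, RA_HL_NEVER_REDUCE, RA_HL_RANGE };

    printf("%-14s %8s %8s\n", "policy", "RA=1", "RA=128");
    for (int i = 0; i < 3; i++)
        printf("%-14s %8u %8u\n", names[i],
               (unsigned)ra_apply_hop_limit(policies[i], 32, 255, cur, tiny),
               (unsigned)ra_apply_hop_limit(policies[i], 32, 255, cur, legit));
    return 0;
}
```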