lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 May 2016 21:56:04 -0400 From: Sowmini Varadhan <sowmini.varadhan@...cle.com> To: Hannes Frederic Sowa <hannes@...essinduktion.org> Cc: Tom Herbert <tom@...bertland.com>, Linux Kernel Network Developers <netdev@...r.kernel.org>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org> Subject: Re: IPv6 extension header privileges On (05/21/16 02:20), Hannes Frederic Sowa wrote: > > There are some options inherently protocol depending like the jumbo > payload option, which should be under control of the kernel, or the > router alert option for igmp, which causes packets to be steered towards > the slow/software path of routers, which can be used for DoS attacks. > > Setting CALIPSO options in IPv6 on packets as users would defeat the > whole CALIPSO model, etc. > > The RFC3542 requires at least some of the options in dst/hop-by-hop "requires" is a strong word. 3542 declares it as a "may" (lower case). The only thing required strongly is IPV6_NEXTHOP itself. I suspect 3542 was written at a time when hbh and dst opt were loosely defined and the "may" is just a place-holder (i.e., it's not even a MAY) > > AFAIK people worried about the parsing overhead and thus decided to > block it for ordinary users. That's probably more likely, esp for hbh options. It may also be interesting to find out what BSD does in these cases. --Sowmini
Powered by blists - more mailing lists