lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 21 May 2016 11:34:35 +0200 From: Hannes Frederic Sowa <hannes@...essinduktion.org> To: Sowmini Varadhan <sowmini.varadhan@...cle.com> Cc: Tom Herbert <tom@...bertland.com>, Linux Kernel Network Developers <netdev@...r.kernel.org>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org> Subject: Re: IPv6 extension header privileges On Sat, May 21, 2016, at 03:56, Sowmini Varadhan wrote: > On (05/21/16 02:20), Hannes Frederic Sowa wrote: > > > > There are some options inherently protocol depending like the jumbo > > payload option, which should be under control of the kernel, or the > > router alert option for igmp, which causes packets to be steered towards > > the slow/software path of routers, which can be used for DoS attacks. > > > > Setting CALIPSO options in IPv6 on packets as users would defeat the > > whole CALIPSO model, etc. > > > > The RFC3542 requires at least some of the options in dst/hop-by-hop > > "requires" is a strong word. 3542 declares it as a "may" (lower case). > The only thing required strongly is IPV6_NEXTHOP itself. > > I suspect 3542 was written at a time when hbh and dst opt were loosely > defined and the "may" is just a place-holder (i.e., it's not even a MAY) My wording directly from the RFC was too strong, true, but given that there is a CALIPSO patch already floating around for the kernel and those options are strictly controlled by selinux policy and build the foundation for the networking separation we can't make it simply non-priv. Bye, Hannes
Powered by blists - more mailing lists