| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7b133850-bbdc-594c-f7f3-62e9d4adf1f3@arista.com>
Date: Wed, 14 Jun 2017 14:51:35 -0700
From: Julien Gomes <julien@...sta.com>
To: Nikolay Aleksandrov <nikolay@...ulusnetworks.com>,
davem@...emloft.net
Cc: Netdev <netdev@...r.kernel.org>,
Donald Sharp <sharpd@...ulusnetworks.com>
Subject: Re: [PATCH net-next 0/3] ipmr/ip6mr: add Netlink notifications on
cache reports
Hi Nikolay,
On 06/14/2017 05:04 AM, Nikolay Aleksandrov wrote:
> This has been on our todo list and I'm definitely interested in the implementation.
> A few things that need careful consideration from my POV. First are the security
> implications - this sends rtnl multicast messages but the rtnl socket has
> the NL_CFG_F_NONROOT_RECV flag thus allowing any user on the system to listen in.
> This would allow them to see the full packets and all reports (granted they can see
> the notifications even now), but the full packet is like giving them the opportunity
> to tcpdump the PIM traffic.
I definitely see how this can be an issue.
>From what I see, this means that either the packet should be
transmitted another way, or another Netlink family should be used.
NETLINK_ROUTE looks to be the logical family to choose though,
but then I do not see a proper other way to handle this.
However I may just not be looking into the right direction,
maybe you currently have another approach in mind?
> My second (more fixable and minor) concern is about the packet itself, how do you
> know that the packet is all linear so you can directly copy it ?
Indeed, I overlooked this possibility in this version.
I will improve that.
--
Julien Gomes
Powered by blists - more mailing lists