lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <20171103.101108.660889899668900453.davem@davemloft.net>
Date:   Fri, 03 Nov 2017 10:11:08 +0900 (KST)
From:   David Miller <davem@...emloft.net>
To:     tom@...ntonium.net
Cc:     netdev@...r.kernel.org, rohit@...ntonium.net
Subject: Re: [PATCH v2 net-next] ipv6: Implement limits on Hop-by-Hop and
 Destination options

From: Tom Herbert <tom@...ntonium.net>
Date: Mon, 30 Oct 2017 14:16:00 -0700

> RFC 8200 (IPv6) defines Hop-by-Hop options and Destination options
> extension headers. Both of these carry a list of TLVs which is
> only limited by the maximum length of the extension header (2048
> bytes). By the spec a host must process all the TLVs in these
> options, however these could be used as a fairly obvious
> denial of service attack. I think this could in fact be
> a significant DOS vector on the Internet, one mitigating
> factor might be that many FWs drop all packets with EH (and
> obviously this is only IPv6) so an Internet wide attack might not
> be so effective (yet!).
 ...
> This patch adds configurable limits to Destination and Hop-by-Hop
> options. There are three limits that may be set:
>   - Limit the number of options in a Hop-by-Hop or Destination options
>     extension header.
>   - Limit the byte length of a Hop-by-Hop or Destination options
>     extension header.
>   - Disallow unrecognized options in a Hop-by-Hop or Destination
>     options extension header.
> 
> The limits are set in corresponding sysctls:
> 
>   ipv6.sysctl.max_dst_opts_cnt
>   ipv6.sysctl.max_hbh_opts_cnt
>   ipv6.sysctl.max_dst_opts_len
>   ipv6.sysctl.max_hbh_opts_len
 ...
> Signed-off-by: Tom Herbert <tom@...ntonium.net>

Applied to net-next, let's see how this goes.

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ