| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 03 Nov 2017 10:11:08 +0900 (KST) From: David Miller <davem@...emloft.net> To: tom@...ntonium.net Cc: netdev@...r.kernel.org, rohit@...ntonium.net Subject: Re: [PATCH v2 net-next] ipv6: Implement limits on Hop-by-Hop and Destination options From: Tom Herbert <tom@...ntonium.net> Date: Mon, 30 Oct 2017 14:16:00 -0700 > RFC 8200 (IPv6) defines Hop-by-Hop options and Destination options > extension headers. Both of these carry a list of TLVs which is > only limited by the maximum length of the extension header (2048 > bytes). By the spec a host must process all the TLVs in these > options, however these could be used as a fairly obvious > denial of service attack. I think this could in fact be > a significant DOS vector on the Internet, one mitigating > factor might be that many FWs drop all packets with EH (and > obviously this is only IPv6) so an Internet wide attack might not > be so effective (yet!). ... > This patch adds configurable limits to Destination and Hop-by-Hop > options. There are three limits that may be set: > - Limit the number of options in a Hop-by-Hop or Destination options > extension header. > - Limit the byte length of a Hop-by-Hop or Destination options > extension header. > - Disallow unrecognized options in a Hop-by-Hop or Destination > options extension header. > > The limits are set in corresponding sysctls: > > ipv6.sysctl.max_dst_opts_cnt > ipv6.sysctl.max_hbh_opts_cnt > ipv6.sysctl.max_dst_opts_len > ipv6.sysctl.max_hbh_opts_len ... > Signed-off-by: Tom Herbert <tom@...ntonium.net> Applied to net-next, let's see how this goes. Thanks.
Powered by blists - more mailing lists