lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 24 Mar 2021 21:19:14 -0600
From:   David Ahern <dsahern@...il.com>
To:     Ron Bonica <rbonica@...iper.net>, Zachary Dodds <zdodds@...il.com>,
        Ishaan Gandhi <ishaangandhi@...il.com>
Cc:     Andreas Roeseler <andreas.a.roeseler@...il.com>,
        David Miller <davem@...emloft.net>,
        Network Development <netdev@...r.kernel.org>,
        Stephen Hemminger <stephen@...workplumber.org>,
        Willem de Bruijn <willemdebruijn.kernel@...il.com>,
        "junipeross20@...hmc.edu" <junipeross20@...hmc.edu>
Subject: Re: rfc5837 and rfc8335

On 3/23/21 10:39 AM, Ron Bonica wrote:
> Hi Folks,
> 
>  
> 
> The rationale for RFC 8335 can be found in Section 5.0 of that document.
> Currently, ICMP ECHO and ECHO RESPONSE messages can be used to determine
> the liveness of some interfaces. However, they cannot determine the
> liveness of:
> 
>  
> 
>   * An unnumbered IPv4 interface
>   * An IPv6 interface that has only a link-local address
> 
>  
> 
> A router can have hundreds, or even thousands of interfaces that fall
> into these categories.
> 
>  
> 
> The rational for RFC 5837 can be found in the Introduction to that
> document. When a node sends an ICMP TTL Expired message, the node
> reports that a packet has expired on it. However, the source address of
> the ICMP TTL Expired message doesn’t necessarily identify the interface
> upon which the packet arrived. So, TRACEROUTE can be relied upon to
> identify the nodes that a packet traverses along its delivery path. But
> it cannot be relied upon to identify the interfaces that a packet
> traversed along its deliver path.
> 
>  

It's not a question of the rationale; the question is why add this
support to Linux now? RFC 5837 is 11 years old. Why has no one cared to
add support before now? What tooling supports it? What other NOS'es
support it to really make the feature meaningful? e.g., Do you know what
Juniper products support RFC 5837 today?

More than likely Linux is the end node of the traceroute chain, not the
transit or path nodes. With Linux, the ingress interface can lost in the
layers (NIC port, vlan, bond, bridge, vrf, macvlan), and to properly
support either you need to return information about the right one.
Unnumbered interfaces can make that more of a challenge.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ