lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 12 May 2021 12:43:18 +0800 (CST)
From:   meijusan <meijusan@....com>
To:     "David Ahern" <dsahern@...il.com>
Cc:     "Jakub Kicinski" <kuba@...nel.org>, davem@...emloft.net,
        yoshfuji@...ux-ipv6.org, dsahern@...nel.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re:Re: [PATCH] net/ipv4/ip_fragment:fix missing Flags reserved bit
 set in iphdr


At 2021-05-11 11:05:54, "David Ahern" <dsahern@...il.com> wrote:
>On 5/10/21 7:18 PM, meijusan wrote:
>> 
>> At 2021-05-08 06:59:00, "Jakub Kicinski" <kuba@...nel.org> wrote:
>>> On Thu,  6 May 2021 22:59:05 +0800 meijusan wrote:
>>>> ip frag with the iphdr flags reserved bit set,via router,ip frag reasm or
>>>> fragment,causing the reserved bit is reset to zero.
>>>>
>>>> Keep reserved bit set is not modified in ip frag  defrag or fragment.
>>>>
>>>> Signed-off-by: meijusan <meijusan@....com>
>>>
>>> Could you please provide more background on why we'd want to do this?
>> 
>>> Preferably with references to relevant (non-April Fools' Day) RFCs.
>> 
>> [background]
>> the Simple network usage scenarios: the one PC software<--->linux router(L3)/linux bridege(L2,bridge-nf-call-iptables)<--->the other PC software
>> 1)the PC software send the ip packet with the iphdr flags reserved bit is set, when ip packet(not fragments ) via the one linux router/linux bridge,and the iphdr flags reserved bit is not modified;
>> 2)but the ip fragments via router,the linux IP reassembly or fragmentation ,causing the reserved bit is reset to zero,Which leads to The other PC software depending on the reserved bit set  process the Packet failed.
>> [rfc]
>> RFC791
>> Bit 0: reserved, must be zero
>> RFC3514
>> Introduction This bit , but The scene seems different from us,we expect Keep reserved bit set is not modified when forward the linux router
>> 
>> 
>> 
>> 
>> 
>
>Why process the packet at all? If a reserved bit must be 0 and it is

>not, drop the packet.

Sorry, my background description is not clearly described

 the Simple network usage scenarios: one PC software<--->linux router(L3)/linux bridege(L2,bridge-nf-call-iptables)<--->the other PC software
 1)the PC software send the ip packet with the iphdr flags reserved bit is set 1,The packet can pass through the router normally, and the reserved flags bit have not been modified;
 2)When the ip fragment packet passes through the linux router, the linux network protocol stack's re-fragmentation function of the IP fragment causes the first bit of the reserved field of the ip header to be cleared to 0. When the packet reaches the software of another pc, the PC software checks the reserved bit and finds that the reserved bit is not 0,  discard the packet.

 If according to rfc791, the reserved bit must be 0, how does the kernel protocol stack deal with fragmented packets or non-fragmented packets that carry the reserved field bit as 1? I personally think that either all of them are transmitted transparently or all of them are discarded. This needs to be discussed.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ