lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <a8723a1c-ca6c-ffbe-9a8a-395bef9da8e2@cisco.com>
Date:   Thu, 24 Jun 2021 09:27:38 +0000
From:   "Georg Kohmann (geokohma)" <geokohma@...co.com>
To:     Florian Westphal <fw@...len.de>
CC:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "coreteam@...filter.org" <coreteam@...filter.org>,
        "netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>,
        "kuba@...nel.org" <kuba@...nel.org>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "kadlec@...filter.org" <kadlec@...filter.org>,
        "pablo@...filter.org" <pablo@...filter.org>
Subject: Re: [PATCH net] ipv6/netfilter: Drop Packet Too Big with invalid
 payload

On 24.06.2021 11:05, Florian Westphal wrote:
> Georg Kohmann <geokohma@...co.com> wrote:
>> PMTU is updated even though received ICMPv6 PTB do not match any
>> transmitted traffic. This breaks TAHI IPv6 Core Conformance Test
>> Revision 5.0.1, v6LC.4.1.12 Validate Packet Too Big[1].
>>
>> Referring to RFC8201 IPv6 Path MTU Discovery, section 4: "Nodes should
>> appropriately validate the payload of ICMPv6 PTB messages to ensure
>> these are received in response to transmitted traffic (i.e., a reported
>> error condition that corresponds to an IPv6 packet actually sent by the
>> application) per [ICMPv6]."
>>
>> nf_conntrack_inet_error() return -NF_ACCEPT if the inner header of
>> ICMPv6 error packet is not related to an existing connection. Drop PTB
>> packet when this occur. This will prevent ipv6 from handling the packet
>> and update the PMTU.
> This is intentional. We try to not auto-drop packets in conntrack.
>
> Packet is marked as invalid, users can add nft/iptables rules to discard
> such packets if they want to do so.
Ah, dropping patch then, thank you.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ