Date:   Tue, 22 Feb 2022 17:08:30 -0500
From:   Matthew Oswalt <moswalt@...udflare.com>
To:     netdev@...r.kernel.org
Cc:     kernel-team@...udflare.com
Subject: Historical reason for differences in v4/v6 Any-IP for nonlocal binds

Hello all,

I'm working with binding TCP sockets to nonlocal addresses (not
configured on an interface). I noticed that both IPv4 and IPv6 sockets
will succeed using options like IP_FREEBIND, but unlike IPv6, sockets
using IPv4 can also succeed if a matching Any-IP route is present,
without configuring any options or sysctl settings.

I noticed an old email in this mailing list that also describes this behavior:
https://lore.kernel.org/netdev/CAMdqG7Wci6HD19rc9u4RK-_Wdh3pqQvQ7b3J5O=2SJs9NeyTJA@mail.gmail.com/

I'm running a somewhat recent kernel (5.10) and my testing shows
identical results using TCP as well, so I believe this is still true.
For IPv4 sockets, either the presence of a matching Any-IP route,
**or** setting IP_FREEBIND (etc), results in a successful bind() to a
nonlocal address. However, with IPv6, it doesn't appear to matter
whether or not an Any-IP route is present. For these to succeed, an
option like IP_FREEBIND **must** be set (or
ipv6.sysctl.ip_nonlocal_bind, or IP_TRANSPARENT I believe would also
work).

After looking through "net/af_inet6.c" a bit, it seems obvious that
this is intended behavior. I believe I'm able to follow that bit of
the kernel code and understand how the decision is made.

However, is there any historical reason for this discrepancy? Why does
the IPv4 implementation perform a FIB lookup and allow a bind to
proceed if an Any-IP route is found, but the IPv6 implementation
doesn't? I'm really just curious if there is a specific reason why
this aspect of the IPv4 implementation wasn't brought over to the IPv6
implementation, or if it was just left out in favor of the more
explicit approach via options like IP_FREEBIND, or any other reason I
could be missing.

Thanks,

Matt Oswalt
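
The comparison described in the message above, as an added example that is not part of the original post: a small Python probe that attempts a TCP bind() to a nonlocal address with and without IP_FREEBIND for each address family. The probe addresses (documentation ranges), the numeric fallback 15 for IP_FREEBIND, and the helper names are assumptions of this example.

```python
import errno
import socket

# Linux value from <linux/in.h>; assumed fallback, since not every Python
# build exports the name.
IP_FREEBIND = getattr(socket, "IP_FREEBIND", 15)

# Constructed probe targets from the documentation ranges (RFC 5737 and
# RFC 3849), assumed not to be configured on any local interface.
PROBES = {
    "IPv4": (socket.AF_INET, "192.0.2.1"),
    "IPv6": (socket.AF_INET6, "2001:db8::1"),
}


def try_bind(family, addr, freebind):
    """Bind a TCP socket to addr, port 0; return "ok" or the errno name."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            if freebind:
                # IPPROTO_IP is the same level as SOL_IP (0). The message
                # reports IP_FREEBIND working for IPv6 sockets as well.
                s.setsockopt(socket.IPPROTO_IP, IP_FREEBIND, 1)
            s.bind((addr, 0))
            return "ok"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e))


def interpret(plain, freebind):
    """Classify one family's pair: plain bind, bind with IP_FREEBIND."""
    if plain == "ok":
        # A matching Any-IP route (IPv4, per the message) or a
        # nonlocal-bind sysctl would both produce this outcome.
        return "nonlocal bind allowed without socket option"
    if plain == "EADDRNOTAVAIL" and freebind == "ok":
        return "nonlocal bind requires IP_FREEBIND"
    return "inconclusive"


def probe():
    """Run both bind attempts for each family and attach the verdict."""
    out = {}
    for name, (family, addr) in PROBES.items():
        plain = try_bind(family, addr, False)
        free = try_bind(family, addr, True)
        out[name] = (plain, free, interpret(plain, free))
    return out


if __name__ == "__main__":
    for name, (plain, free, verdict) in probe().items():
        print(f"{name}: plain={plain} freebind={free} -> {verdict}")
```

Running it once without and once with a local (Any-IP) route that covers the probe address shows whether the plain bind result changes for each family.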
