lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <040f897e-edde-a772-ca81-cd8f5a6857b1@uliege.be> Date: Wed, 30 Mar 2022 11:53:37 +0200 From: Justin Iurman <justin.iurman@...ege.be> To: David Ahern <dsahern@...nel.org>, netdev@...r.kernel.org Cc: davem@...emloft.net, yoshfuji@...ux-ipv6.org, kuba@...nel.org, pabeni@...hat.com Subject: Re: [RFC net] Discuss seg6 potential wrong behavior Hi David, Thanks for your feedback and sorry for the delay in my response. On 3/23/22 03:10, David Ahern wrote: > On 3/18/22 2:21 PM, Justin Iurman wrote: >> This thread aims to discuss a potential wrong behavior regarding seg6 >> (as well as rpl). I'm curious to know if there is a specific reason for >> discarding the packet when seg6 is not enabled on an interface and when > > that is standard. MPLS for example does the same. I guess you mean "standard" from a kernel implementation point of view, not from the RFC one, right? Again, I understand *why* it would be implemented the current way so that one doesn't bother distinguishing between the case I mentioned and other cases (only talking about routing headers here, did not give a look at the mpls implementation nor RFCs). But still, I can't stop thinking it's wrong, especially when the RFC (more than) suggests the opposite. Indeed, having the case (!seg6_enabled && segments_left == 0) is not harmful for a node (only if nexthdr != (IPv6||IPv4) of course, otherwise there could probably be something suspicious). So, right now, if an operator forgets to enable it on one of its egresses, the packet is just silently dropped. And there goes the wasted time trying to figure out what's wrong. Also, let's just assume that you want your packet to be sent towards a destination Y, and going through a specific node X on the path. As long as you don't cross a domain/AS where seg6 is enabled, your packet goes through. Fine, but, if you don't own the destination and it runs a Linux kernel, the packet will be discarded if seg6 is not enabled (which is the case for each interface, by default). Which is sad, because there is literally nothing to do and the packet should be accepted. So, the correct way of handling this specific case mentioned previously (which is also in the RFC) would be to continue processing next header. It would semantically sound better. And, such a change would not introduce any issue, whether seg6 is enabled or not in your domain/AS. I insist on this point as it is important. >> segments_left == 0. Indeed, reading RFC8754, I'm not sure this is the > > >> right thing to do. I think it would be more correct to process the next >> header in the packet. It does not make any sense to prevent further >> processing when the SRv6 node has literally nothing to do in that >> specific case. For that, we need to postpone the check of accept_seg6. >> And, in order to avoid a breach, we also check for accept_seg6 before >> decapsulation when segments_left == 0. Any comments on this? >> >> Also, I'm not sure why accept_seg6 is set the current way. Are we not >> suppose to prioritize devconf_all? If "all" is set to 1, then it is > > sadly, ipv6 is all over the place with 'all' vs 'dev' settings. I see. Indeed, changing that might bring some compatibility issues depending on configurations. In that case, maybe should we update the documentation for each concerned part, so that people know that "all && dev" is mandatory to enable the feature (at least for seg6, though).
Powered by blists - more mailing lists