lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <Zw1PZVgX/l0thRK0@GHGHG14>
Date: Mon, 14 Oct 2024 18:05:41 +0100
From: Tiago Lam <tiagolam@...udflare.com>
To: willemdebruijn.kernel@...il.com
Cc: netdev@...r.kernel.org, kernel-team@...udflare.com,
	jakub@...udflare.com
Subject: Egressing non-local UDP traffic, IPv4 vs IPv6

Hi Willem et al,

While working/testing the reverse sk_lookup at [1], I came across an
apparent discrepancy between how IPv4 and IPv6 works which I'd like to
understand better.

The bottom line is: setting IP_FREEBIND is enough to allow IPv6 traffic
to egress from a non-local IP address (i.e. an IP not assigned to any
loopback nor any local route in the metal). For IPv4 traffic, one needs
to set IP_TRANSPARENT, which requires special permissions.

The following python snippets show this divergence in practice.

IPv4 (needs sudo for using IP_TRANSPARENT):
```
sudo python -c '
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# 15 stands for IP_FREEBIND, and fails if set on its own.
#s.setsockopt(socket.SOL_IP, 15, 1)
s.setsockopt(socket.SOL_IP, socket.IP_TRANSPARENT, 1)
s.bind(("2.2.2.2", 0))
s.sendto(b"x" * 300, ("8.8.8.8", 9))'
```

IPv6 (doesn't need sudo)
```
python -c '
import socket
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_IP, 15, 1)
s.bind(("2001:4860:4860::2222", 0))
s.sendto(b"x" * 300, ("2001:4860:4860::8888", 9))'
```

>From what I can gather, this validation for IPv6 is only done during
bind at [2], when it checks if either IP_FREEBIND or IP_TRANSPARENT is
set when binding to a non-local IP. While IPv4 does the same check
during bind, later it checks if IP_TRANSPARENT is set as part of the
route lookup, at [3]. I don't see a similar validation done for IPv6 if
we egress from a non-local IP.

This is also consistent with what happens when one sets the source IP in
sendmsg using the IP_PKTINFO cmsg, given that in IPv4 the validation is
performed outside of the cmsg handler (again in [3]), but for IPv6 the
validation seems to be performed within the cmsg handler itself, at [4].

So what I'm wondering is if this apparent discrepancy is due to
historical reasons, or if I'm missing something else.

Given IPv6 allows one to egress non-local traffic without
IP_TRANSPARENT, thus without the need to set up special
permissions/capabilities, is there a reason for IPv4 to not behave the
same way?

Thanks,
Tiago.

[1]
https://lore.kernel.org/r/20240913-reverse-sk-lookup-v1-0-e721ea003d4c@cloudflare.com
[2]
https://elixir.bootlin.com/linux/v6.11.3/source/net/ipv6/af_inet6.c#L383
[3]
https://elixir.bootlin.com/linux/v6.11.3/source/net/ipv4/route.c#L2686
[4]
https://elixir.bootlin.com/linux/v6.11.3/source/net/ipv6/datagram.c#L829

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ