| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251112001744.24479-3-tom@herbertland.com> Date: Tue, 11 Nov 2025 16:16:00 -0800 From: Tom Herbert <tom@...bertland.com> To: tom@...bertland.com, davem@...emloft.net, kuba@...nel.org, netdev@...r.kernel.org Subject: [RFC net-next 2/3] ipv6: Disable IPv6 Destination Options RX processing by default Set IP6_DEFAULT_MAX_HBH_OPTS_CNT to zero. This disables processing of Destinations Options extension headers by default. Processing can be enabled by setting the net.ipv6.max_dst_opts_number to a non-zero value. The rationale for this is that Destination Options pose a serious risk of Denial off Service attack. The problem is that even if the default limit is set to a small number (previously it was eight) there is still the possibility of a DoS attack. All an attacker needs to do is create and MTU size packet filled with 8 bytes Destination Options Extension Headers. Each Destination EH simply contains a single padding option with six bytes of zeroes. In a 1500 byte MTU size packet, 182 of these dummy Destination Options headers can be placed in a packet. Per RFC8200, a host must accept and process a packet with any number of Destination Options extension headers. So when the stack processes such a packet it is a lot of work and CPU cycles that provide zero benefit. The packet can be designed such that every byte after the IP header requires a conditional check and branch prediction can be rendered useless for that. This also may mean over twenty cache misses per packet. In other words, these packets filled with dummy Destination Options extension headers are the basis for what would be an effective DoS attack. Disabling Destination Options is not a major issue for the following reasons: * Linux kernel only supports one Destination Option (Home Address Option). There is no evidence this has seen any real world use * On the Internet packets with Destination Options are dropped with a high enough rate such that use of Destination Options is not feasible * It is unknown however quite possible that no one anywhere is using Destination Options for anything but experiments, class projects, or DoS. If someone is using them in their private network then it's easy enough to configure a non-zero limit for their use case --- include/net/ipv6.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/include/net/ipv6.h b/include/net/ipv6.h index 74fbf1ad8065..723a254c0b90 100644 --- a/include/net/ipv6.h +++ b/include/net/ipv6.h @@ -86,8 +86,11 @@ struct ip_tunnel_info; * silently discarded. */ -/* Default limits for Hop-by-Hop and Destination options */ -#define IP6_DEFAULT_MAX_DST_OPTS_CNT 8 +/* Default limits for Hop-by-Hop and Destination options. By default + * packets received with Destination Options headers are dropped to thwart + * Denial of Service attacks (see sysctl documention) + */ +#define IP6_DEFAULT_MAX_DST_OPTS_CNT 0 #define IP6_DEFAULT_MAX_HBH_OPTS_CNT 8 #define IP6_DEFAULT_MAX_DST_OPTS_LEN INT_MAX /* No limit */ #define IP6_DEFAULT_MAX_HBH_OPTS_LEN INT_MAX /* No limit */ -- 2.43.0
Powered by blists - more mailing lists