Message-ID: <20260119211212.55026-1-tom@herbertland.com>
Date: Mon, 19 Jan 2026 13:12:05 -0800
From: Tom Herbert <tom@...bertland.com>
To: davem@...emloft.net,
	kuba@...nel.org,
	netdev@...r.kernel.org,
	justin.iurman@...ege.be
Cc: Tom Herbert <tom@...bertland.com>
Subject: [PATCH net-next v3 0/7] ipv6: Address ext hdr DoS vulnerabilities

IPv6 extension headers are defined to be quite open ended with few
limits. For instance, RFC8200 requires a receiver to process any
number of extension headers in a packet in any order. This flexibility
comes at the cost of a potential Denial of Service attack. The only
thing that might mitigate the DoS attacks is the fact that packets
with extension headers experience high drop rates on the Internet so
that a DoS attack based on extension wouldn't be very effective at
Internet scale.

This patch set addresses some of the more egregious vulnerabilities
of extension headers to DoS attack. 

- If sysctl.max_dst_opts_cnt or hbh_opts_cnt are set to 0 then that
  disallows packets with Destination Options or Hop-by-Hop Options even
  if the packet contains zero non-padding options

- Add a case for IPV6_TLV_TNL_ENCAP_LIMIT in the switch on TLV type
  in ip6_parse_tlv function. This TLV is handled in tunnel processing,
  however it needs to be detected in ip6_parse_tlv to properly account
  for it as recognized non-padding option

- Move IPV6_TLV_TNL_ENCAP_LIMIT to uapi/linux/in6.h so that all the
  TLV definitions are in one place

- Set the default limits of non-padding Hop-by-Hop and Destination
  options to 2. This means that if a packet contains more than two
  non-padding options then it will be dropped. The previous limit
  was 8, but that was too liberal considering that the stack only
  supports two Destination Options and the most Hop-by-Hop options
  likely to ever be in the same packet are IOAM and JUMBO. The limit
  can be increased via sysctl for private use and experimentation

- Enforce RFC8200 recommended ordering of Extension Headers. This
  also enforces that any Extension Header occurs at most once
  in a packet (Destination Options before the Routing Header is
  considered deprecated, so Destination Options may only appear once).
  The enforce_ext_hdr_order sysctl controls enforcement. If it's set
  to true then order is enforced, if it's set to false then neither
  order nor number of occurrences are enforced.

  The enforced ordering is:

    IPv6 header
    Hop-by-Hop Options header
    Routing header
    Fragment header
    Authentication header
    Encapsulating Security Payload header
    Destination Options header
    Upper-Layer header

Tom Herbert (7):
  ipv6: Check of max HBH or DestOp sysctl is zero and drop if it is
  ipv6: Add case for IPV6_TLV_TNL_ENCAP_LIMIT in EH TLV switch
  ipv6: Cleanup IPv6 TLV definitions
  ipv6: Set HBH and DestOpt limits to 2
  ipv6: Document defaults for max_{dst|hbh}_opts_number sysctls
  ipv6: Enforce Extension Header ordering
  ipv6: Document enforce_ext_hdr_order sysctl

 Documentation/networking/ip-sysctl.rst | 53 +++++++++++++++++++++-----
 include/net/ipv6.h                     |  9 +++--
 include/net/netns/ipv6.h               |  1 +
 include/net/protocol.h                 | 16 ++++++++
 include/uapi/linux/in6.h               | 21 ++++++----
 include/uapi/linux/ip6_tunnel.h        |  1 -
 net/ipv6/af_inet6.c                    |  1 +
 net/ipv6/exthdrs.c                     | 20 ++++++++--
 net/ipv6/ip6_input.c                   | 14 +++++++
 net/ipv6/reassembly.c                  |  1 +
 net/ipv6/sysctl_net_ipv6.c             |  7 ++++
 net/ipv6/xfrm6_protocol.c              |  2 +
 12 files changed, 123 insertions(+), 23 deletions(-)

-- 
2.43.0
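
A user-space sketch of the ordering rule listed in the cover letter above, added here as an illustration; it is not code from the patch set. The names `eh_rank` and `eh_order_check` are hypothetical, the sample packet bytes are constructed, and the walk assumes an unfragmented packet or a first fragment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA protocol numbers, listed in the enforced order (AH before ESP). */
enum { NH_HBH = 0, NH_ROUTING = 43, NH_FRAGMENT = 44,
       NH_AH = 51, NH_ESP = 50, NH_DSTOPTS = 60 };
static const uint8_t eh_order[] = { NH_HBH, NH_ROUTING, NH_FRAGMENT,
                                    NH_AH, NH_ESP, NH_DSTOPTS };

/* 1-based position in the enforced order; 0 = upper-layer header. */
static int eh_rank(uint8_t nh)
{
    for (size_t i = 0; i < sizeof(eh_order); i++)
        if (eh_order[i] == nh)
            return (int)i + 1;
    return 0;
}

/* first_nh: Next Header of the IPv6 header; p/len: the bytes after it.
 * Returns 0 = accept, -1 = out of order or repeated, -2 = truncated. */
int eh_order_check(uint8_t first_nh, const uint8_t *p, size_t len)
{
    int last = 0, rank;
    uint8_t nh = first_nh;
    size_t off = 0, hlen;
    while ((rank = eh_rank(nh)) != 0) {
        if (rank <= last)
            return -1;         /* strictly increasing => at most once */
        last = rank;
        if (nh == NH_ESP)
            return 0;          /* the rest is encrypted, stop here */
        if (len - off < 8)
            return -2;         /* every extension header is >= 8 bytes */
        if (nh == NH_FRAGMENT)  hlen = 8;
        else if (nh == NH_AH)   hlen = ((size_t)p[off + 1] + 2) * 4;
        else                    hlen = ((size_t)p[off + 1] + 1) * 8;
        if (hlen > len - off)
            return -2;
        nh = p[off];           /* Next Header field of this header */
        off += hlen;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: Destination Options, then Hop-by-Hop, then TCP. */
    static const uint8_t bad[] = { 0,0,1,4,0,0,0,0, 6,0,1,4,0,0,0,0 };
    printf("%d\n", eh_order_check(NH_DSTOPTS, bad, sizeof(bad)));
    return 0;
}
```

Because the rank must strictly increase, the same comparison rejects both a misordered header and a repeated one.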

