| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cover.1769464405.git.marcdevel@gmail.com> Date: Tue, 27 Jan 2026 00:53:01 +0100 From: Marc Suñé <marcdevel@...il.com> To: kuba@...nel.org, willemdebruijn.kernel@...il.com, pabeni@...hat.com Cc: netdev@...r.kernel.org, dborkman@...nel.org, vadim.fedorenko@...ux.dev, Marc Suñé <marcdevel@...il.com> Subject: [PATCH net v2 0/4] discard ARP/NDP b/mcast/null announce (poison) The current ARP and NDP implementations accept announcements with multicast (broadcast incl.) and null MAC addresses as Sender HW Address (SHA) in ARP or src/target lladdr in NDP, and updates the cache for that neighbour. Multicast (incl. broadcast) and null MAC addresses shall never be associated with a unicast or a multicast IPv4/6 address (see RFC1812, section 3.3.2). ARP/NDP poisioning with a broadcast and certain multicast MAC addresses, especially when poisoning a Gateway IP, have some undesired implications compared to an ARP/NDP poisioning with a regular MAC (see commit message in patch 1 for more information). Worth mentioning that if an attacker is able to ARP/NDP poison in a L2 segment, that in itself is probably a bigger security threat (Man-in-middle etc., see Note2 in patch 1) Since these MACs should never be announced, this patch series discards/drops these packets, which prevents broadcast and multicast ARP/NDP poisoning vectors. This patchset only modifies the behaviour of the neighbouring subsystem when processing network packets. Static entries can still be added with mcast/bcast/null MACs. v1: https://lore.kernel.org/netdev/cover.1766349632.git.marcdevel@gmail.com/ Changes since RFC v1 ==================== - Discard announcements with multicast MAC addresses - Check for dev->type == ARPHRD_ETHER instead of HW addrlen in ARP - Use !is_valid_ether_addr() - Added multicast test coverage and renamed tests accordingly - Dropped patch 5 (scapy utils) Comments ======== As discussed in v1, certain Load Balancers make use of Multicast MAC addresses for their VIPs: https://support.huawei.com/enterprise/en/doc/EDOC1100213154/d8621162/dynamic-learning-of-arp-entries-with-multicast-mac-addresses https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-network-to-support-nlb-operation-mode But as stated in the Microsoft NLB documentation, it is expected that static entries are created for it to work: To support this configuration, you must configure the network infrastructure to use static ARP entries and MAC address table entries. Network switches cannot learn the NLB multicast MAC address in the course of their usual operations. If you skip the manual configuration step, the network switches may flood NLB traffic to all ports or drop packets. The network may seem to function correctly at first, but problems increase over time. Marc Suñé (4): arp: discard invalid sha addr (b/mcast ARP poison) selftests/net: add no ARP b/mcast,null poison test neigh: discard invalid lladdr (b/mcast poison) selftests/net: add no NDP b/mcast,null poison test net/ipv4/arp.c | 8 + net/ipv6/ndisc.c | 16 + tools/testing/selftests/net/.gitignore | 2 + tools/testing/selftests/net/Makefile | 3 + .../net/arp_ndisc_no_invalid_sha_poison.sh | 368 ++++++++++++++++++ tools/testing/selftests/net/arp_send.c | 138 +++++++ tools/testing/selftests/net/ndisc_send.c | 198 ++++++++++ 7 files changed, 733 insertions(+) create mode 100755 tools/testing/selftests/net/arp_ndisc_no_invalid_sha_poison.sh create mode 100644 tools/testing/selftests/net/arp_send.c create mode 100644 tools/testing/selftests/net/ndisc_send.c -- 2.47.3
Powered by blists - more mailing lists