In article <20010901122229.64064@xxxxxxxxxxxx> (at Sat, 1 Sep 2001 12:22:29
+0200), Andi Kleen <ak@xxxxxx> says:
> On Sat, Sep 01, 2001 at 01:14:11AM +0200, David Stevens wrote:
> > ip6_forward() has the following two lines:
> >
> > if (ipv6_devconf.forwarding == 0 && opt->srcrt == 0)
> > goto error;
> >
> > Aside from the other issue of per-interface forwarding :-), this appears to
> > allow forwarding of source-routed packets even when the node is a host, only.
> > That seems to be a security hole to me. Suppose you have a multihomed host, or
> > seems to be a security hole to me. Suppose you have a multihomed host, or
> > if (ipv6_devconf.forwarding == 0)
> > goto error;
>
> Definitely.
NO. In IPv6, even if a node is not a router (i.e. it is a host),
it MUST forward source-routed packets. So,
> > if (ipv6_devconf.forwarding == 0 && opt->srcrt == 0)
> > goto error;
is OK.
RFC 2460 says:
4.4 Routing Header
:
If, while processing a received packet, a *node* encounters a Routing
~~~~~~
header with an unrecognized Routing Type value, the required behavior
of the node depends on the value of the Segments Left field, as
follows:
:
While,
2. Terminology
node - a device that implements IPv6.
router - a node that forwards IPv6 packets not explicitly
addressed to itself. [See Note below].
host - any node that is not a router. [See Note below].
--yoshfuji
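The two rules the thread turns on, the ip6_forward() gate and the RFC 2460 section 4.4 treatment of a received Routing Header, as an added C model written for this page (not kernel code and not from any poster); rh_classify() and ip6_forward_gate() are hypothetical names, and the Routing Header bytes are constructed inline:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added illustration, not Linux code: models the host/router decision
 * discussed above and the RFC 2460 4.4 rules for a received Routing Header. */
enum rh_action {
    RH_PROCEED,        /* Segments Left == 0: header is ignored, keep processing */
    RH_SOURCE_ROUTE,   /* Type 0 with Segments Left > 0: packet is source-routed */
    RH_PARAM_PROBLEM,  /* discard and send ICMP Parameter Problem */
    RH_DROP            /* truncated header */
};

/* Leading octets common to every Routing Header (RFC 2460, section 4.4). */
struct rt_hdr {
    uint8_t nexthdr;
    uint8_t hdrlen;         /* 8-octet units, excluding the first 8 octets */
    uint8_t type;
    uint8_t segments_left;
};

/* Classify a Routing Header found while processing a received packet.
 * Only Routing Type 0 is treated as recognized, as in the 2001 kernel. */
enum rh_action rh_classify(const uint8_t *buf, size_t len)
{
    struct rt_hdr rh;
    if (len < sizeof rh)
        return RH_DROP;
    memcpy(&rh, buf, sizeof rh);
    if (rh.segments_left == 0)
        return RH_PROCEED;             /* recognized or not, header is ignored */
    if (rh.type != 0)
        return RH_PARAM_PROBLEM;       /* unrecognized type, Segments Left != 0 */
    if (rh.hdrlen & 1)
        return RH_PARAM_PROBLEM;       /* Type 0 requires an even Hdr Ext Len */
    if (rh.segments_left > rh.hdrlen / 2)
        return RH_PARAM_PROBLEM;       /* more segments than addresses carried */
    return RH_SOURCE_ROUTE;
}

/* The gate quoted from ip6_forward(): the error path is taken only when the
 * node is configured as a host (forwarding == 0) AND the packet is not
 * source-routed. 'forwarding' stands in for ipv6_devconf.forwarding, and
 * rh_buf may be NULL when the packet carries no Routing Header.
 * Returns 1 when the packet may be forwarded, 0 for the error path. */
int ip6_forward_gate(int forwarding, const uint8_t *rh_buf, size_t rh_len)
{
    int srcrt = rh_buf != NULL && rh_classify(rh_buf, rh_len) == RH_SOURCE_ROUTE;
    if (forwarding == 0 && srcrt == 0)
        return 0;
    return 1;
}
```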