netdev
[Top] [All Lists]

Re: source routing honored by hosts?

To: <usagi-users@xxxxxxxxxxxxxx>
Subject: Re: source routing honored by hosts?
From: Pekka Savola <pekkas@xxxxxxxxxx>
Date: Sun, 9 Sep 2001 15:55:21 +0300 (EEST)
Cc: <ak@xxxxxx>, <dlstevens@xxxxxxxxxx>, <netdev@xxxxxxxxxxx>, <davem@xxxxxxxxxx>
In-reply-to: <Pine.LNX.4.33.0109011445490.19412-100000@xxxxxxxxxx>
Sender: owner-netdev@xxxxxxxxxxx
On Sat, 1 Sep 2001, Pekka Savola wrote:
> One could argue, though, that obeying source routing should be togglable,
> as it's impossible to authenticate, and may allow the packets traverse
> where they normally should never be able to go.
>
> (Rather challenging to firewall, too, as real destination can be hidden
> in the routing header options.. urghh..)
>
> And don't you just love....:
>
> Security Considerations
>
>    The security features of IPv6 are described in the Security
>    Architecture for the Internet Protocol [RFC-2401].
>
> sigh.  the ipsec security pixie dust at it again.
>
> Writing to ipng mailing list..

There has not been an "official" statement on ipng IETF list on this, but
the general consensus seems to be that hosts should not forward
source-routed frames, at least by default.

Perhaps it would be time to introduce 'accept_source_route' sysctl toggle
for IPv6 too; some want to turn off doing source routing e.g. in
access-routers and the like.

So, as an intermediate approach, I think what David proposed is a good
way (device-specific forwarding toggle might be a good thing too, but
separate issue to be discussed):

--- linux-2.4/net/ipv6/ip6_output.c     Thu Apr 19 18:38:50 2001
+++ linux-2.4.new/net/ipv6/ip6_output.c Sun Sep  9 14:56:32 2001
@@ -724,7 +724,9 @@
        struct ipv6hdr *hdr = skb->nh.ipv6h;
        struct inet6_skb_parm *opt =(struct inet6_skb_parm*)skb->cb;

-       if (ipv6_devconf.forwarding == 0 && opt->srcrt == 0)
+       /* Note: RFC2460 implies all nodes should do source routing, but it
+          doesn't make sense for hosts and there would be no way to toggle it 
off */
+       if (ipv6_devconf.forwarding == 0)
                goto error;

        skb->ip_summed = CHECKSUM_NONE;

(this practically reverts one of many changes in r1.14 from 3 years ago).

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords




<Prev in Thread] Current Thread [Next in Thread>