| Message ID | 20130118200416.GB4795@order.stressinduktion.org |
|---|---|
| State | Changes Requested, archived |
| Delegated to: | David Miller |
| Headers | show |
(2013年01月19日 05:04), Hannes Frederic Sowa wrote: > This patch adds anti-spoofing checks in sit.c as specified in RFC3964 > section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the > checks which could easily be implemented with netfilter. > > Specifically this patch adds following logic (based loosely on the > pseudocode in RFC3964 section 5.2): > > if prefix (inner_src_v6) == rd6_prefix (2002::/16 is the default) > and outer_src_v4 != embedded_ipv4 (inner_src_v6) > drop > if prefix (inner_dst_v6) == rd6_prefix (or 2002::/16 is the default) > and outer_dst_v4 != embedded_ipv4 (inner_dst_v6) > drop > accept > > To accomplish the specified security checks proposed by above RFCs, > it is still necessary to employ uRPF filters with netfilter. These new > checks only kick in if the employed addresses are within the 2002::/16 or > another range specified by the 6rd-prefix (which defaults to 2002::/16). It seems this breaks 6rd receiving rules: BR: if (outer src ip4 != embedded src ip4) drop(); CE: if (outer src ip4 != embedded src ip4 || inner dest ip6 != configured ip6 prefix) drop(); No? --yoshfuji -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sat, Jan 19, 2013 at 10:35:49AM +0900, YOSHIFUJI Hideaki wrote: > (2013年01月19日 05:04), Hannes Frederic Sowa wrote: > > This patch adds anti-spoofing checks in sit.c as specified in RFC3964 > > section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the > > checks which could easily be implemented with netfilter. > > > > Specifically this patch adds following logic (based loosely on the > > pseudocode in RFC3964 section 5.2): > > > > if prefix (inner_src_v6) == rd6_prefix (2002::/16 is the default) > > and outer_src_v4 != embedded_ipv4 (inner_src_v6) > > drop > > if prefix (inner_dst_v6) == rd6_prefix (or 2002::/16 is the default) > > and outer_dst_v4 != embedded_ipv4 (inner_dst_v6) > > drop > > accept > > > > To accomplish the specified security checks proposed by above RFCs, > > it is still necessary to employ uRPF filters with netfilter. These new > > checks only kick in if the employed addresses are within the 2002::/16 or > > another range specified by the 6rd-prefix (which defaults to 2002::/16). > > It seems this breaks 6rd receiving rules: > > BR: > if (outer src ip4 != embedded src ip4) > drop(); > CE: > if (outer src ip4 != embedded src ip4 || > inner dest ip6 != configured ip6 prefix) > drop(); > > No? Could you give me a concrete example? I have tested this patch on BR and CE with different 6rd prefixes (and lengths) and have not seen any breakage. Perhaps I am missing something. Thanks, Hannes -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hello! On Sat, Jan 19, 2013 at 10:35:49AM +0900, YOSHIFUJI Hideaki wrote: > It seems this breaks 6rd receiving rules: > > BR: > if (outer src ip4 != embedded src ip4) > drop(); Of course, this would break 6rd as would it break 6to4. Note here, that I also check for the inner ipv6 prefix. This check is only done, if the inner ipv6 prefix matches a) the 6to4 prefix or b) the 6rd prefix. In 6rd, as in 6to4, communication between 6rd nodes should take place directly, without need for a relay. (Otherwise packets would get dropped, because both source and destination ipv6 address would be in the 6rd/6to4 prefix and the ipv4 addresses would not match, because one of them would be the relay address.) > CE: > if (outer src ip4 != embedded src ip4 || > inner dest ip6 != configured ip6 prefix) > drop(); Dito, would also break 6to4. Every packet from non-6rd domain would violate this rule. I do also check the 6rd/6to4 prefix in this case. In general, if the inner ipv6 address, regardless of source or destination, does not match the 6rd/6to4 prefix, the packet will pass without further checks from my patch. > > No? I think that the distinction between BR and CE would make thinks just more complicated. Also 6rd can be seen as a superset of 6to4 and should not make any changes to the receiving rules, except being more tight. Thanks, Hannes -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c index cfba99b..5a09f13 100644 --- a/net/ipv6/sit.c +++ b/net/ipv6/sit.c @@ -73,6 +73,8 @@ static int ipip6_tunnel_init(struct net_device *dev); static void ipip6_tunnel_setup(struct net_device *dev); static void ipip6_dev_free(struct net_device *dev); static struct rtnl_link_ops sit_link_ops __read_mostly; +static inline __be32 try_6rd(const struct in6_addr *v6dst, + struct ip_tunnel *tunnel); static int sit_net_id __read_mostly; struct sit_net { @@ -590,6 +592,22 @@ out: return err; } +static int sit_chk_encap_addr(struct ip_tunnel *tunnel, const __be32 *addr, + const struct in6_addr *addr6) +{ +#ifdef CONFIG_IPV6_SIT_6RD + if (ipv6_prefix_equal(addr6, &tunnel->ip6rd.prefix, + tunnel->ip6rd.prefixlen) && + *addr != try_6rd(addr6, tunnel)) + return 0; +#else + if (addr6->s6_addr16[0] == htons(0x2002) && + *addr != try_6rd(addr6, tunnel)) + return 0; +#endif + return 1; +} + static int ipip6_rcv(struct sk_buff *skb) { const struct iphdr *iph; @@ -613,8 +631,15 @@ static int ipip6_rcv(struct sk_buff *skb) skb->protocol = htons(ETH_P_IPV6); skb->pkt_type = PACKET_HOST; - if ((tunnel->dev->priv_flags & IFF_ISATAP) && - !isatap_chksrc(skb, iph, tunnel)) { + if (tunnel->dev->priv_flags & IFF_ISATAP) { + if (!isatap_chksrc(skb, iph, tunnel)) { + tunnel->dev->stats.rx_errors++; + goto out; + } + } else if (!sit_chk_encap_addr(tunnel, &iph->saddr, + &ipv6_hdr(skb)->saddr) || + !sit_chk_encap_addr(tunnel, &iph->daddr, + &ipv6_hdr(skb)->daddr)) { tunnel->dev->stats.rx_errors++; goto out; }
This patch adds anti-spoofing checks in sit.c as specified in RFC3964 section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the checks which could easily be implemented with netfilter. Specifically this patch adds following logic (based loosely on the pseudocode in RFC3964 section 5.2): if prefix (inner_src_v6) == rd6_prefix (2002::/16 is the default) and outer_src_v4 != embedded_ipv4 (inner_src_v6) drop if prefix (inner_dst_v6) == rd6_prefix (or 2002::/16 is the default) and outer_dst_v4 != embedded_ipv4 (inner_dst_v6) drop accept To accomplish the specified security checks proposed by above RFCs, it is still necessary to employ uRPF filters with netfilter. These new checks only kick in if the employed addresses are within the 2002::/16 or another range specified by the 6rd-prefix (which defaults to 2002::/16). Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Cc: David Miller <davem@davemloft.net> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> --- net/ipv6/sit.c | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-)