Patchwork ipv6: add anti-spoofing checks for 6to4 and 6rd

login
register
mail settings
Submitter Hannes Frederic Sowa
Date Jan. 18, 2013, 8:04 p.m.
Message ID <20130118200416.GB4795@order.stressinduktion.org>
Download mbox | patch
Permalink /patch/213740/
State Changes Requested
Delegated to: David Miller
Headers show

Comments

Hannes Frederic Sowa - Jan. 18, 2013, 8:04 p.m.
This patch adds anti-spoofing checks in sit.c as specified in RFC3964
section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the
checks which could easily be implemented with netfilter.

Specifically this patch adds following logic (based loosely on the
pseudocode in RFC3964 section 5.2):

if prefix (inner_src_v6) == rd6_prefix (2002::/16 is the default)
        and outer_src_v4 != embedded_ipv4 (inner_src_v6)
                drop
if prefix (inner_dst_v6) == rd6_prefix (or 2002::/16 is the default)
        and outer_dst_v4 != embedded_ipv4 (inner_dst_v6)
                drop
accept

To accomplish the specified security checks proposed by above RFCs,
it is still necessary to employ uRPF filters with netfilter. These new
checks only kick in if the employed addresses are within the 2002::/16 or
another range specified by the 6rd-prefix (which defaults to 2002::/16).

Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
---
 net/ipv6/sit.c | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)
YOSHIFUJI Hideaki / 吉藤英明 - Jan. 19, 2013, 1:35 a.m.
(2013年01月19日 05:04), Hannes Frederic Sowa wrote:
> This patch adds anti-spoofing checks in sit.c as specified in RFC3964
> section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the
> checks which could easily be implemented with netfilter.
> 
> Specifically this patch adds following logic (based loosely on the
> pseudocode in RFC3964 section 5.2):
> 
> if prefix (inner_src_v6) == rd6_prefix (2002::/16 is the default)
>         and outer_src_v4 != embedded_ipv4 (inner_src_v6)
>                 drop
> if prefix (inner_dst_v6) == rd6_prefix (or 2002::/16 is the default)
>         and outer_dst_v4 != embedded_ipv4 (inner_dst_v6)
>                 drop
> accept
> 
> To accomplish the specified security checks proposed by above RFCs,
> it is still necessary to employ uRPF filters with netfilter. These new
> checks only kick in if the employed addresses are within the 2002::/16 or
> another range specified by the 6rd-prefix (which defaults to 2002::/16).

It seems this breaks 6rd receiving rules:

BR:
	if (outer src ip4 != embedded src ip4)
		drop();
CE:
	if (outer src ip4 != embedded src ip4 ||
	    inner dest ip6 != configured ip6 prefix)
		drop();

No?

--yoshfuji
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Hannes Frederic Sowa - Jan. 20, 2013, 3:37 a.m.
On Sat, Jan 19, 2013 at 10:35:49AM +0900, YOSHIFUJI Hideaki wrote:
> (2013年01月19日 05:04), Hannes Frederic Sowa wrote:
> > This patch adds anti-spoofing checks in sit.c as specified in RFC3964
> > section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the
> > checks which could easily be implemented with netfilter.
> > 
> > Specifically this patch adds following logic (based loosely on the
> > pseudocode in RFC3964 section 5.2):
> > 
> > if prefix (inner_src_v6) == rd6_prefix (2002::/16 is the default)
> >         and outer_src_v4 != embedded_ipv4 (inner_src_v6)
> >                 drop
> > if prefix (inner_dst_v6) == rd6_prefix (or 2002::/16 is the default)
> >         and outer_dst_v4 != embedded_ipv4 (inner_dst_v6)
> >                 drop
> > accept
> > 
> > To accomplish the specified security checks proposed by above RFCs,
> > it is still necessary to employ uRPF filters with netfilter. These new
> > checks only kick in if the employed addresses are within the 2002::/16 or
> > another range specified by the 6rd-prefix (which defaults to 2002::/16).
> 
> It seems this breaks 6rd receiving rules:
> 
> BR:
> 	if (outer src ip4 != embedded src ip4)
> 		drop();
> CE:
> 	if (outer src ip4 != embedded src ip4 ||
> 	    inner dest ip6 != configured ip6 prefix)
> 		drop();
> 
> No?

Could you give me a concrete example? I have tested this patch on BR
and CE with different 6rd prefixes (and lengths) and have not seen
any breakage. Perhaps I am missing something.

Thanks,

  Hannes

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Hannes Frederic Sowa - Jan. 22, 2013, 8:20 a.m.
Hello!

On Sat, Jan 19, 2013 at 10:35:49AM +0900, YOSHIFUJI Hideaki wrote:
> It seems this breaks 6rd receiving rules:
> 
> BR:
> 	if (outer src ip4 != embedded src ip4)
> 		drop();

Of course, this would break 6rd as would it break 6to4. Note here, that
I also check for the inner ipv6 prefix. This check is only done, if the
inner ipv6 prefix matches a) the 6to4 prefix or b) the 6rd prefix. In 6rd,
as in 6to4, communication between 6rd nodes should take place directly,
without need for a relay. (Otherwise packets would get dropped, because
both source and destination ipv6 address would be in the 6rd/6to4 prefix
and the ipv4 addresses would not match, because one of them would be
the relay address.)

> CE:
> 	if (outer src ip4 != embedded src ip4 ||
> 	    inner dest ip6 != configured ip6 prefix)
> 		drop();

Dito, would also break 6to4. Every packet from non-6rd domain would
violate this rule. I do also check the 6rd/6to4 prefix in this case.

In general, if the inner ipv6 address, regardless of source or
destination, does not match the 6rd/6to4 prefix, the packet will pass
without further checks from my patch.

> 
> No?

I think that the distinction between BR and CE would make thinks just
more complicated. Also 6rd can be seen as a superset of 6to4 and should
not make any changes to the receiving rules, except being more tight.

Thanks,

  Hannes

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index cfba99b..5a09f13 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -73,6 +73,8 @@  static int ipip6_tunnel_init(struct net_device *dev);
 static void ipip6_tunnel_setup(struct net_device *dev);
 static void ipip6_dev_free(struct net_device *dev);
 static struct rtnl_link_ops sit_link_ops __read_mostly;
+static inline __be32 try_6rd(const struct in6_addr *v6dst,
+			     struct ip_tunnel *tunnel);
 
 static int sit_net_id __read_mostly;
 struct sit_net {
@@ -590,6 +592,22 @@  out:
 	return err;
 }
 
+static int sit_chk_encap_addr(struct ip_tunnel *tunnel, const __be32 *addr,
+			      const struct in6_addr *addr6)
+{
+#ifdef CONFIG_IPV6_SIT_6RD
+	if (ipv6_prefix_equal(addr6, &tunnel->ip6rd.prefix,
+			      tunnel->ip6rd.prefixlen) &&
+	    *addr != try_6rd(addr6, tunnel))
+		return 0;
+#else
+	if (addr6->s6_addr16[0] == htons(0x2002) &&
+	    *addr != try_6rd(addr6, tunnel))
+		return 0;
+#endif
+	return 1;
+}
+
 static int ipip6_rcv(struct sk_buff *skb)
 {
 	const struct iphdr *iph;
@@ -613,8 +631,15 @@  static int ipip6_rcv(struct sk_buff *skb)
 		skb->protocol = htons(ETH_P_IPV6);
 		skb->pkt_type = PACKET_HOST;
 
-		if ((tunnel->dev->priv_flags & IFF_ISATAP) &&
-		    !isatap_chksrc(skb, iph, tunnel)) {
+		if (tunnel->dev->priv_flags & IFF_ISATAP) {
+			if (!isatap_chksrc(skb, iph, tunnel)) {
+				tunnel->dev->stats.rx_errors++;
+				goto out;
+			}
+		} else if (!sit_chk_encap_addr(tunnel, &iph->saddr,
+					       &ipv6_hdr(skb)->saddr) ||
+			   !sit_chk_encap_addr(tunnel, &iph->daddr,
+					       &ipv6_hdr(skb)->daddr)) {
 			tunnel->dev->stats.rx_errors++;
 			goto out;
 		}