public inbox for netdev@vger.kernel.org 
From: Flavio Leitner <fbl@redhat•com>
To: netdev <netdev@vger•kernel.org>
Subject: ICMP redirect issue
Date: Tue, 27 Sep 2011 16:21:20 -0300
Message-ID: <20110927162120.30394030@asterix.rh>

Hi,

While investigating an issue on Red Hat Enterprise Linux, I found that
upstream commit below removed the old_gw check.

commit f39925dbde7788cfb96419c0f092b086aa325c0f
Author: David S. Miller <davem@davemloft•net>
Date:   Wed Feb 9 22:00:16 2011 -0800

    ipv4: Cache learned redirect information in inetpeer.

The issue is about the gateway being an LVS, so the servers behind it use
the IP alias address as the default gateway.  However, when the gateway
sends an ICMP redirect, it comes from the primary IP address, which is
ignored on older kernels because of the old_gw check:

-                               if (rth->rt_dst != daddr ||
-                                   rth->rt_src != saddr ||
-                                   rth->dst.error ||
-                                   rth->rt_gateway != old_gw ||
-                                   rth->dst.dev != dev)
-                                       break;
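Review bot: dropping `rth->rt_gateway != old_gw` means a cached route is now updated even when the ICMP redirect does not come from the gateway that route currently uses, which is exactly the LVS VIP/primary-address case described above; the dropped `rth->dst.dev != dev` comparison likewise no longer ties the redirect to the route's outgoing device. Either carry those two comparisons over to the new inetpeer path or state in the commit message why they are no longer needed.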


Well, the consequence is that the issue doesn't happen in newer kernels
because it happily accepts the ICMP redirect.

The admin can still control, using shared_media and secure_redirects,
whether the host should accept only ICMP redirects for gateways listed in
the default gateway list or not.

In terms of security, if someone manages to send an ICMP redirect, then
I think it is possible to fake the saddr to appear as coming from the
correct gateway.

So, I'm not seeing a problem, but I was told to bring this up to netdev.
Thoughts?

thanks,
fbl
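The acceptance decision discussed in this message, as an added illustration that is not the kernel's code and not part of the thread: a simplified Python model of an ICMP redirect being checked against a cached route, with the old_gw comparison that commit f39925dbde77 removed made switchable. The Route/Redirect/Sysctl fields, the reading of secure_redirects and shared_media, and the RFC 5737 addresses are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Route:          # the cached route on a real server behind the LVS
    dst: str          # rt_dst
    gateway: str      # rt_gateway: the LVS alias (VIP) the servers point at
    dev: str          # dst.dev

@dataclass
class Redirect:       # fields the kernel pulls out of an ICMP redirect
    saddr: str        # IP source of the message; the kernel uses this as old_gw
    daddr: str        # destination the redirect is about
    new_gw: str       # gateway advertised in the ICMP header
    dev: str          # interface it arrived on

@dataclass
class Sysctl:
    secure_redirects: bool = True
    shared_media: bool = False
    default_gateways: tuple = ()   # stand-in for the FIB default gateway list
    onlink: str = "192.0.2.0/24"   # subnet of dev, used for the shared_media test

def accept_redirect(route, rd, sc, old_gw_check=True):
    """Simplified model: True if the redirect would update the cached route."""
    new_gw = ip_address(rd.new_gw)
    if rd.new_gw == rd.saddr or new_gw.is_multicast or new_gw.is_unspecified:
        return False
    # shared_media=0: the new gateway must be on the receiving link
    if not sc.shared_media and new_gw not in ip_network(sc.onlink):
        return False
    # secure_redirects=1: the new gateway must be a known default gateway
    if sc.secure_redirects and rd.new_gw not in sc.default_gateways:
        return False
    if route.dst != rd.daddr or route.dev != rd.dev:
        return False
    # Removed by commit f39925dbde77: redirect must come from the route's gateway
    if old_gw_check and route.gateway != rd.saddr:
        return False
    return True

# Constructed LVS-style scenario (RFC 5737 documentation addresses).
ROUTE = Route(dst="198.51.100.10", gateway="192.0.2.1", dev="eth0")
REDIRECT = Redirect(saddr="192.0.2.2", daddr="198.51.100.10",
                    new_gw="192.0.2.3", dev="eth0")   # sent from the primary IP
SYSCTL = Sysctl(default_gateways=("192.0.2.1", "192.0.2.3"))

def lvs_case():
    """(old kernel with the old_gw check, newer kernel without it)."""
    return (accept_redirect(ROUTE, REDIRECT, SYSCTL, old_gw_check=True),
            accept_redirect(ROUTE, REDIRECT, SYSCTL, old_gw_check=False))
```

With the check, the redirect from the primary address is dropped because it does not match the VIP the route uses; without it, the same redirect is accepted once the secure_redirects and shared_media tests pass.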


Thread overview: 6+ messages
2011-09-27 19:21 Flavio Leitner [this message]
2011-09-28 18:06 ` ICMP redirect issue David Miller
2011-09-28 20:19   ` Flavio Leitner
2011-09-28 22:56     ` David Miller
2011-09-28 23:12       ` David Miller
2011-10-01  3:22         ` Simon Horman
