public inbox for netdev@vger.kernel.org 
From: Simon Horman <horms@verge•net.au>
To: David Miller <davem@davemloft•net>
Cc: fbl@redhat•com, netdev@vger•kernel.org
Subject: Re: ICMP redirect issue
Date: Sat, 1 Oct 2011 12:22:56 +0900
Message-ID: <20111001032255.GG2781@verge.net.au>
In-Reply-To: <20110928.191255.1803703769504267178.davem@davemloft.net>

On Wed, Sep 28, 2011 at 07:12:55PM -0400, David Miller wrote:
> From: David Miller <davem@davemloft•net>
> Date: Wed, 28 Sep 2011 18:56:54 -0400 (EDT)
> 
> > From: Flavio Leitner <fbl@redhat•com>
> > Date: Wed, 28 Sep 2011 17:19:52 -0300
> > 
> >> What about something like below? It will change a bit the
> >> secure_redirects documentation.
> > 
> > The previous check was stronger, and served other purposes.
> > 
> > Firstly, it required that the spoofer know the exact gateway
> > IP address we used previously, whereas your test requires only
> > knowing the subnet which is easier to figure out.
> > 
> > But more importantly, the old test allowed us to ignore outdated
> > or erroneous redirects.
> > 
> > We really have to restore the original behavior before my inetpeer
> > changes (enforce that the old gateway matches), and find another way
> > to accommodate IPVS.
> 
> BTW, I just double-checked RFC1122 and it explicitly specifies the
> old_gw check:
> 
> [ RFC1122, section 3.2.2.2 ]
> 
>  ...
> 
> 	A Redirect message SHOULD be silently discarded if the new
> 	gateway address it specifies is not on the same connected
> 	(sub-) net through which the Redirect arrived [INTRO:2,
> 	Appendix A], or if the source of the Redirect is not the
> 	current first-hop gateway for the specified destination (see
> 	Section 3.3.1).
> 
> In fact, it's saying that we should also validate that saddr == old_gw
> too.
> 
> So really, we need to put the check back and find a way to accommodate IPVS.

Hi Dave,

I have to admit that this issue is new to me.
But doesn't it affect any setup where a secondary
address is being used as the gateway and the gateway
sends an ICMP redirect?

Perhaps an option to weaken the check for these cases
would provide a work-around for those who need it.
Or does that break your inetpeer changes horribly?
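
The two redirect checks discussed in this thread, side by side, as an added example that is not code from the kernel or from anyone in the thread. It assumes the weaker test only requires the sender to be on the connected subnet and that a gateway with a secondary address sources its redirects from its primary address; `struct route_state`, the function names and all addresses are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Hypothetical per-destination host state; not a kernel structure. */
struct route_state {
    uint32_t if_addr; /* our address on the interface the redirect arrived on */
    uint32_t if_mask; /* netmask of that connected subnet */
    uint32_t cur_gw;  /* current first-hop gateway for the destination */
};

/* Constructed sample: host 192.0.2.10/24 routes via the gateway's
 * secondary address .254; the gateway's primary address is .1. */
static const struct route_state SAMPLE = {
    IP4(192, 0, 2, 10), IP4(255, 255, 255, 0), IP4(192, 0, 2, 254)
};
static const uint32_t GW_PRIMARY = IP4(192, 0, 2, 1);
static const uint32_t GW_SECONDARY = IP4(192, 0, 2, 254);
static const uint32_t OTHER_HOST = IP4(192, 0, 2, 66); /* unrelated on-link sender */
static const uint32_t NEW_GW = IP4(192, 0, 2, 2);

static bool on_link(const struct route_state *rs, uint32_t addr)
{
    return ((addr ^ rs->if_addr) & rs->if_mask) == 0;
}

/* RFC 1122 3.2.2.2: new gateway on the connected subnet, and the
 * redirect's source is the current first-hop gateway (saddr == old_gw). */
static bool redirect_ok_strict(const struct route_state *rs, uint32_t saddr, uint32_t new_gw)
{
    return on_link(rs, new_gw) && saddr == rs->cur_gw;
}

/* Assumed form of the weaker test: the sender only has to be on-link. */
static bool redirect_ok_subnet_only(const struct route_state *rs, uint32_t saddr, uint32_t new_gw)
{
    return on_link(rs, new_gw) && on_link(rs, saddr);
}

int main(void)
{
    const uint32_t src[] = { GW_SECONDARY, GW_PRIMARY, OTHER_HOST };
    for (int i = 0; i < 3; i++)
        printf("saddr=.%u strict=%d subnet_only=%d\n", (unsigned)(src[i] & 0xff),
               redirect_ok_strict(&SAMPLE, src[i], NEW_GW),
               redirect_ok_subnet_only(&SAMPLE, src[i], NEW_GW));
    return 0;
}
```

The strict check drops the redirect sourced from the gateway's primary address, which is the secondary-address case raised above, while the subnet-only check accepts it but equally accepts one from any other on-link sender.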
