IPv6 equivalent of secure_redirects

From Dheeraj Kandula <dkandula@gmail.com>
Newsgroups linux.debian.maint.ipv6
Subject IPv6 equivalent of secure_redirects
Date 2022-06-16 16:50 +0200
Message-ID <EyYYN-5cX0-5@gated-at.bofh.it>
Organization linux.* mail to news gateway

Hi All,
      In IPv4, while validating received ICMPv4 redirects, we use
secure_redirects.

When set to 1, the destination router suggested in the redirect message
should be one of the default gateways known to the host.

net.ipv4.conf.all.secure_redirects = 1

*Is there an equivalent one for IPv6? I couldn't find one.*

Also, *is there a check if the source from which the ICMP redirect is sent
is known to us or not?*

I came across the code of the function isatap_chksrc in the net/ipv6/sit.c
file. Do the following lines of code ensure that the source is known to the
host that received the redirect, or are they part of the tunneling code?

	if (p) {
		if (p->flags & PRL_DEFAULT)
			skb->ndisc_nodetype = NDISC_NODETYPE_DEFAULT;
		else
			skb->ndisc_nodetype = NDISC_NODETYPE_NODEFAULT;
	} else {
		const struct in6_addr *addr6 = &ipv6_hdr(skb)->saddr;

		if (ipv6_addr_is_isatap(addr6) &&
		    (addr6->s6_addr32[3] == iph->saddr) &&
		    ipv6_chk_prefix(addr6, t->dev))
			skb->ndisc_nodetype = NDISC_NODETYPE_HOST;
		else
			ok = 0;
	}

Dheeraj
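
A user-space model of the IPv4 rule stated in the post (the router suggested in the redirect must be one of the default gateways known to the host), added here as an illustration; it is not the kernel's implementation and not code from the original message. The helper name and the routing-table sample are constructed, and the sample assumes the /proc/net/route text layout as printed on a little-endian host.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define RTF_UP      0x0001  /* route usable */
#define RTF_GATEWAY 0x0002  /* destination is reached through a gateway */

/* Constructed sample in /proc/net/route layout (little-endian host), not a capture. */
static const char SAMPLE_ROUTES[] =
    "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t0101A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n"  /* default via 192.168.1.1 */
    "eth0\t0001A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n"  /* 192.168.1.0/24 on-link */
    "eth0\t0000000A\tFE01A8C0\t0003\t0\t0\t100\t000000FF\t0\t0\t0\n"; /* 10.0.0.0/8 via 192.168.1.254 */

/* Hypothetical helper: 1 if new_gw is the gateway of an up default route in
 * `routes`, 0 if it is not, -1 if new_gw is not a valid IPv4 address. */
int redirect_gw_is_default(const char *routes, const char *new_gw)
{
    struct in_addr gw;
    if (inet_pton(AF_INET, new_gw, &gw) != 1)
        return -1;
    const unsigned char *want = (const unsigned char *)&gw.s_addr; /* network order */
    const char *line = strchr(routes, '\n');          /* skip the header row */
    while (line && *++line) {
        char ifn[32];
        unsigned dst, via, flags, mask;
        if (sscanf(line, "%31s %x %x %x %*d %*d %*d %x", ifn, &dst, &via, &flags, &mask) == 5 &&
            dst == 0 && mask == 0 &&                  /* 0.0.0.0/0 only */
            (flags & (RTF_UP | RTF_GATEWAY)) == (RTF_UP | RTF_GATEWAY)) {
            /* The hex field holds the address bytes least-significant first. */
            unsigned char have[4] = { via & 0xff, (via >> 8) & 0xff,
                                      (via >> 16) & 0xff, (via >> 24) & 0xff };
            if (memcmp(have, want, 4) == 0)
                return 1;
        }
        line = strchr(line, '\n');
    }
    return 0;
}

int main(void)
{
    const char *candidates[] = { "192.168.1.1", "192.168.1.254", "192.168.1.77" };
    for (int i = 0; i < 3; i++)
        printf("redirect to %-14s -> %s\n", candidates[i],
               redirect_gw_is_default(SAMPLE_ROUTES, candidates[i]) == 1 ? "accept" : "reject");
    return 0;
}
```

In the sample, 192.168.1.254 is rejected even though it is a gateway for 10.0.0.0/8, because only gateways of the default route count under this rule.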
