From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Cc: netfilter-devel@vger.kernel.org, linux-sctp@vger.kernel.org,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
mkubecek@suse.cz
Subject: Re: [PATCH] netfilter: nf_ct_sctp: validate vtag for new conntrack entries
Date: Mon, 04 Jan 2016 12:11:49 +0000 [thread overview]
Message-ID: <20160104121149.GA3941@salvia> (raw)
In-Reply-To: <20151230114918.GA16270@localhost.localdomain>
Hi Marcelo,
On Wed, Dec 30, 2015 at 09:49:18AM -0200, Marcelo Ricardo Leitner wrote:
> Please don't. Currently there is no other way to do it. The check I want
> to add only works on a corner case of what we already have, on which we
> can do better. It's just that. The way Michal handled the state
> transitions is very good and the fact that the conntrack entries are
> created as NEW, makes them pass the same user validation rules as a real
> new association would do. So there can't be any hitch-hicking...
>
> And for vtag probing, that's not an issue either because SCTP just drops
> such heartbeat requests with invalid vtags (at sctp_sf_beat_8_3).
>
> The only vector of attack I can think of that the initial multi-homing
> support would allow is a DoS, a flood of incoming heartbeat requests.
> Such flood would _not_ end up on the association buffer because if the
> transport tuple (src ip, dst ip, src port, dst port) doesn't match a
> known association, it's discarded. It's just as any other DoS, but as
> they pass the same user validation rules, there should be rules
> restricting the rate or IP range or something like that if user is
> worried with that. Nothing that could jeopardize the original
> association.
>
> Note that the transport validation is performed before the vtag one, and
> the stack behavior is to also drop out of the blue packets silently.
> Meaning that even if the attacker get a hit at the 32-bit vtag, it will
> be discarded by the transport validation firstly.
Makes sense indeed, thanks for explaining. Then we have to find a
incremental path to extend Michal change to make it fit into what we
have.
> So what my patch add to it, it pulls/adds this vtag check to an earlier
> moment, from the stack itself to the firewall, so that the peer
> firewall will be a bit more stateful.
Please check if you can fit part of this logic into l4proto->error(),
just like ICMP v4 protocol tracker.
BTW, I think these new flows should enter as RELATED, not as NEW, just
like ICMP protocol tracker does.
Your patch basically looks to me like an ad-hoc expectation
infrastructure to handle this case.
Thanks.
WARNING: multiple messages have this Message-ID (diff)
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Cc: netfilter-devel@vger.kernel.org, linux-sctp@vger.kernel.org,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
mkubecek@suse.cz
Subject: Re: [PATCH] netfilter: nf_ct_sctp: validate vtag for new conntrack entries
Date: Mon, 4 Jan 2016 13:11:49 +0100 [thread overview]
Message-ID: <20160104121149.GA3941@salvia> (raw)
In-Reply-To: <20151230114918.GA16270@localhost.localdomain>
Hi Marcelo,
On Wed, Dec 30, 2015 at 09:49:18AM -0200, Marcelo Ricardo Leitner wrote:
> Please don't. Currently there is no other way to do it. The check I want
> to add only works on a corner case of what we already have, on which we
> can do better. It's just that. The way Michal handled the state
> transitions is very good and the fact that the conntrack entries are
> created as NEW, makes them pass the same user validation rules as a real
> new association would do. So there can't be any hitch-hicking...
>
> And for vtag probing, that's not an issue either because SCTP just drops
> such heartbeat requests with invalid vtags (at sctp_sf_beat_8_3).
>
> The only vector of attack I can think of that the initial multi-homing
> support would allow is a DoS, a flood of incoming heartbeat requests.
> Such flood would _not_ end up on the association buffer because if the
> transport tuple (src ip, dst ip, src port, dst port) doesn't match a
> known association, it's discarded. It's just as any other DoS, but as
> they pass the same user validation rules, there should be rules
> restricting the rate or IP range or something like that if user is
> worried with that. Nothing that could jeopardize the original
> association.
>
> Note that the transport validation is performed before the vtag one, and
> the stack behavior is to also drop out of the blue packets silently.
> Meaning that even if the attacker get a hit at the 32-bit vtag, it will
> be discarded by the transport validation firstly.
Makes sense indeed, thanks for explaining. Then we have to find a
incremental path to extend Michal change to make it fit into what we
have.
> So what my patch add to it, it pulls/adds this vtag check to an earlier
> moment, from the stack itself to the firewall, so that the peer
> firewall will be a bit more stateful.
Please check if you can fit part of this logic into l4proto->error(),
just like ICMP v4 protocol tracker.
BTW, I think these new flows should enter as RELATED, not as NEW, just
like ICMP protocol tracker does.
Your patch basically looks to me like an ad-hoc expectation
infrastructure to handle this case.
Thanks.
next prev parent reply other threads:[~2016-01-04 12:11 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-08 13:11 [PATCH] netfilter: nf_ct_sctp: validate vtag for new conntrack entries Marcelo Ricardo Leitner
2015-12-08 13:11 ` Marcelo Ricardo Leitner
2015-12-10 12:02 ` Pablo Neira Ayuso
2015-12-10 12:02 ` Pablo Neira Ayuso
2015-12-10 13:16 ` Marcelo Ricardo Leitner
2015-12-10 13:16 ` Marcelo Ricardo Leitner
2015-12-10 13:42 ` Pablo Neira Ayuso
2015-12-10 13:42 ` Pablo Neira Ayuso
2015-12-10 14:06 ` Marcelo Ricardo Leitner
2015-12-10 14:06 ` Marcelo Ricardo Leitner
2015-12-10 17:06 ` Pablo Neira Ayuso
2015-12-10 17:06 ` Pablo Neira Ayuso
2015-12-15 19:03 ` Marcelo Ricardo Leitner
2015-12-15 19:03 ` Marcelo Ricardo Leitner
2015-12-17 11:05 ` Pablo Neira Ayuso
2015-12-17 11:05 ` Pablo Neira Ayuso
2015-12-24 12:50 ` Marcelo Ricardo Leitner
2015-12-24 12:50 ` Marcelo Ricardo Leitner
2015-12-30 0:03 ` Pablo Neira Ayuso
2015-12-30 0:03 ` Pablo Neira Ayuso
2015-12-30 11:49 ` Marcelo Ricardo Leitner
2015-12-30 11:49 ` Marcelo Ricardo Leitner
2016-01-04 12:11 ` Pablo Neira Ayuso [this message]
2016-01-04 12:11 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160104121149.GA3941@salvia \
--to=pablo@netfilter.org \
--cc=linux-sctp@vger.kernel.org \
--cc=marcelo.leitner@gmail.com \
--cc=mkubecek@suse.cz \
--cc=netfilter-devel@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=vyasevich@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.