From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
To: netdev@vger.kernel.org, hannes@stressinduktion.org
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Subject: Re: [PATCH] ipv6: add anti-spoofing checks for 6to4 and 6rd
Date: Fri, 18 Jan 2013 00:44:11 +0900
Message-ID: <50F81C4B.3050406@linux-ipv6.org>
In-Reply-To: <20130117033258.GA23782@order.stressinduktion.org>
Hannes Frederic Sowa wrote:
> This patch adds anti-spoofing checks in sit.c as specified in RFC3964
> section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the
> checks which could easily be implemented with netfilter.
>
> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
> ---
> net/ipv6/sit.c | 27 +++++++++++++++++++++++++--
> 1 file changed, 25 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
> index cfba99b..2b4c15a 100644
> --- a/net/ipv6/sit.c
> +++ b/net/ipv6/sit.c
> @@ -590,6 +590,22 @@ out:
> return err;
> }
>
> +static int sit_chksrc(struct ip_tunnel *tunnel, const __be32 *addr,
> + const struct in6_addr *addr6)
> +{
> +#ifdef CONFIG_IPV6_SIT_6RD
> + if (ipv6_prefix_equal(addr6, &tunnel->ip6rd.prefix,
> + tunnel->ip6rd.prefixlen) &&
> + memcmp(addr, &addr6->s6_addr16[1], 4))
> + return 0;
> +#else
> + if (addr6->s6_addr16[0] == htons(0x2002) &&
> + memcmp(addr, &addr6->s6_addr16[1], 4))
> + return 0;
> +#endif
> + return 1;
>
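Review bot: the `memcmp(addr, &addr6->s6_addr16[1], 4)` used in both branches of sit_chksrc assumes the embedded IPv4 address always starts at bit 16 and is present in full, which is true for 6to4 (2002::/16) but not for a general 6rd tunnel: there the embedded bits start at `tunnel->ip6rd.prefixlen` (the same length the ipv6_prefix_equal() call just above already consults) and only 32 - relay_prefixlen of them are present, the remainder being the configured relay prefix. Derive the embedded address from prefixlen and relay_prefixlen instead of a fixed offset, or the check will either reject legitimate 6rd traffic or wave through spoofed sources on any deployment whose prefix is not exactly 16 bits. Two smaller points: with CONFIG_IPV6_SIT_6RD the literal 2002::/16 test is compiled out, so 6to4 is only covered as far as ip6rd.prefix happens to describe it, and the function's int result (0 = reject, 1 = accept, on a function named "chk") deserves a one-line comment so callers do not invert it.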
It seems wrong. The check should be done for
- inner source prefix,
- embedded source with relay_prefix,
- inner destination prefix.
Note: embedded destination is not being checked.
--yoshfuji
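The check the review asks for, as an added example that is not part of Hannes's patch or of the kernel: a user-space C routine that rebuilds the IPv4 address embedded in a 6to4 or 6rd address (RFC 5969 layout: the 6rd prefix, then the IPv4 address minus its relay_prefixlen high bits, which are restored from relay_prefix; 2002::/16 with relay_prefixlen 0 is plain 6to4) and compares it with the outer IPv4 header. Struct and function names here are assumptions; calling it once for the source pair and once for the destination pair covers the three items listed above.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>

/* Tunnel parameters modelled on the kernel's ip6rd fields (field names are
 * assumptions for this example). prefix 2002::/16, relay_prefixlen 0 = 6to4. */
struct rd_params {
	struct in6_addr prefix;   /* 6rd (or 6to4 2002::) prefix */
	unsigned prefixlen;       /* prefix length in bits, 0..96 */
	uint32_t relay_prefix;    /* IPv4 bits shared by the whole domain, network order */
	unsigned relay_prefixlen; /* count of those shared high bits (RFC 5969 IPv4MaskLen) */
};

static int prefix_equal(const struct in6_addr *a, const struct in6_addr *p, unsigned len)
{
	for (unsigned i = 0; i < len; i++)   /* bit by bit: clarity over speed */
		if (((a->s6_addr[i / 8] ^ p->s6_addr[i / 8]) >> (7 - i % 8)) & 1)
			return 0;
	return 1;
}

/* Rebuild the IPv4 address embedded in a6: the 32 - relay_prefixlen bits that
 * follow the 6rd prefix, with relay_prefix restored on top. Network byte order. */
uint32_t rd_embedded_v4(const struct rd_params *p, const struct in6_addr *a6)
{
	unsigned nbits = 32 - p->relay_prefixlen, bit = p->prefixlen;
	uint32_t host = 0;
	for (unsigned i = 0; i < nbits; i++, bit++)
		host = (host << 1) | ((a6->s6_addr[bit / 8] >> (7 - bit % 8)) & 1);
	return p->relay_prefix | htonl(host);
}

/* 1 if inner6 is consistent with outer_v4, 0 if the pair is spoofed. Addresses
 * outside the prefix are not this check's business (left to netfilter) and pass. */
int rd_addr_ok(const struct rd_params *p, uint32_t outer_v4, const struct in6_addr *inner6)
{
	if (!prefix_equal(inner6, &p->prefix, p->prefixlen))
		return 1;
	return rd_embedded_v4(p, inner6) == outer_v4;
}

/* String front end: run once on (outer src, inner src), once on (outer dst, inner dst). */
int sit_pair_ok(const char *pfx, unsigned pfxlen, const char *relay, unsigned relaylen,
		const char *outer4, const char *inner6)
{
	struct rd_params p = { .prefixlen = pfxlen, .relay_prefixlen = relaylen };
	struct in6_addr a6;
	if (inet_pton(AF_INET6, pfx, &p.prefix) != 1 || inet_pton(AF_INET6, inner6, &a6) != 1)
		return 0;
	/* keep only the relay_prefixlen high bits of the relay prefix */
	p.relay_prefix = relaylen ? inet_addr(relay) & htonl(0xffffffffu << (32 - relaylen)) : 0;
	return rd_addr_ok(&p, inet_addr(outer4), &a6);
}
```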