From: Johannes Berg <johannes@sipsolutions.net>
To: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [RFC] net: ipv4: drop unicast encapsulated in L2 multicast
Date: Wed, 27 Aug 2014 11:05:13 +0200 [thread overview]
Message-ID: <1409130313.2505.3.camel@jlt4.sipsolutions.net> (raw)
In-Reply-To: <1409125114.11976.14.camel@localhost>
On Wed, 2014-08-27 at 09:38 +0200, Hannes Frederic Sowa wrote:
> > And if it's *not* in the IPv6 RFCs, how should we implement this?
>
> I haven't found anything, too. Should I bring this up with IETF?
I don't know if that's really useful? OTOH, there surely must have been
a reason for this to be in the IPv4 RFC, so maybe for that same reason
it should also be in the IPv6 RFC?
However, in our particular case, it's really meant only to close the
so-called "hole-196" vulnerability where rogue clients in your network
can abuse the GTK to do some attacks. Those attacks are also always
possible on non-managed ethernet segments, but those can be segregated
more easily by client than shared medium wireless.
This is only one building block for addressing the vulnerability. The
idea here was that in the wireless stack we already check
frame encrypted with GTK => must have multicast destination address
and in the IPv4 stack we can check
frame has multicast destination address => must have multicast/broadcast
IP addr
This would address this point.
The question now is, in the absence of such a latter required check (and
indeed, in the case of CLUSTERIP), how we implement such a check.
Perhaps a sysctl is needed after all?
johannes
next prev parent reply other threads:[~2014-08-27 9:05 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-21 17:22 [RFC] net: ipv4: drop unicast encapsulated in L2 multicast Johannes Berg
2014-08-21 17:32 ` Johannes Berg
[not found] ` <1408642331.4388.2.camel-8Nb76shvtaUJvtFkdXX2HixXY32XiHfO@public.gmane.org>
2014-08-27 7:38 ` Hannes Frederic Sowa
2014-08-27 9:05 ` Johannes Berg [this message]
2014-08-27 9:53 ` Hannes Frederic Sowa
2014-09-02 9:36 ` Johannes Berg
2014-09-03 1:59 ` YOSHIFUJI Hideaki
[not found] ` <540675F2.1030308-GmhWrQMWH5w7YuNMryXyOw@public.gmane.org>
2014-09-02 22:03 ` David Miller
[not found] ` <20140902.150326.1420682815750767731.davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
2014-09-03 12:01 ` Hannes Frederic Sowa
2014-08-21 19:51 ` Julian Anastasov
[not found] ` <alpine.LFD.2.11.1408212119510.1896-c1lBKlETG9EWAawoAK+ZAw@public.gmane.org>
2014-08-22 17:54 ` David Miller
2014-08-27 9:13 ` Johannes Berg
[not found] ` <1409130792.2505.5.camel-8Nb76shvtaUJvtFkdXX2HixXY32XiHfO@public.gmane.org>
2014-08-27 10:23 ` Julian Anastasov
[not found] ` <alpine.LFD.2.11.1408271255230.2348-c1lBKlETG9EWAawoAK+ZAw@public.gmane.org>
2014-08-27 11:29 ` Johannes Berg
2014-08-27 14:31 ` Julian Anastasov
2014-09-02 9:33 ` Johannes Berg
[not found] ` <20140822.105405.1982870131653082781.davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
2014-11-20 21:31 ` Johannes Berg
[not found] ` <1408641747-22199-1-git-send-email-johannes-cdvu00un1VgdHxzADdlk8Q@public.gmane.org>
2014-09-02 21:16 ` Stephen Hemminger
2014-09-03 9:40 ` Johannes Berg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1409130313.2505.3.camel@jlt4.sipsolutions.net \
--to=johannes@sipsolutions.net \
--cc=hannes@stressinduktion.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).