netdev.vger.kernel.org archive mirror
From: Tom Herbert <tom@herbertland.com>
To: davem@davemloft.net, netdev@vger.kernel.org
Cc: Tom Herbert <tom@quantonium.net>
Subject: [PATCH net-next 3/4] ipv6: Reference RFC8504 for limits in padding and EH
Date: Sun, 26 May 2019 14:15:05 -0700
Message-ID: <1558905306-2968-4-git-send-email-tom@quantonium.net>
In-Reply-To: <1558905306-2968-1-git-send-email-tom@quantonium.net>

RFC8504 specifies requirements for applying limits to Hop-by-Hop
and Destination Options extension headers and options (including
padding). Reference this RFC appropriately.

Signed-off-by: Tom Herbert <tom@quantonium.net>
---
 include/net/ipv6.h | 9 +++++----
 net/ipv6/exthdrs.c | 3 ++-
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index daf8086..fd01823 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -54,10 +54,11 @@
 
 /* Limits on Hop-by-Hop and Destination options.
  *
- * Per RFC8200 there is no limit on the maximum number or lengths of options in
- * Hop-by-Hop or Destination options other then the packet must fit in an MTU.
- * We allow configurable limits in order to mitigate potential denial of
- * service attacks.
+ * Section 5.3 of RFC8504 describes limits that may be applied by an
+ * implementation to protect a node from excessive extension header options
+ * (for instance, to protect a node from denial of service attacks where
+ * the attacker sends packets filled with tiny options that will be skipped
+ * by a receiver).
  *
  * There are three limits that may be set:
  *   - Limit the number of options in a Hop-by-Hop or Destination options
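
Review bot: the rewritten opening of this comment block drops two things the removed lines stated: that RFC8200 itself sets no limit on the number or lengths of options other than fitting in an MTU, and that the limits here are configurable. With only "Section 5.3 of RFC8504 describes limits that may be applied by an implementation", a reader cannot tell from this comment that the limits are local policy rather than a protocol requirement. Suggest keeping one sentence to that effect ahead of the RFC8504 reference. The "(for instance, ...)" parenthetical also runs over three lines and would read more easily as its own sentence.
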
diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index fdb4a32..f0e0f7a 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -153,7 +153,8 @@ static bool ip6_parse_tlv(const struct tlvtype_proc *procs,
 			/* RFC 8200 states that the purpose of PadN is
 			 * to align the containing header to multiples
 			 * of 8. 7 is therefore the highest valid value.
-			 * See also RFC 4942, Section 2.1.9.5.
+			 * See also RFC 4942, Section 2.1.9.5, and
+			 * RFC 8504, Section 5.3.
 			 */
 			padlen += optlen;
 			if (padlen > 7)
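
Review bot: in the PadN comment, the added "RFC 8504, Section 5.3" reference is appended without saying what it contributes to this check, and the comment still speaks of a single PadN while the code beneath it does "padlen += optlen" before "if (padlen > 7)", so the test is on a running total. Suggest wording the comment in terms of accumulated padding and stating which of the cited documents motivates the limit of 7. Style: this hunk writes "RFC 8504" with a space while the ipv6.h hunk in the same patch writes "RFC8504"; pick one form.
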
-- 
2.7.4

