* [PATCH] IPv6: Protect proxied addresses against DAD
@ 2003-08-20 11:40 Ville Nuorvala
2003-08-20 11:43 ` (usagi-core 15040) " YOSHIFUJI Hideaki / 吉藤英明
2003-08-20 18:24 ` David S. Miller
0 siblings, 2 replies; 5+ messages in thread
From: Ville Nuorvala @ 2003-08-20 11:40 UTC (permalink / raw)
To: davem, usagi-core; +Cc: netdev
[-- Attachment #1: Type: TEXT/PLAIN, Size: 402 bytes --]
Hi,
a proxy has to reply to DAD probes, otherwise it can't protect its
addresses. The attached patch fixes this, please apply!
Thanks,
Ville
PS. Dave, you misspelled my email address in csets 1.1199.1.10,
1.1199.1.12 and 1.1199.1.16 ;)
--
Ville Nuorvala
Research Assistant, Institute of Digital Communications,
Helsinki University of Technology
email: vnuorval@tcs.hut.fi, phone: +358 (0)9 451 5257
[-- Attachment #2: Type: TEXT/PLAIN, Size: 1310 bytes --]
--- linux-2.5.OLD/net/ipv6/ndisc.c 2003-08-20 14:10:16.000000000 +0300
+++ linux-2.5/net/ipv6/ndisc.c 2003-08-20 14:10:30.000000000 +0300
@@ -861,7 +861,8 @@
struct inet6_dev *in6_dev = in6_dev_get(dev);
if (in6_dev && in6_dev->cnf.forwarding &&
- (addr_type & IPV6_ADDR_UNICAST) &&
+ (addr_type & IPV6_ADDR_UNICAST ||
+ addr_type == IPV6_ADDR_ANY) &&
pneigh_lookup(&nd_tbl, &msg->target, dev, 0)) {
int inc = ipv6_addr_type(daddr)&IPV6_ADDR_MULTICAST;
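Review bot: The condition now admits `addr_type == IPV6_ADDR_ANY` with no comment saying that an unspecified source address is what marks a DAD probe, so the reason for the extra arm is not evident from the code. Add a one-line comment above the `if`, and keep the inner parentheses, `((addr_type & IPV6_ADDR_UNICAST) || addr_type == IPV6_ADDR_ANY)`, so the test does not depend on `&` binding tighter than `||`.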
@@ -874,12 +875,20 @@
else
nd_tbl.stats.rcv_probes_ucast++;
- neigh = neigh_event_ns(&nd_tbl, lladdr, saddr, dev);
+ if (addr_type & IPV6_ADDR_UNICAST) {
+ neigh = neigh_event_ns(&nd_tbl, lladdr, saddr, dev);
- if (neigh) {
- ndisc_send_na(dev, neigh, saddr, &msg->target,
- 0, 1, 0, 1);
- neigh_release(neigh);
+ if (neigh) {
+ ndisc_send_na(dev, neigh, saddr, &msg->target,
+ 0, 1, 0, 1);
+ neigh_release(neigh);
+ }
+ } else {
+ /* proxy should also protect against DAD */
+ struct in6_addr maddr;
+ ipv6_addr_all_nodes(&maddr);
+ ndisc_send_na(dev, NULL, &maddr, &msg->target,
+ 0, 0, 0, 1);
}
} else {
struct sk_buff *n = skb_clone(skb, GFP_ATOMIC);
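Review bot: In the new `else` branch the comment "proxy should also protect against DAD" does not say that the branch is reached only when `addr_type == IPV6_ADDR_ANY`, and the flag arguments change from `0, 1, 0, 1` in the unicast branch to `0, 0, 0, 1` with no explanation. State the branch condition in the comment and say why the second flag is cleared for the multicast reply.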
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: (usagi-core 15040) [PATCH] IPv6: Protect proxied addresses against DAD
2003-08-20 11:40 [PATCH] IPv6: Protect proxied addresses against DAD Ville Nuorvala
@ 2003-08-20 11:43 ` YOSHIFUJI Hideaki / 吉藤英明
2003-08-20 12:58 ` Ville Nuorvala
2003-08-20 18:24 ` David S. Miller
1 sibling, 1 reply; 5+ messages in thread
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2003-08-20 11:43 UTC (permalink / raw)
To: vnuorval; +Cc: davem, netdev, usagi-core
In article <Pine.LNX.4.44.0308201423500.541-200000@rhea.tcs.hut.fi> (at Wed, 20 Aug 2003 14:40:14 +0300 (EEST)), Ville Nuorvala <vnuorval@tcs.hut.fi> says:
> --- linux-2.5.OLD/net/ipv6/ndisc.c 2003-08-20 14:10:16.000000000 +0300
> +++ linux-2.5/net/ipv6/ndisc.c 2003-08-20 14:10:30.000000000 +0300
> @@ -861,7 +861,8 @@
> struct inet6_dev *in6_dev = in6_dev_get(dev);
>
> if (in6_dev && in6_dev->cnf.forwarding &&
> - (addr_type & IPV6_ADDR_UNICAST) &&
> + (addr_type & IPV6_ADDR_UNICAST ||
> + addr_type == IPV6_ADDR_ANY) &&
> pneigh_lookup(&nd_tbl, &msg->target, dev, 0)) {
> int inc = ipv6_addr_type(daddr)&IPV6_ADDR_MULTICAST;
>
I believe we don't need this chunk.
--ypshfuj
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: (usagi-core 15040) [PATCH] IPv6: Protect proxied addresses against DAD
2003-08-20 11:43 ` (usagi-core 15040) " YOSHIFUJI Hideaki / 吉藤英明
@ 2003-08-20 12:58 ` Ville Nuorvala
2003-08-20 13:39 ` YOSHIFUJI Hideaki / 吉藤英明
0 siblings, 1 reply; 5+ messages in thread
From: Ville Nuorvala @ 2003-08-20 12:58 UTC (permalink / raw)
To: YOSHIFUJI Hideaki / 吉藤英明
Cc: davem, netdev, usagi-core
[-- Attachment #1: Type: TEXT/PLAIN, Size: 1569 bytes --]
On Wed, 20 Aug 2003, YOSHIFUJI Hideaki / 吉藤英明 wrote:
> In article <Pine.LNX.4.44.0308201423500.541-200000@rhea.tcs.hut.fi> (at Wed, 20 Aug 2003 14:40:14 +0300 (EEST)), Ville Nuorvala <vnuorval@tcs.hut.fi> says:
>
> > --- linux-2.5.OLD/net/ipv6/ndisc.c 2003-08-20 14:10:16.000000000 +0300
> > +++ linux-2.5/net/ipv6/ndisc.c 2003-08-20 14:10:30.000000000 +0300
> > @@ -861,7 +861,8 @@
> > struct inet6_dev *in6_dev = in6_dev_get(dev);
> >
> > if (in6_dev && in6_dev->cnf.forwarding &&
> > - (addr_type & IPV6_ADDR_UNICAST) &&
> > + (addr_type & IPV6_ADDR_UNICAST ||
> > + addr_type == IPV6_ADDR_ANY) &&
> > pneigh_lookup(&nd_tbl, &msg->target, dev, 0)) {
> > int inc = ipv6_addr_type(daddr)&IPV6_ADDR_MULTICAST;
> >
>
> I believe we don't need this chunk.
No, it is needed. Normal neighbor solicitations are sent using a unicast
source address, but DAD probes are sent using the unspecified address as
source.
If the check for IPV6_ADDR_ANY isn't done right there, the proxy won't
handle the DAD probes, since it never enters the shown if block.
The new
if (addr_type & IPV6_ADDR_UNICAST) {
...
} else { <- addr_type == IPV6_ADDR_ANY
...
}
block inside it handles the different cases, sending a unicast NA to a
normal NS and a multicast NA to a DAD.
I've updated the comment in my new patch to clarify this. Please use it
instead.
Regards,
Ville
--
Ville Nuorvala
Research Assistant, Institute of Digital Communications,
Helsinki University of Technology
email: vnuorval@tcs.hut.fi, phone: +358 (0)9 451 5257
[-- Attachment #2: Type: TEXT/PLAIN, Size: 1311 bytes --]
--- linux-2.5.OLD/net/ipv6/ndisc.c 2003-08-20 14:10:16.000000000 +0300
+++ linux-2.5/net/ipv6/ndisc.c 2003-08-20 15:39:39.000000000 +0300
@@ -861,7 +861,8 @@
struct inet6_dev *in6_dev = in6_dev_get(dev);
if (in6_dev && in6_dev->cnf.forwarding &&
- (addr_type & IPV6_ADDR_UNICAST) &&
+ (addr_type & IPV6_ADDR_UNICAST ||
+ addr_type == IPV6_ADDR_ANY) &&
pneigh_lookup(&nd_tbl, &msg->target, dev, 0)) {
int inc = ipv6_addr_type(daddr)&IPV6_ADDR_MULTICAST;
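Review bot: With an unspecified source now accepted in this condition, nothing in the hunk requires `daddr` to be multicast; `inc` is only computed from it. RFC 2461 section 7.1.1 says a solicitation sent from the unspecified address must be addressed to a solicited-node multicast address, so if that is not validated earlier in the function, drop the `IPV6_ADDR_ANY` case inside the block when `inc` is zero.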
@@ -874,12 +875,19 @@
else
nd_tbl.stats.rcv_probes_ucast++;
- neigh = neigh_event_ns(&nd_tbl, lladdr, saddr, dev);
+ if (addr_type & IPV6_ADDR_UNICAST) {
+ neigh = neigh_event_ns(&nd_tbl, lladdr, saddr, dev);
- if (neigh) {
- ndisc_send_na(dev, neigh, saddr, &msg->target,
- 0, 1, 0, 1);
- neigh_release(neigh);
+ if (neigh) {
+ ndisc_send_na(dev, neigh, saddr, &msg->target,
+ 0, 1, 0, 1);
+ neigh_release(neigh);
+ }
+ } else { /* addr_type == IPV6_ADDR_ANY, i.e. a DAD probe */
+ struct in6_addr maddr;
+ ipv6_addr_all_nodes(&maddr);
+ ndisc_send_na(dev, NULL, &maddr, &msg->target,
+ 0, 0, 0, 1);
}
} else {
struct sk_buff *n = skb_clone(skb, GFP_ATOMIC);
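Review bot: The `else` branch passes `NULL` as the neighbour argument to `ndisc_send_na()`, whereas the unicast branch only calls it with a non-NULL `neigh`. Confirm that `ndisc_send_na()` handles a NULL neighbour when the destination is multicast, and note it in the comment. The bare `else` also relies on the outer condition to guarantee `IPV6_ADDR_ANY`; `else if (addr_type == IPV6_ADDR_ANY)` would keep that true if the outer test is widened later.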
^ permalink raw reply [flat|nested] 5+ messages in thread
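The reply rule described in the message above (unicast NA for a normal NS, all-nodes multicast NA for a DAD probe), modelled in userspace C as an added example; it is not code from the thread or from the kernel. `na_plan`, `proxy_na_plan` and `plan_for` are hypothetical names, and the flag values and the validity check follow RFC 2461 sections 7.1.1 and 7.2.4.

```c
/* Added example: userspace model, not kernel code. All names are hypothetical. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

struct na_plan {
    struct in6_addr dst;   /* destination of the Neighbor Advertisement */
    int solicited;         /* S flag */
    int override;          /* O flag, left 0 for a proxied target */
};

/* Returns 0 and fills *out if the proxy should answer, -1 to drop the NS. */
int proxy_na_plan(const struct in6_addr *src, const struct in6_addr *dst,
                  struct na_plan *out)
{
    static const unsigned char zero[16];
    static const unsigned char snm[13] =      /* ff02::1:ff00:0/104 prefix */
        { 0xff, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01, 0xff };
    memset(out, 0, sizeof(*out));
    if (src->s6_addr[0] == 0xff)
        return -1;                       /* multicast source is never valid */
    if (memcmp(src->s6_addr, zero, 16) == 0) {      /* unspecified: DAD probe */
        if (memcmp(dst->s6_addr, snm, sizeof(snm)) != 0)
            return -1;                   /* must go to solicited-node mcast */
        inet_pton(AF_INET6, "ff02::1", &out->dst);  /* all-nodes, S stays 0 */
        return 0;
    }
    out->dst = *src;                     /* ordinary NS: unicast the NA back */
    out->solicited = 1;
    return 0;
}

/* Same decision over textual addresses; -1 also on a parse failure. */
int plan_for(const char *src, const char *dst, struct na_plan *out)
{
    struct in6_addr s, d;
    if (inet_pton(AF_INET6, src, &s) != 1 || inet_pton(AF_INET6, dst, &d) != 1)
        return -1;
    return proxy_na_plan(&s, &d, out);
}

int main(void)
{
    struct na_plan p; char buf[INET6_ADDRSTRLEN];
    int rc = plan_for("::", "ff02::1:ff00:1234", &p);  /* constructed DAD probe */
    printf("rc=%d solicited=%d dst=%s\n", rc, p.solicited,
           inet_ntop(AF_INET6, &p.dst, buf, sizeof(buf)));
    return 0;
}
```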
* Re: (usagi-core 15040) [PATCH] IPv6: Protect proxied addresses against DAD
2003-08-20 12:58 ` Ville Nuorvala
@ 2003-08-20 13:39 ` YOSHIFUJI Hideaki / 吉藤英明
0 siblings, 0 replies; 5+ messages in thread
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2003-08-20 13:39 UTC (permalink / raw)
To: vnuorval; +Cc: davem, netdev, usagi-core
In article <Pine.LNX.4.44.0308201449550.756-200000@rhea.tcs.hut.fi> (at Wed, 20 Aug 2003 15:58:08 +0300 (EEST)), Ville Nuorvala <vnuorval@tcs.hut.fi> says:
> > > if (in6_dev && in6_dev->cnf.forwarding &&
> > > - (addr_type & IPV6_ADDR_UNICAST) &&
> > > + (addr_type & IPV6_ADDR_UNICAST ||
> > > + addr_type == IPV6_ADDR_ANY) &&
> > > pneigh_lookup(&nd_tbl, &msg->target, dev, 0)) {
> > > int inc = ipv6_addr_type(daddr)&IPV6_ADDR_MULTICAST;
> > >
> >
> > I believe we don't need this chunk.
>
> No, it is needed. Normal neighbor solicitations are sent using a unicast
> source address, but DAD probes are sent using the unspecified address as
> source.
Oops, sorry, I read it as if it were "ANYCAST."
I agree.
--
Hideaki YOSHIFUJI @ USAGI Project <yoshfuji@linux-ipv6.org>
GPG FP: 9022 65EB 1ECF 3AD1 0BDF 80D8 4807 F894 E062 0EEA
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] IPv6: Protect proxied addresses against DAD
2003-08-20 11:40 [PATCH] IPv6: Protect proxied addresses against DAD Ville Nuorvala
2003-08-20 11:43 ` (usagi-core 15040) " YOSHIFUJI Hideaki / 吉藤英明
@ 2003-08-20 18:24 ` David S. Miller
1 sibling, 0 replies; 5+ messages in thread
From: David S. Miller @ 2003-08-20 18:24 UTC (permalink / raw)
To: Ville Nuorvala; +Cc: usagi-core, netdev
On Wed, 20 Aug 2003 14:40:14 +0300 (EEST)
Ville Nuorvala <vnuorval@tcs.hut.fi> wrote:
> a proxy has to reply to DAD probes, otherwise it can't protect its
> addresses. The attached patch fixes this, please apply!
Patch applied, thanks.
^ permalink raw reply [flat|nested] 5+ messages in thread