From: David Miller <davem@davemloft.net>
To: sd@queasysnail.net
Cc: netdev@vger.kernel.org, liuhangbin@gmail.com,
hideaki.yoshifuji@miraclelinux.com
Subject: Re: [PATCH net-next] Revert "net/ipv6: add sysctl option accept_ra_min_hop_limit"
Date: Wed, 02 Sep 2015 16:11:10 -0700 (PDT)
Message-ID: <20150902.161110.223512323094619164.davem@davemloft.net>
In-Reply-To: <20150902094301.GA6434@via.ecp.fr>
From: Sabrina Dubroca <sd@queasysnail.net>
Date: Wed, 2 Sep 2015 11:43:01 +0200
> This reverts commit 8013d1d7eafb0589ca766db6b74026f76b7f5cb4.
>
> There are several issues with this patch.
> It completely cancels the security changes introduced by 6fd99094de2b
> ("ipv6: Don't reduce hop limit for an interface").
> The current default value (min hop limit = 1) can result in the same
> denial of service that 6fd99094de2b prevents, but it is hard to define
> a correct and sane default value.
> More generally, it is yet another IPv6 sysctl, and we already have too
> many.
>
> This was introduced to satisfy a TAHI test case which, in my opinion, is
> too strict, turning the RFC's "SHOULD" into a "MUST":
>
>     If the received Cur Hop Limit value is non-zero, the host
>     SHOULD set its CurHopLimit variable to the received value.
>
> The behavior of this sysctl is wrong in multiple ways. Some are
> fixable, but let's not rush this commit into mainline, and revert this
> while we still can, then we can come up with a better solution.
>
> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
I don't agree with this revert.
If you look at the original commit, the quoted RFC recommends adding
a configurable method to protect against this.
And that's exactly what the commit you are trying to revert is doing.
The only thing I would entertain is potentially an adjustment of the
default, working in concert with the TAHI folks to make sure their
tests still pass with any new default.
Thanks.
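The behaviour argued over in this thread, as an added example that is not code from the thread or from the kernel: a small model of Router Advertisement handling with a configurable minimum hop limit. It parses the fixed part of an RA (RFC 4861 section 4.2), then decides whether the host adopts the advertised Cur Hop Limit. The policy semantics (take the advertised value only if it is non-zero and not below the floor; a floor above 255 means never take it), the function names, and the sample packet with Cur Hop Limit 1 are assumptions of this example, not the kernel's exact implementation.

```c
/* Added example: a model of RA Cur Hop Limit handling with a minimum
 * hop limit floor, like the accept_ra_min_hop_limit sysctl discussed
 * above. Not the kernel's code; policy semantics, names and the sample
 * packet are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ND_ROUTER_ADVERT 134
#define RA_FIXED_LEN     16   /* ICMPv6 RA fixed header, RFC 4861 s4.2 */

struct ra_fields {
    uint8_t  cur_hop_limit;
    uint8_t  flags;           /* M, O and reserved bits */
    uint16_t router_lifetime; /* seconds */
    uint32_t reachable_time;  /* milliseconds */
    uint32_t retrans_timer;   /* milliseconds */
};

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
           (uint32_t)p[2] << 8  | (uint32_t)p[3];
}

/* Parse the fixed part of an RA. Returns 0 on success, -1 if the buffer is
 * too short or not an RA (type 134, code 0). The ICMPv6 checksum is not
 * verified here; the constructed sample below leaves it zero. */
static int parse_ra(const uint8_t *pkt, size_t len, struct ra_fields *out)
{
    if (len < RA_FIXED_LEN || pkt[0] != ND_ROUTER_ADVERT || pkt[1] != 0)
        return -1;
    out->cur_hop_limit   = pkt[4];
    out->flags           = pkt[5];
    out->router_lifetime = (uint16_t)((pkt[6] << 8) | pkt[7]);
    out->reachable_time  = be32(pkt + 8);
    out->retrans_timer   = be32(pkt + 12);
    return 0;
}

/* Decide the host's new CurHopLimit. RFC 4861 says the host SHOULD adopt a
 * non-zero advertised value; the floor adds a minimum below which the
 * advertisement is ignored. Assumed semantics: adopt only if the advertised
 * value is non-zero and >= min_hop_limit, so a floor above 255 means
 * "never take the hop limit from an RA". */
static unsigned apply_ra_hop_limit(unsigned cur_hop_limit, uint8_t advertised,
                                   unsigned min_hop_limit)
{
    if (advertised == 0)             /* 0 = unspecified by this router */
        return cur_hop_limit;
    if (advertised < min_hop_limit)  /* below the configured floor: keep ours */
        return cur_hop_limit;
    return advertised;
}

/* Process a raw RA against the host's current hop limit and policy.
 * Returns the resulting CurHopLimit (unchanged if the packet is not an RA). */
static unsigned process_ra(const uint8_t *pkt, size_t len,
                           unsigned cur_hop_limit, unsigned min_hop_limit)
{
    struct ra_fields ra;
    if (parse_ra(pkt, len, &ra) < 0)
        return cur_hop_limit;
    return apply_ra_hop_limit(cur_hop_limit, ra.cur_hop_limit, min_hop_limit);
}

/* Constructed sample (not a captured packet): an RA advertising
 * Cur Hop Limit = 1, router lifetime 1800 s, no flags, unspecified
 * reachable time and retrans timer, checksum left as zero. */
static const uint8_t SAMPLE_RA_HOP1[RA_FIXED_LEN] = {
    ND_ROUTER_ADVERT, 0, 0x00, 0x00,   /* type, code, checksum (not computed) */
    1, 0x00, 0x07, 0x08,               /* cur hop limit 1, flags, lifetime 1800 */
    0, 0, 0, 0,                        /* reachable time: unspecified */
    0, 0, 0, 0,                        /* retrans timer: unspecified */
};

int main(void)
{
    unsigned host = 64;  /* a typical default hop limit, assumed */
    printf("floor 1   : hop limit %u -> %u\n", host,
           process_ra(SAMPLE_RA_HOP1, sizeof SAMPLE_RA_HOP1, host, 1));
    printf("floor 64  : hop limit %u -> %u\n", host,
           process_ra(SAMPLE_RA_HOP1, sizeof SAMPLE_RA_HOP1, host, 64));
    printf("floor 256 : hop limit %u -> %u\n", host,
           process_ra(SAMPLE_RA_HOP1, sizeof SAMPLE_RA_HOP1, host, 256));
    return 0;
}
```

With the floor at 1, the sample RA takes the host from 64 down to a hop limit of 1, so its packets die at the first router, which is the denial of service the commit message refers to; with the floor at 64 or above the advertisement is ignored and the host keeps its value. That gap between what the default allows and what a higher floor rejects is what the discussion of adjusting the default is about.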
Thread overview: 12+ messages
2015-09-02 9:43 [PATCH net-next] Revert "net/ipv6: add sysctl option accept_ra_min_hop_limit" Sabrina Dubroca
2015-09-02 23:11 ` David Miller [this message]
2015-09-03 8:39 ` Florian Westphal
2015-09-09 10:10 ` Sabrina Dubroca
2015-09-10 2:54 ` Hangbin Liu
2015-09-10 9:19 ` Sabrina Dubroca
2015-09-11 1:29 ` Hangbin Liu
2015-09-10 5:52 ` YOSHIFUJI Hideaki
2015-09-10 9:40 ` Sabrina Dubroca
2015-09-11 3:08 ` YOSHIFUJI Hideaki
2015-09-11 10:53 ` Florian Westphal
2015-09-11 11:09 ` D.S. Ljungmark