public inbox for netdev@vger.kernel.org
From: Tom Herbert <tom@herbertland.com>
To: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org
Cc: Tom Herbert <tom@herbertland.com>
Subject: [PATCH net-next v2 2/4] ipv6: Disable IPv6 Destination Options RX processing by default
Date: Thu,  8 Jan 2026 09:14:54 -0800
Message-ID: <20260108171456.47519-3-tom@herbertland.com>
In-Reply-To: <20260108171456.47519-1-tom@herbertland.com>

Set IP6_DEFAULT_MAX_DST_OPTS_CNT to zero. This disables
processing of Destination Options extension headers by default.
Processing can be enabled by setting net.ipv6.max_dst_opts_number
to a non-zero value.

The rationale for this is that Destination Options pose a serious risk
of Denial of Service attack. The problem is that even if the
default limit is set to a small number (previously it was eight) there
is still the possibility of a DoS attack. All an attacker needs to do
is create an MTU size packet filled with 8 byte Destination Options
Extension Headers. Each Destination EH simply contains a single
padding option with six bytes of zeroes.

In a 1500 byte MTU size packet, 182 of these dummy Destination
Options headers can be placed in a packet. Per RFC8200, a host must
accept and process a packet with any number of Destination Options
extension headers. So when the stack processes such a packet it is
a lot of work and CPU cycles that provide zero benefit. The packet
can be designed such that every byte after the IP header requires
a conditional check and branch prediction can be rendered useless
for that. This also may mean over twenty cache misses per packet.
In other words, these packets filled with dummy Destination Options
extension headers are the basis for what would be an effective DoS
attack.

Disabling Destination Options is not a major issue for the following
reasons:

* The Linux kernel only supports one Destination Option (Home Address
  Option). There is no evidence this has seen any real world use
* On the Internet packets with Destination Options are dropped with
  a high enough rate such that use of Destination Options is not
  feasible
* It is unknown, however quite possible, that no one anywhere is using
  Destination Options for anything but experiments, class projects,
  or DoS. If someone is using them in their private network then
  it's easy enough to configure a non-zero limit for their use case

Signed-off-by: Tom Herbert <tom@herbertland.com>
---
 include/net/ipv6.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 74fbf1ad8065..723a254c0b90 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -86,8 +86,11 @@ struct ip_tunnel_info;
  * silently discarded.
  */
 
-/* Default limits for Hop-by-Hop and Destination options */
-#define IP6_DEFAULT_MAX_DST_OPTS_CNT	 8
+/* Default limits for Hop-by-Hop and Destination options. By default
+ * packets received with Destination Options headers are dropped to thwart
+ * Denial of Service attacks (see sysctl documention)
+ */
+#define IP6_DEFAULT_MAX_DST_OPTS_CNT	 0
 #define IP6_DEFAULT_MAX_HBH_OPTS_CNT	 8
 #define IP6_DEFAULT_MAX_DST_OPTS_LEN	 INT_MAX /* No limit */
 #define IP6_DEFAULT_MAX_HBH_OPTS_LEN	 INT_MAX /* No limit */
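Review bot: the new comment on the IP6_DEFAULT_MAX_DST_OPTS_CNT define misspells "documentation" as "documention" and is vague about which knob it means; suggest `* Denial of Service attacks (see the net.ipv6.max_dst_opts_number sysctl)` so a reader can find the setting named in the commit message. The "are dropped" wording also relies on the zero-means-drop check introduced in patch 1/4 of this series, not on anything in this header, so a short clause such as "a limit of zero means drop" next to the define would make the dependency explicit.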
-- 
2.43.0
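The check this series describes, modelled in user space as an added example (this is not the kernel's code nor part of Tom Herbert's patch): the option scan is modelled on the kernel's per-header TLV limit, in which padding options are not counted, and the extension-header walk drops a header type whose limit is zero. The sysctl names are the page's; the function names and the three-header sample are constructed for the example, which also shows why a non-zero count limit alone does not reject padding-only Destination Options headers.

```python
IPPROTO_HOPOPTS, IPPROTO_DSTOPTS, IPPROTO_TCP = 0, 60, 6
IPV6_TLV_PAD1, IPV6_TLV_PADN = 0, 1
# Defaults as this series leaves them: Destination Options off, Hop-by-Hop limit 8.
DEFAULT_SYSCTL = {"max_dst_opts_number": 0, "max_hbh_opts_number": 8}

def options_ok(body, max_count):
    """Modelled on the kernel TLV scan: Pad1/PadN (at most 7 bytes of padding
    between real options, zero-filled) are not counted; other options are."""
    i, padlen, tlv_count = 0, 0, 0
    while i < len(body):
        if body[i] == IPV6_TLV_PAD1:
            padlen, i = padlen + 1, i + 1
            if padlen > 7:
                return False
            continue
        if i + 2 > len(body):
            return False
        optlen = body[i + 1] + 2                    # type + length + data
        if i + optlen > len(body):
            return False
        if body[i] == IPV6_TLV_PADN:
            padlen += optlen
            if padlen > 7 or any(body[i + 2:i + optlen]):
                return False
        else:
            padlen, tlv_count = 0, tlv_count + 1
            if tlv_count > max_count:
                return False
        i += optlen
    return True

def ipv6_rx_accept(payload, first_nexthdr, sysctl=DEFAULT_SYSCTL):
    """Walk the HBH/DestOpt chain after the IPv6 header; a limit of 0 drops that type."""
    off, nexthdr = 0, first_nexthdr
    while nexthdr in (IPPROTO_HOPOPTS, IPPROTO_DSTOPTS):
        if off + 8 > len(payload):
            return False, "truncated extension header"
        hdrlen = (payload[off + 1] + 1) * 8         # Hdr Ext Len in 8-octet units
        if off + hdrlen > len(payload):
            return False, "extension header runs past end of packet"
        key = "max_dst_opts_number" if nexthdr == IPPROTO_DSTOPTS else "max_hbh_opts_number"
        if sysctl[key] == 0:
            return False, "%s is 0: header type %d disabled" % (key, nexthdr)
        if not options_ok(payload[off + 2:off + hdrlen], sysctl[key]):
            return False, "bad or too many options in header type %d" % nexthdr
        nexthdr, off = payload[off], off + hdrlen
    return True, "deliver to protocol %d" % nexthdr
def padding_only_dstopts(count):
    """Constructed sample (count >= 1): 8-byte DestOpt headers holding one zero PadN, then TCP."""
    hdrs = [bytes([IPPROTO_DSTOPTS, 0, IPV6_TLV_PADN, 4, 0, 0, 0, 0])] * count
    return b"".join(hdrs[:-1]) + bytes([IPPROTO_TCP]) + hdrs[-1][1:]
```

With the default of zero the sample chain is dropped at the first header; with the previous default of eight it is accepted in full, because padding options never count toward the limit.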


Thread overview: 7+ messages
2026-01-08 17:14 [PATCH net-next v2 0/4] ipv6: Disable IPv6 Destination Options RX processing by default Tom Herbert
2026-01-08 17:14 ` [PATCH net-next v2 1/4] ipv6: Check of max HBH or DestOp sysctl is zero and drop if it is Tom Herbert
2026-01-08 17:14 ` Tom Herbert [this message]
2026-01-08 17:14 ` [PATCH net-next v2 3/4] ipv6: Set Hop-by-Hop options limit to 1 Tom Herbert
2026-01-08 17:14 ` [PATCH net-next v2 4/4] ipv6: Document defaults for max_{dst|hbh}_opts_number sysctls Tom Herbert
2026-01-09 19:50 ` [PATCH net-next v2 0/4] ipv6: Disable IPv6 Destination Options RX processing by default Jakub Kicinski
2026-01-13 19:54   ` Tom Herbert
