From: Tom Herbert <tom@herbertland.com>
To: davem@davemloft.net, kuba@kernel.org, netdev@vger.kernel.org
Cc: Tom Herbert <tom@herbertland.com>
Subject: [PATCH net-next v2 3/4] ipv6: Set Hop-by-Hop options limit to 1
Date: Thu, 8 Jan 2026 09:14:55 -0800
Message-ID: <20260108171456.47519-4-tom@herbertland.com>
In-Reply-To: <20260108171456.47519-1-tom@herbertland.com>
The Hop-by-Hop options limit had a default of 8, meaning that up to
eight Hop-by-Hop options would be received in a packet before the limit
is exceeded and the packet is dropped. This limit is too high and
makes the node susceptible to DoS attack. Note it's not just the
options themselves, but a lot of padding can be used between options
(e.g. up to seven PAD1 options). It's pretty easy for an attacker to
fabricate a packet with nothing but eight unknown option types and
padding between the options to force over a hundred conditionals to
be evaluated and at least eight cache misses per packet, resulting
in no productive work being done.
The new limit is one. This is based on the fact that there are some
Hop-by-Hop options in deployment, like the Router Alert option, however they
tend to be singleton options and it's unlikely there is significant use
of more than one option in a packet. From a protocol perspective,
RFC 9673 states:
"A Source MAY, based on local configuration, allow only one Hop-by-Hop
option to be included in a packet"
We can infer that this implies that at most one Hop-by-Hop option is
sufficient.
It should be noted that Hop-by-Hop options are unusable in the general
Internet, and packets with Hop-by-Hop options are commonly dropped
by routers. The only realistic use case for Hop-by-Hop options is
limited domains, and if a limited domain needs more than one HBH option
in a packet it's easy enough to configure the sysctl to whatever limit
they want.
Signed-off-by: Tom Herbert <tom@herbertland.com>
---
include/net/ipv6.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 723a254c0b90..62ed44894e96 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -91,7 +91,7 @@ struct ip_tunnel_info;
* Denial of Service attacks (see sysctl documention)
*/
#define IP6_DEFAULT_MAX_DST_OPTS_CNT 0
-#define IP6_DEFAULT_MAX_HBH_OPTS_CNT 8
+#define IP6_DEFAULT_MAX_HBH_OPTS_CNT 1
#define IP6_DEFAULT_MAX_DST_OPTS_LEN INT_MAX /* No limit */
#define IP6_DEFAULT_MAX_HBH_OPTS_LEN INT_MAX /* No limit */
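Review bot: the comment directly above these defines (context line "* Denial of Service attacks (see sysctl documention)") misspells "documentation" and says nothing about what the count actually counts; since this hunk edits the line right below it, fix the spelling here and add that IP6_DEFAULT_MAX_HBH_OPTS_CNT limits non-padding options only, so a reader does not assume Pad1/PadN are charged against the new default of 1 (the commit message relies on padding being free, which is why 8 was cheap to abuse). Also confirm that the default shown for max_hbh_opts_number in Documentation/networking/ip-sysctl.rst is updated to 1 in the same series (patch 4/4 in the thread overview), otherwise the documented and compiled-in defaults disagree after this patch lands.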
--
2.43.0
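The following is an added example, not code from this patch or from the kernel: a small C model of a Hop-by-Hop option walker that applies the rules the commit message relies on (padding options are not charged against the count, at most seven bytes of padding may sit between real options) and runs it over two constructed option areas, one carrying a single Router Alert and one shaped like the described attack packet (eight unknown options separated by seven Pad1 bytes each). The function and builder names (hbh_parse, build_router_alert, build_attack, run_case) and the unknown option type 0x1e are assumptions chosen for the demonstration; the kernel's own parser in net/ipv6/exthdrs.c differs in detail.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Option type codes from RFC 8200 (padding) and RFC 2711 (Router Alert). */
#define IPV6_TLV_PAD1        0
#define IPV6_TLV_PADN        1
#define IPV6_TLV_ROUTERALERT 5
/* Hypothetical unassigned type whose high bits are 00 ("skip over"). */
#define TLV_UNKNOWN_SKIP     0x1e

enum hbh_result {
	HBH_OK = 0,
	HBH_BAD_LENGTH,    /* TLV runs past the option area or PadN not zero */
	HBH_TOO_MUCH_PAD,  /* more than 7 bytes of padding in a row */
	HBH_TOO_MANY_OPTS  /* non-padding option count exceeded max_count */
};

/*
 * Walk the option area of a Hop-by-Hop header.  'opts' points just past the
 * 2-byte Next Header / Hdr Ext Len prefix and 'len' is 8*(HdrExtLen+1)-2.
 * Padding is not charged against max_count; only non-padding TLVs are, so a
 * sender can interleave up to seven Pad1 bytes between counted options for
 * free.  *counted receives the number of non-padding options reached.
 */
static enum hbh_result hbh_parse(const uint8_t *opts, size_t len,
				 unsigned int max_count, unsigned int *counted)
{
	unsigned int tlv_count = 0;
	unsigned int padlen = 0;   /* padding bytes since the last real option */
	enum hbh_result res = HBH_OK;
	size_t off = 0;

	while (off < len && res == HBH_OK) {
		uint8_t type = opts[off];
		size_t optlen = 0;

		if (type == IPV6_TLV_PAD1) {
			optlen = 1;
			if (++padlen > 7)
				res = HBH_TOO_MUCH_PAD;
		} else if (off + 2 > len || off + 2 + opts[off + 1] > len) {
			res = HBH_BAD_LENGTH;
		} else {
			optlen = 2 + opts[off + 1];
			if (type == IPV6_TLV_PADN) {
				padlen += optlen;
				if (padlen > 7)
					res = HBH_TOO_MUCH_PAD;
				/* PadN payload must be all zero */
				for (size_t i = 2; res == HBH_OK && i < optlen; i++)
					if (opts[off + i] != 0)
						res = HBH_BAD_LENGTH;
			} else {
				padlen = 0;
				if (++tlv_count > max_count)
					res = HBH_TOO_MANY_OPTS;
			}
		}
		off += optlen;
	}
	*counted = tlv_count;
	return res;
}

/* Constructed sample: one Router Alert (type 5, len 2, value 0 = MLD) plus a
 * 2-byte PadN so the whole header is 8 bytes.  Returns option-area length. */
static size_t build_router_alert(uint8_t *buf)
{
	static const uint8_t ra[] = { IPV6_TLV_ROUTERALERT, 2, 0, 0,
				      IPV6_TLV_PADN, 0 };
	memcpy(buf, ra, sizeof ra);
	return sizeof ra;
}

/* Constructed attack shape from the commit message: eight unknown options
 * with seven Pad1 bytes between each pair, then PadN up to 70 option bytes
 * (HdrExtLen 8).  Caller supplies a buffer of at least 70 bytes. */
static size_t build_attack(uint8_t *buf)
{
	size_t n = 0;

	for (int i = 0; i < 8; i++) {
		if (i > 0)
			for (int p = 0; p < 7; p++)
				buf[n++] = IPV6_TLV_PAD1;
		buf[n++] = TLV_UNKNOWN_SKIP;
		buf[n++] = 0;          /* zero-length option data */
	}
	/* 65 bytes so far; a 5-byte PadN reaches the 8-byte boundary */
	buf[n++] = IPV6_TLV_PADN;
	buf[n++] = 3;
	buf[n++] = 0; buf[n++] = 0; buf[n++] = 0;
	return n;
}

/* Parse one of the two constructed packets under the given limit. */
static int run_case(int attack, unsigned int limit, unsigned int *counted)
{
	uint8_t buf[72];
	size_t len = attack ? build_attack(buf) : build_router_alert(buf);

	return hbh_parse(buf, len, limit, counted);
}

int main(void)
{
	const unsigned int limits[] = { 8, 1 };

	for (size_t i = 0; i < 2; i++) {
		unsigned int n_ra, n_atk;
		int r_ra = run_case(0, limits[i], &n_ra);
		int r_atk = run_case(1, limits[i], &n_atk);

		printf("limit %u: router alert -> %d, attack packet -> %d "
		       "(stopped after %u options)\n",
		       limits[i], r_ra, r_atk, n_atk);
	}
	return 0;
}
```

With the old default of 8 the attack packet is walked to the end and accepted after all eight options and 49 padding bytes have been inspected; with the new default of 1 the walk stops at the second real option, while the lone Router Alert still passes.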
Thread overview (7+ messages):
2026-01-08 17:14 [PATCH net-next v2 0/4] ipv6: Disable IPv6 Destination Options RX processing by default Tom Herbert
2026-01-08 17:14 ` [PATCH net-next v2 1/4] ipv6: Check of max HBH or DestOp sysctl is zero and drop if it is Tom Herbert
2026-01-08 17:14 ` [PATCH net-next v2 2/4] ipv6: Disable IPv6 Destination Options RX processing by default Tom Herbert
2026-01-08 17:14 ` Tom Herbert [this message]
2026-01-08 17:14 ` [PATCH net-next v2 4/4] ipv6: Document defaults for max_{dst|hbh}_opts_number sysctls Tom Herbert
2026-01-09 19:50 ` [PATCH net-next v2 0/4] ipv6: Disable IPv6 Destination Options RX processing by default Jakub Kicinski
2026-01-13 19:54 ` Tom Herbert