[PATCH net-next v3 0/7] ipv6: Address ext hdr DoS vulnerabilities

[Tom Herbert <tom@herbertland.com>]

IPv6 extension headers are defined to be quite open ended with few
limits. For instance, RFC8200 requires a receiver to process any
number of extension headers in a packet in any order. This flexiblity
comes at the cost of a potential Denial of Service attack. The only
thing that might mitigate the DoS attacks is the fact that packets
with extension headers experience high drop rates on the Internet so
that a DoS attack based on extension wouldn't be very effective at
Internet scale.

This patch set addresses some of the more egregious vulnerabilities
of extension headers to DoS attack. 

- If sysctl.max_dst_opts_cnt or hbh_opts_cnt are set to 0 then that
  disallows packets with Destination Options or Hop-by-Hop Options even
  if the packet contain zero non-padding options

- Add a case for IPV6_TLV_TNL_ENCAP_LIMIT in the switch on TLV type
  in ip6_parse_tlv function. This TLV is handled in tunnel processing,
  however it needs to be detected in ip6_parse_tlv to properly account
  for it as recognized non-padding option

- Move IPV6_TLV_TNL_ENCAP_LIMIT to uapi/linux/in6.h so that all the
  TLV definitions are in one place

- Set the default limits of non-padding Hop-by-Hop and Destination
  options to 2. This means that if a packet contains more then two
  non-padding options then it will be dropped. The previous limit
  was 8, but that was too liberal considering that the stack only
  support two Destination Options and the most Hop-by-Hop options
  likely to ever be in the same packet are IOAM and JUMBO. The limit
  can be increased via sysctl for private use and experimentation

- Enforce RFC8200 recommended ordering of Extension Headers. This
  also enforces that any Extension Header occurs at most once
  in a packet (Destination Options before the Routing Header is
  considered deprecated, so Destination Options may only appear once).
  The enforce_ext_hdr_order sysctl controls enforcement. If it's set
  to true then order is enforced, if it's set to false then neither
  order nor number of occurrences are enforced.

  The enforced ordering is:

    IPv6 header
    Hop-by-Hop Options header
    Routing header
    Fragment header
    Authentication header
    Encapsulating Security Payload header
    Destination Options header
    Upper-Layer header

Tom Herbert (7):
  ipv6: Check of max HBH or DestOp sysctl is zero and drop if it is
  ipv6: Add case for IPV6_TLV_TNL_ENCAP_LIMIT in EH TLV switch
  ipv6: Cleanup IPv6 TLV definitions
  ipv6: Set HBH and DestOpt limits to 2
  ipv6: Document defaults for max_{dst|hbh}_opts_number sysctls
  ipv6: Enforce Extension Header ordering
  ipv6: Document enforce_ext_hdr_order sysctl

Tom Herbert (7):
  ipv6: Check of max HBH or DestOp sysctl is zero and drop if it is
  ipv6: Add case for IPV6_TLV_TNL_ENCAP_LIMIT in EH TLV switch
  ipv6: Cleanup IPv6 TLV definitions
  ipv6: Set HBH and DestOpt limits to 2
  ipv6: Document defaults for max_{dst|hbh}_opts_number sysctls
  ipv6: Enforce Extension Header ordering
  ipv6: Document enforce_ext_hdr_order sysctl

 Documentation/networking/ip-sysctl.rst | 53 +++++++++++++++++++++-----
 include/net/ipv6.h                     |  9 +++--
 include/net/netns/ipv6.h               |  1 +
 include/net/protocol.h                 | 16 ++++++++
 include/uapi/linux/in6.h               | 21 ++++++----
 include/uapi/linux/ip6_tunnel.h        |  1 -
 net/ipv6/af_inet6.c                    |  1 +
 net/ipv6/exthdrs.c                     | 20 ++++++++--
 net/ipv6/ip6_input.c                   | 14 +++++++
 net/ipv6/reassembly.c                  |  1 +
 net/ipv6/sysctl_net_ipv6.c             |  7 ++++
 net/ipv6/xfrm6_protocol.c              |  2 +
 12 files changed, 123 insertions(+), 23 deletions(-)

-- 
2.43.0