* Traceroute and "ping" sockets: some questions
From: Dmitry Butskoy @ 2011-08-19 11:19 UTC (permalink / raw)
To: netdev
Hi
I've released a new version of Linux traceroute, 2.0.18, which supports
the new (SOCK_DGRAM, IPPROTO_ICMP) sockets that appeared in kernel 3.0.
This way users might perform ICMP tracerouting (`-I') without the setuid bit
or cap_net_raw setting on the executable.
(See it at
http://sourceforge.net/projects/traceroute/files/traceroute/traceroute-2.0.18/)
I would like to ask some questions:
- Currently such "ping" sockets are implemented for IPv4 only. Are there any
plans to implement it for IPv6 as well?
traceroute-2.0.18 is ready for IPv6 anyway -- it just waits for this to
appear in the kernel, without a recompile (I hope :) ) -- but I would
prefer to test it as soon as possible.
- Are there any plans to implement some "rate control" (maybe
sysctl-configurable too), to restrict unprivileged users from sending ICMP
echoes too fast (i.e. faster than 200 ms -- the current ping(8) restriction)?
Regards,
Dmitry Butskoy
http://www.fedoraproject.org/wiki/DmitryButskoy
* Re: Traceroute and "ping" sockets: some questions
From: David Miller @ 2011-08-19 11:38 UTC (permalink / raw)
To: buc; +Cc: netdev
From: Dmitry Butskoy <buc@odusz.so-cdu.ru>
Date: Fri, 19 Aug 2011 15:19:16 +0400
> I would like to ask some questions:
>
> - Currently such "ping" sockets are implemented for IPv4 only. Are there any
> plans to implement it for IPv6 as well?
I think the original authors of the kernel component said they would
work on this, but it hasn't materialized yet.
> - Are there any plans to implement some "rate control" (maybe
> sysctl-configurable too), to restrict unprivileged users from sending ICMP
> echoes too fast (i.e. faster than 200 ms -- the current ping(8)
> restriction)?
Why limit? He can spam with a UDP socket just as easily at any rate
he pleases, and rate limiting is a policy issue and is therefore relegated
to netfilter and/or the packet scheduler layer.
* Re: Traceroute and "ping" sockets: some questions
From: Dmitry Butskoy @ 2011-08-19 12:22 UTC (permalink / raw)
Cc: netdev
David Miller wrote:
>> - Are there any plans to implement some "rate control" (maybe
>> sysctl-configurable too), to restrict unprivileged users from sending ICMP
>> echoes too fast (i.e. faster than 200 ms -- the current ping(8)
>> restriction)?
>>
> Why limit? He can spam with a UDP socket just as easily at any rate
> he pleases,
>
Yes, but in most cases such UDP is "one-way" spam (until services like
"echo 7/udp" are enabled).
For ICMP ping, we normally receive ICMP replies, hence it is
bidirectional crap, which was not present before.
Besides that, ping(8) is normally present on the system even if a C
development environment is not installed (i.e. the user cannot build their
spam software on the host, etc.).
Regards,
Dmitry
http://www.fedoraproject.org/wiki/DmitryButskoy
* Re: Traceroute and "ping" sockets: some questions
From: Dmitry Butskoy @ 2011-08-19 13:56 UTC (permalink / raw)
To: netdev
David Miller wrote:
>>> Why limit? He can spam with a UDP socket just as easily at any rate
>>> he pleases,
>>>
>> Yes, but in most cases such UDP is "one-way" spam (until services like
>> "echo 7/udp" are enabled).
>> For ICMP echo, we normally receive ICMP replies, hence it is
>> bidirectional crap, which was not present before.
>>
> Well, replace UDP with TCP syn flood.
>
Well.
Why then is there the "net/ipv4/ping_group_range" restriction, with default
values (low=1, high=0) which denies this way even for root?
Regards,
Dmitry
* Re: Traceroute and "ping" sockets: some questions
From: David Miller @ 2011-08-19 14:00 UTC (permalink / raw)
To: buc; +Cc: netdev
From: Dmitry Butskoy <buc@odusz.so-cdu.ru>
Date: Fri, 19 Aug 2011 17:56:26 +0400
> Why then is there the "net/ipv4/ping_group_range" restriction, with
> default values (low=1, high=0) which denies this way even for root?
While we shake out the bugs and better understand the security
implications of this feature. Once this is resolved we can deprecate
this.
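The two mechanisms this thread turns on, the unprivileged (SOCK_DGRAM, IPPROTO_ICMP) socket from the first message and the net.ipv4.ping_group_range gate from the last two, as an added example that is not code from traceroute, ping(8) or the kernel: it evaluates the sysctl's "low high" pair the way the kernel's check does (the "1 0" default, low > high, matches nobody), builds an echo request, and in main() sends it over a ping socket to a target that defaults to 127.0.0.1. The function names, the payload string and the 127.0.0.1 default are assumptions of this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>

/* Mirror the kernel's ping_group_range test for one gid: the sysctl holds
 * "low<tab>high" and a gid passes only if low <= gid <= high, so the default
 * "1 0" admits nobody, root included (the kernel also tries supplementary
 * groups; this helper checks a single gid). Returns 1 if allowed. */
int ping_group_allowed(const char *range, gid_t gid)
{
    unsigned long low, high;
    if (sscanf(range, "%lu %lu", &low, &high) != 2) return 0;
    return low <= high && gid >= low && gid <= high;
}

/* Build an ICMP echo request. On a ping socket the kernel fills in the
 * identifier (the socket's local "port") and the checksum, so only type,
 * code, sequence and payload matter. Returns 0 if buf is too small. */
size_t build_echo(unsigned char *buf, size_t len, uint16_t seq, const char *payload)
{
    struct icmphdr *h = (struct icmphdr *)buf;
    size_t plen = strlen(payload);
    if (len < sizeof *h + plen) return 0;
    memset(h, 0, sizeof *h);                /* code 0, id 0 */
    h->type = ICMP_ECHO;
    h->un.echo.sequence = htons(seq);
    memcpy(buf + sizeof *h, payload, plen);
    return sizeof *h + plen;
}

int main(int argc, char **argv)
{
    char range[64] = "1 0";                 /* kernel default if unreadable */
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (f) { if (fgets(range, sizeof range, f)) range[strcspn(range, "\n")] = 0; fclose(f); }
    if (!ping_group_allowed(range, getgid()))
        fprintf(stderr, "gid %u is outside ping_group_range \"%s\"\n", (unsigned)getgid(), range);
    int s = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);   /* no setuid/CAP_NET_RAW needed */
    if (s < 0) { perror("socket"); return 1; }           /* EACCES when the range excludes us */
    struct sockaddr_in dst = { .sin_family = AF_INET };
    inet_pton(AF_INET, argc > 1 ? argv[1] : "127.0.0.1", &dst.sin_addr);
    unsigned char pkt[64];
    size_t n = build_echo(pkt, sizeof pkt, 1, "ping-socket test");
    if (sendto(s, pkt, n, 0, (struct sockaddr *)&dst, sizeof dst) < 0) { perror("sendto"); return 1; }
    ssize_t r = recv(s, pkt, sizeof pkt, 0);  /* reply arrives as ICMP header + data, no IP header */
    printf("reply: %zd bytes, ICMP type %u\n", r, r > 0 ? pkt[0] : 0);
    return 0;
}
```

With the stock "1 0" range the socket() call fails with EACCES, which is exactly the default-deny behaviour the last two messages discuss; an administrator widens the range only for the groups that should be able to ping without privilege.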