[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

(usagi-users 00470) Re: IPv6: Incoming RA source-address may be non- link-local

To: <netdev@xxxxxxxxxxx>
Subject: (usagi-users 00470) Re: IPv6: Incoming RA source-address may be non- link-local
From: Pekka Savola <pekkas@xxxxxxxxxx>
Date: Thu, 3 May 2001 13:41:45 +0300 (EEST)
Cc: <usagi-users@xxxxxxxxxxxxxx>
In-reply-to: <Pine.LNX.4.33.0105021312080.28386-100000@netcore.fi>
Reply-to: usagi-users@xxxxxxxxxxxxxx

On Wed, 2 May 2001, Pekka Savola wrote:
> In net/ipv6/ndisc,  ndisc_router_discovery function, where IPv6 router
> advertisements are being processed, there is no check that RA is coming
> from link-local address.

The following patch (note! untested!) should do it.  Copied with small
modification to the printk from ndisc_redirect_rcv:

--- ndisc.c~	Mon Apr 30 12:12:44 2001
+++ ndisc.c	Thu May  3 13:32:37 2001
@@ -587,6 +587,11 @@
 		return;
 	}

+	if (!(ipv6_addr_type(&skb->nh.ipv6h->saddr) & IPV6_ADDR_LINKLOCAL)) {
+		printk(KERN_WARNING "ICMP RA: source address is not linklocal\n");
+		return;
+	}
+
 	/*
 	 *	set the RA_RECV flag in the interface
 	 */


>
> As far as I know, all implementions do use link-local addresses for
> sending advertisements.  RFC2461, 4.2 says:
>
> ---
> 4.2.  Router Advertisement Message Format
>
> [...]
> IP Fields:
>
>       Source Address
>                      MUST be the link-local address assigned to the
>                      interface from which this message is sent.
> [...]
> ---
>
>
> KAME does this:
> ---
> 	if (!IN6_IS_ADDR_LINKLOCAL(&saddr6)) {
>           	log(LOG_ERR,
> 	            "nd6_ra_input: src %s is not link-local\n",
>                     ip6_sprintf(&saddr6));
>            	goto freeit;
>         }
> ---
>
> As hop limit is verified to be 255, this could only be misused by on-link
> hosts.
>
> Note that there is in net/ipv6/route.c:
>
> ---
>                         /* IPv6 strictly inhibits using not link-local
>                            addresses as nexthop address.
>                            Otherwise, router will not able to send redirects.
>                            It is very good, but in some (rare!) curcumstances
>                            (SIT, PtP, NBMA NOARP links) it is handy to allow
>                            some exceptions. --ANK
>                          */
> ---
>
> I wonder what these circumstances are, exactly.  Sit tunnels usually do
> use global addressing, and next hop is non link-local (on KAME too), but
> that doesn't mean those wouldn't have link-local address at all.
>
> What do you think?
>
>

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

Follow-Ups:
- (usagi-users 00475) Re: IPv6: Incoming RA source-address may be non- link-local
  - From: David S. Miller

References:
- (usagi-users 00462) IPv6: Incoming RA source-address may be non- link-local
  - From: Pekka Savola

Prev by Date: (usagi-users 00469) Re: IPv6: the same address can be added multiple times
Next by Date: (usagi-users 00471) IPv6: NS -> NA reply RFC2461 SHOULD considerations [patch]
Previous by thread: (usagi-users 00464) Re: IPv6: Incoming RA source-address may be non- link-local
Next by thread: (usagi-users 00475) Re: IPv6: Incoming RA source-address may be non- link-local
Index(es):
- Date
- Thread