(usagi-users 00752) Re: source routing honored by hosts?
- To: "YOSHIFUJI Hideaki / 吉藤英明" <yoshfuji@xxxxxxxxxxxxxx>
- Subject: (usagi-users 00752) Re: source routing honored by hosts?
- From: Andi Kleen <ak@xxxxxx>
- Date: Sat, 1 Sep 2001 14:29:23 +0200
- Cc: ak@xxxxxx, dlstevens@xxxxxxxxxx, netdev@xxxxxxxxxxx, usagi-users@xxxxxxxxxxxxxx
- In-reply-to: <20010901195708V.yoshfuji@linux-ipv6.org>; from yoshfuji@linux-ipv6.org on Sat, Sep 01, 2001 at 12:57:08PM +0200
- List-subscribe: <mailto:usagi-users-ctl@linux-ipv6.org?body=subscribe>
- References: <OF4584EB28.376150E0-ON88256AB9.007DDA19@boulder.ibm.com> <20010901122229.64064@colin.muc.de> <20010901195708V.yoshfuji@linux-ipv6.org>
- Reply-to: usagi-users@xxxxxxxxxxxxxx
- Sender: andi@xxxxxxxxxxx
On Sat, Sep 01, 2001 at 12:57:08PM +0200, YOSHIFUJI Hideaki / 吉藤英明 wrote:
> In article <20010901122229.64064@xxxxxxxxxxxx> (at Sat, 1 Sep 2001 12:22:29 +0200), Andi Kleen <ak@xxxxxx> says:
>
> > On Sat, Sep 01, 2001 at 01:14:11AM +0200, David Stevens wrote:
> > > ip6_forward() has the following two lines:
> > >
> > > if (ipv6_devconf.forwarding == 0 && opt->srcrt == 0)
> > >         goto error;
> > >
> > > Aside from the other issue of per-interface forwarding :-), this appears to allow
> > > forwarding of source-routed packets even when the node is a host, only. That
> > > seems to be a security hole to me. Suppose you have a multihomed host, or
>
> > > if (ipv6_devconf.forwarding == 0)
> > >         goto error;
> >
> > Definitely.
>
> NO. In IPv6, even a node is not a router (i.e. it is a host),
> it MUST forward source routed packet. So,
I would still agree with David that it is a security hole (at least without
a working ipsec infrastructure).
Even if the Spec says otherwise, this hole should be closed.
-Andi
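The two admission checks discussed in this thread, side by side as a small decision model. This is an added illustration, not kernel code and not code from any participant: the function names and the boolean-argument form are constructed here so that all four (forwarding, routing-header) combinations can be enumerated; it models only the two quoted `if` lines, nothing else about ip6_forward().

```c
#include <stdbool.h>
#include <stdio.h>

/* Policy as in the quoted original ip6_forward() check:
 *   if (ipv6_devconf.forwarding == 0 && opt->srcrt == 0) goto error;
 * Returns true when the packet would be forwarded, false when it is dropped.
 * forwarding: ipv6_devconf.forwarding != 0 (node is configured as a router)
 * srcrt:      opt->srcrt != 0 (packet carries a routing header)            */
bool forward_original(bool forwarding, bool srcrt)
{
    if (!forwarding && !srcrt)
        return false;           /* the "goto error" path */
    return true;                /* note: a host still forwards srcrt packets */
}

/* Policy as proposed in the thread (David's variant):
 *   if (ipv6_devconf.forwarding == 0) goto error;
 * Only a node configured as a router forwards anything.                    */
bool forward_proposed(bool forwarding, bool srcrt)
{
    (void)srcrt;                /* routing header no longer influences it */
    if (!forwarding)
        return false;
    return true;
}

/* Enumerates all four combinations and returns how many of them the two
 * policies decide differently. The only disagreement is the case the thread
 * is about: a host (forwarding off) receiving a source-routed packet.       */
int count_disagreements(void)
{
    int diffs = 0;
    for (int f = 0; f < 2; f++) {
        for (int s = 0; s < 2; s++) {
            bool a = forward_original(f, s);
            bool b = forward_proposed(f, s);
            if (a != b)
                diffs++;
        }
    }
    return diffs;
}

int main(void)
{
    printf("forwarding srcrt  original proposed\n");
    for (int f = 0; f < 2; f++)
        for (int s = 0; s < 2; s++)
            printf("%-10d %-6d %-8s %s\n", f, s,
                   forward_original(f, s) ? "forward" : "drop",
                   forward_proposed(f, s) ? "forward" : "drop");
    printf("combinations that differ: %d\n", count_disagreements());
    return 0;
}
```

Compiling and running the block prints the decision table; the single differing row (forwarding=0, srcrt=1) is the transit-through-a-host case that the thread calls a security hole.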