Date: Thu, 8 Sep 2011 20:25:10 -0400
From: George Neville-Neil <gnn@neville-neil.com>
To: Alexander V. Chernikov <melifaro@ipfw.ru>
Cc: "net@freebsd.org" <net@freebsd.org>
Subject: Re: IP_MINTTL and RFC5082 (TTL security, GTSM) support
Message-ID: <62A4AFEC-0178-4066-9321-9656281496DE@neville-neil.com>
In-Reply-To: <4E4CC02A.7090104@ipfw.ru>
References: <4E4CC02A.7090104@ipfw.ru>
On Aug 18, 2011, at 03:32, Alexander V. Chernikov wrote:

> Hello list!
>
> FreeBSD has supported IP_MINTTL since long ago (5.x?). This is an RFC3682-compatible implementation.
>
> It is very simple: if we can associate an incoming packet with any socket, the socket is checked for the existence of a minimum TTL value. If such a value exists and the received packet's TTL is lower, the packet is dropped.
>
> However, it is not enough for real security. ICMP messages are not checked for minimum TTL (which is now required by RFC 5082 6.1.)
>
> ICMP messages are passed via the .pr_ctlinput upper-level protocol hook.
> The ICMP code, originator address (sockaddr *) and part of the problem datagram (received in the ICMP packet) are passed as arguments.
>
> As a result, the TTL of the ICMP packet is not passed to the upper-layer protocol and TTL security cannot be enforced.
>
> What can possibly be done:
>
> * A new hook .pr_ctlinput2 with an additional argument pointing to the original ICMP header can be added. After that we convert all base code to use .pr_ctlinput2 and the appropriate icmp_input() parts can be changed like this:
>
>     ctlfunc2 = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput2;
>     if (ctlfunc2)
>         (*ctlfunc2)(code, (struct sockaddr *)&icmpsrc,
>             (void *)&icp->icmp_ip, (void *)icp);
>     else {
>         ctlfunc = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput;
>         if (ctlfunc)
>             (*ctlfunc)(code, (struct sockaddr *)&icmpsrc,
>                 (void *)&icp->icmp_ip);
>     }
>
> * .pr_ctlinput() can be altered (if it's not too late for 9.x) and some trick like supplying the TTL data directly after the (struct sockaddr *) can be used as the 8.x MFC.
>
> P.S. We should implement an IP_MINTTL variant for IPv6. I can submit patches, but this seems reasonable only after we get some solution for ICMP security.
>
> Linux people added a compatible option for IPv4 in 2.6.34:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d218d11133d888f9745802146a50255a4781d37a
>
> .. and IPV6_MINHOPCOUNT for IPv6 in 2.6.35:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e802af9cabb011f09b9c19a82faef3dd315f27eb
>
> so we can consider using IPV6_MINHOPCOUNT as the appropriate setsockopt name.

Sounds good. Do you have a patch already? It seems like you might.

Best,
George
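The check the thread is about, as an added example that is not part of the original messages and not FreeBSD kernel code: a userspace model of the RFC 5082 (GTSM) rule behind IP_MINTTL, applied to an ordinary datagram and, as RFC 5082 section 6.1 requires and as Alexander says FreeBSD's .pr_ctlinput path cannot do, to an ICMP error message. The ICMP path matches the socket on the quoted inner datagram (the icmp_ip argument in the thread) but enforces the TTL of the outer header, the ICMP message's own hop count. The packet bytes, the addresses 192.0.2.1 and 198.51.100.2, and the demo_* wrapper names are constructed for this example; gtsm_setup_socket shows the two real setsockopt calls a GTSM peer makes and is not exercised on the constructed packets.

```c
/* Added example, not FreeBSD code: userspace model of the IP_MINTTL / GTSM
 * check for normal datagrams and for ICMP errors (RFC 5082 section 6.1).
 * All packet bytes below are constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define GTSM_TTL 255            /* RFC 5082: send with 255, accept only 255 */
#define LOCAL_IP 0xC0000201u    /* 192.0.2.1, our side (constructed) */
#define PEER_IP  0xC6336402u    /* 198.51.100.2, the peer (constructed) */

enum verdict { GTSM_ACCEPT, GTSM_DROP_TTL, GTSM_MALFORMED };

struct ipv4_view { uint8_t ihl, ttl, proto; uint16_t total_len; uint32_t src, dst; };

/* Minimal IPv4 header parser. A header quoted inside an ICMP error is followed
 * by only 8 bytes of the original datagram, so total_len is checked against the
 * buffer only when truncated_ok is 0. Returns 0 on success. */
static int parse_ipv4(const uint8_t *p, size_t len, int truncated_ok, struct ipv4_view *v)
{
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    v->ihl = (uint8_t)((p[0] & 0x0f) * 4);
    v->total_len = (uint16_t)(p[2] << 8 | p[3]);
    if (v->ihl < 20 || v->ihl > len || v->total_len < v->ihl) return -1;
    if (!truncated_ok && v->total_len > len) return -1;
    v->ttl = p[8];
    v->proto = p[9];
    v->src = (uint32_t)p[12] << 24 | (uint32_t)p[13] << 16 | (uint32_t)p[14] << 8 | p[15];
    v->dst = (uint32_t)p[16] << 24 | (uint32_t)p[17] << 16 | (uint32_t)p[18] << 8 | p[19];
    return 0;
}

/* RFC 1071 one's-complement checksum; yields 0 over a block whose checksum
 * field is already filled in correctly. */
static uint16_t inet_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)(p[i] << 8 | p[i + 1]);
    if (len & 1) sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* The IP_MINTTL rule the thread describes: a socket with a minimum TTL
 * (0 = unset) drops any packet whose TTL is below it. */
static enum verdict gtsm_check(uint8_t sock_min_ttl, uint8_t pkt_ttl)
{
    return (sock_min_ttl && pkt_ttl < sock_min_ttl) ? GTSM_DROP_TTL : GTSM_ACCEPT;
}

/* Normal receive path: the packet's own header carries the TTL to check. */
enum verdict check_datagram(const uint8_t *pkt, size_t len, uint8_t sock_min_ttl)
{
    struct ipv4_view ip;
    if (parse_ipv4(pkt, len, 0, &ip) != 0) return GTSM_MALFORMED;
    return gtsm_check(sock_min_ttl, ip.ttl);
}

/* ICMP error path: the quoted inner datagram identifies the socket, but the
 * TTL enforced is the OUTER header's, i.e. the hop count of the ICMP message.
 * A forged error from a distant host arrives with a lower TTL and is dropped. */
enum verdict check_icmp_error(const uint8_t *pkt, size_t len, uint8_t sock_min_ttl,
                              uint32_t *quoted_dst, uint8_t *quoted_proto)
{
    struct ipv4_view outer, inner;
    if (parse_ipv4(pkt, len, 0, &outer) != 0 || outer.proto != IPPROTO_ICMP) return GTSM_MALFORMED;
    const uint8_t *icmp = pkt + outer.ihl;
    size_t icmp_len = outer.total_len - outer.ihl;
    if (icmp_len < 8 + 20 + 8) return GTSM_MALFORMED;            /* RFC 792 minimum */
    if (icmp[0] != 3 && icmp[0] != 11) return GTSM_MALFORMED;    /* unreachable / time exceeded */
    if (inet_cksum(icmp, icmp_len) != 0) return GTSM_MALFORMED;
    if (parse_ipv4(icmp + 8, icmp_len - 8, 1, &inner) != 0) return GTSM_MALFORMED;
    if (quoted_dst) *quoted_dst = inner.dst;
    if (quoted_proto) *quoted_proto = inner.proto;
    return gtsm_check(sock_min_ttl, outer.ttl);
}

/* Constructed packet builders. The IP header checksum is not modeled (left 0). */
static void put_ipv4(uint8_t *p, uint8_t ttl, uint8_t proto, uint16_t total_len, uint32_t src, uint32_t dst)
{
    memset(p, 0, 20);
    p[0] = 0x45; p[2] = (uint8_t)(total_len >> 8); p[3] = (uint8_t)total_len;
    p[8] = ttl; p[9] = proto;
    for (int i = 0; i < 4; i++) { p[12 + i] = (uint8_t)(src >> (24 - 8 * i)); p[16 + i] = (uint8_t)(dst >> (24 - 8 * i)); }
}

/* A TCP segment (sport 179) from the peer to us: 20-byte IP header + 8 bytes of TCP. */
size_t build_datagram(uint8_t *buf, uint8_t ttl)
{
    put_ipv4(buf, ttl, IPPROTO_TCP, 28, PEER_IP, LOCAL_IP);
    buf[20] = 0; buf[21] = 179; buf[22] = 0x12; buf[23] = 0x34; memset(buf + 24, 0, 4);
    return 28;
}

/* ICMP Destination Unreachable (type 3, code 3) from the peer, quoting the first
 * 28 bytes of a datagram we sent it; outer_ttl is the TTL of the ICMP message. */
size_t build_icmp_unreach(uint8_t *buf, uint8_t outer_ttl)
{
    uint8_t *icmp = buf + 20;
    put_ipv4(buf, outer_ttl, IPPROTO_ICMP, 56, PEER_IP, LOCAL_IP);
    memset(icmp, 0, 8); icmp[0] = 3; icmp[1] = 3;
    put_ipv4(icmp + 8, GTSM_TTL, IPPROTO_TCP, 40, LOCAL_IP, PEER_IP);   /* our quoted datagram */
    icmp[28] = 0x12; icmp[29] = 0x34; icmp[30] = 0; icmp[31] = 179; memset(icmp + 32, 0, 4);
    uint16_t c = inet_cksum(icmp, 36);
    icmp[2] = (uint8_t)(c >> 8); icmp[3] = (uint8_t)c;
    return 56;
}

/* Wrappers that build a packet and run the check in one call. */
enum verdict demo_datagram(uint8_t ttl, uint8_t sock_min_ttl)
{
    uint8_t buf[64]; size_t n = build_datagram(buf, ttl);
    return check_datagram(buf, n, sock_min_ttl);
}
enum verdict demo_icmp_error(uint8_t outer_ttl, uint8_t sock_min_ttl, int corrupt)
{
    uint8_t buf[64]; size_t n = build_icmp_unreach(buf, outer_ttl);
    if (corrupt) buf[22] ^= 0x01;                  /* flip a bit of the ICMP checksum */
    return check_icmp_error(buf, n, sock_min_ttl, NULL, NULL);
}
uint32_t demo_icmp_quoted_dst(void)
{
    uint8_t buf[64]; uint32_t dst = 0; uint8_t proto = 0;
    size_t n = build_icmp_unreach(buf, GTSM_TTL);
    check_icmp_error(buf, n, GTSM_TTL, &dst, &proto);
    return proto == IPPROTO_TCP ? dst : 0;
}

/* What a GTSM peer does on a real socket: send with TTL 255 and, where IP_MINTTL
 * exists (FreeBSD; Linux from 2.6.34 per the thread), accept only TTL 255.
 * Returns 0 on success, -1 on error, -2 if the platform lacks IP_MINTTL. */
int gtsm_setup_socket(int fd)
{
    int ttl = GTSM_TTL;
    if (setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof ttl) < 0) return -1;
#ifdef IP_MINTTL
    return setsockopt(fd, IPPROTO_IP, IP_MINTTL, &ttl, sizeof ttl) < 0 ? -1 : 0;
#else
    return -2;
#endif
}
```

With IP_MINTTL set to 255 the datagram path drops a segment arriving with TTL 254, and the ICMP path drops an unreachable whose outer TTL is 64 even though its quoted inner datagram matches the socket; the same ICMP error with a corrupted checksum is rejected as malformed before any TTL decision. Compile with `cc -std=c99 -Wall` and call gtsm_setup_socket on a connected TCP socket to see the platform's IP_MINTTL availability.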