linux/net/ipv6
Hannes Frederic Sowa 218774dc34 ipv6: add anti-spoofing checks for 6to4 and 6rd
This patch adds anti-spoofing checks in sit.c as specified in RFC3964
section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the
checks which could easily be implemented with netfilter.

Specifically this patch adds the following logic (based loosely on the
pseudocode in RFC3964 section 5.2):

if prefix (inner_src_v6) == rd6_prefix (2002::/16 is the default)
        and outer_src_v4 != embedded_ipv4 (inner_src_v6)
                drop
if prefix (inner_dst_v6) == rd6_prefix (or 2002::/16 is the default)
        and outer_dst_v4 != embedded_ipv4 (inner_dst_v6)
                drop
accept

To accomplish the specified security checks proposed by the above RFCs,
it is still necessary to employ uRPF filters with netfilter. These new
checks only kick in if the employed addresses are within the 2002::/16 or
another range specified by the 6rd-prefix (which defaults to 2002::/16).

Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-01-29 15:22:03 -05:00
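The rule spelled out in the commit message, as an added example that is not the kernel's sit.c code: a user-space C version of the source and destination checks. It assumes the simple 6rd layout in which the entire 32-bit IPv4 address follows the prefix (real 6rd deployments may embed only part of it); the rd6_cfg struct, the IPV4 macro and the sample addresses are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Added example, not sit.c: the RFC 3964 s5.2 / RFC 5969 s12 rule from the
 * commit message, in user-space C.  Assumes the simple 6rd layout in which the
 * full 32-bit IPv4 address follows the prefix (for 6to4 that is 2002::/16). */
struct rd6_cfg { uint8_t prefix[16]; unsigned prefixlen; /* bits, <= 96 */ };
const struct rd6_cfg rd6_6to4 = { { 0x20, 0x02 }, 16 };   /* default 2002::/16 */

/* Do the first cfg->prefixlen bits of addr equal cfg->prefix? */
static bool prefix_match(const uint8_t *addr, const struct rd6_cfg *cfg)
{
    unsigned full = cfg->prefixlen / 8, rem = cfg->prefixlen % 8;
    uint8_t mask = rem ? (uint8_t)(0xffu << (8 - rem)) : 0;
    return memcmp(addr, cfg->prefix, full) == 0 &&
           ((addr[full] ^ cfg->prefix[full]) & mask) == 0;
}

/* The 32 bits that follow the prefix, returned in host byte order. */
uint32_t embedded_ipv4(const uint8_t *addr, unsigned prefixlen)
{
    uint32_t v = 0;
    for (unsigned bit = prefixlen; bit < prefixlen + 32; bit++)
        v = (v << 1) | ((addr[bit / 8] >> (7 - bit % 8)) & 1u);
    return v;
}

/* One direction: drop when the inner address lies inside the 6rd prefix but
 * the IPv4 address embedded in it disagrees with the outer IPv4 header. */
static bool spoofed(const uint8_t *inner_v6, uint32_t outer_v4,
                    const struct rd6_cfg *cfg)
{
    return prefix_match(inner_v6, cfg) &&
           embedded_ipv4(inner_v6, cfg->prefixlen) != outer_v4;
}

/* The whole rule: source check, then destination check; 1 = accept, 0 = drop. */
int sit_anti_spoof_accept(uint32_t outer_src, uint32_t outer_dst,
                          const uint8_t *inner_src, const uint8_t *inner_dst,
                          const struct rd6_cfg *cfg)
{
    return !spoofed(inner_src, outer_src, cfg) &&
           !spoofed(inner_dst, outer_dst, cfg);
}

/* Constructed sample data (not from the patch): 2002:c000:201::1 embeds
 * 192.0.2.1, while 2001:db8::1 is a native address outside the 6to4 prefix. */
#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
const uint8_t v6_6to4_192_0_2_1[16] = { 0x20, 0x02, 192, 0, 2, 1, [15] = 1 };
const uint8_t v6_native[16] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 1 };
```

Only addresses inside the configured prefix are checked at all, which is why the commit message still calls for uRPF filtering in netfilter for everything else.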
netfilter net: frag, move LRU list maintenance outside of rwlock 2013-01-29 13:36:24 -05:00
addrconf.c ipv4: introduce address lifetime 2013-01-29 13:59:57 -05:00
addrconf_core.c
addrlabel.c net: Enable a userns root rtnl calls that are safe for unprivileged users 2012-11-18 20:33:36 -05:00
af_inet6.c ipv6: Use FIELD_SIZEOF() in inet6_init(). 2013-01-09 23:38:23 -08:00
ah6.c ipv6: use IS_ENABLED() 2012-11-01 12:41:35 -04:00
anycast.c ipv6: avoid taking locks at socket dismantle 2012-12-05 16:01:28 -05:00
datagram.c ipv6: Use ipv6_get_dsfield() instead of ipv6_tclass(). 2013-01-13 20:17:14 -05:00
esp6.c net: ipv6: fix error return code 2012-08-31 16:27:48 -04:00
exthdrs.c ipv6: Store Router Alert option in IP6CB directly. 2013-01-13 20:17:14 -05:00
exthdrs_core.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/jesse/openvswitch 2012-11-30 12:01:30 -05:00
exthdrs_offload.c ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
fib6_rules.c ipv6: introduce ip6_rt_put() 2012-11-03 14:59:05 -04:00
icmp.c net: Enable some sysctls that are safe for the userns root 2012-11-18 20:33:00 -05:00
inet6_connection_sock.c ipv6: Fix inet6_csk_bind_conflict so it builds with user namespaces enabled 2013-01-29 15:20:12 -05:00
inet6_hashtables.c soreuseport: TCP/IPv6 implementation 2013-01-23 13:44:01 -05:00
ip6_checksum.c ipv6: move csum_ipv6_magic() and udp6_csum_init() into static library 2013-01-08 17:56:10 -08:00
ip6_fib.c ipv6: add support of equal cost multipath (ECMP) 2012-10-23 02:38:32 -04:00
ip6_flowlabel.c net: Allow userns root to control ipv6 2012-11-18 20:32:45 -05:00
ip6_gre.c ipv6: Introduce ip6_flow_hdr() to fill version, tclass and flowlabel. 2013-01-13 20:17:13 -05:00
ip6_input.c ipv6: Store Router Alert option in IP6CB directly. 2013-01-13 20:17:14 -05:00
ip6_offload.c net: fix possible wrong checksum generation 2013-01-28 00:27:15 -05:00
ip6_offload.h ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
ip6_output.c ipv6: remove duplicated declaration of ip6_fragment() 2013-01-22 23:18:59 -05:00
ip6_tunnel.c ipv6: Introduce ip6_flow_hdr() to fill version, tclass and flowlabel. 2013-01-13 20:17:13 -05:00
ip6mr.c mcast: add multicast proxy support (IPv4 and IPv6) 2013-01-21 13:55:14 -05:00
ipcomp6.c ipv6: Add redirect support to all protocol icmp error handlers. 2012-07-12 00:25:15 -07:00
ipv6_sockglue.c net: Allow userns root to control ipv6 2012-11-18 20:32:45 -05:00
Kconfig gre: Support GRE over IPv6 2012-08-14 14:28:32 -07:00
Makefile ipv6: move csum_ipv6_magic() and udp6_csum_init() into static library 2013-01-08 17:56:10 -08:00
mcast.c ipv6: Unshare ip6_nd_hdr() and change return type to void. 2013-01-21 13:33:15 -05:00
mip6.c ipv6: mip6: fix mip6_mh_filter() 2012-09-25 16:04:44 -04:00
ndisc.c ndisc: Use compound literals to build redirect message. 2013-01-21 13:33:18 -05:00
netfilter.c netfilter: ipv6: expand skb head in ip6_route_me_harder after oif change 2012-08-30 03:00:15 +02:00
output_core.c ipv6: Update ipv6 static library with newly needed functions 2012-11-15 17:39:23 -05:00
proc.c net: ipv6: proc: Fix error handling 2012-08-14 14:45:07 -07:00
protocol.c ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
raw.c ipv6: use IS_ENABLED() 2012-11-01 12:41:35 -04:00
reassembly.c net: frag, move LRU list maintenance outside of rwlock 2013-01-29 13:36:24 -05:00
route.c ndisc: Do not try to update "updated" time if neighbour has already gone. 2013-01-21 15:41:41 -05:00
sit.c ipv6: add anti-spoofing checks for 6to4 and 6rd 2013-01-29 15:22:03 -05:00
syncookies.c tcp: make sysctl_tcp_ecn namespace aware 2013-01-06 21:09:56 -08:00
sysctl_net_ipv6.c net: Enable some sysctls that are safe for the userns root 2012-11-18 20:33:00 -05:00
tcp_ipv6.c soreuseport: TCP/IPv6 implementation 2013-01-23 13:44:01 -05:00
tcpv6_offload.c net: Remove code duplication between offload structures 2012-11-15 17:39:51 -05:00
tunnel6.c
udp.c soreuseport: UDP/IPv6 implementation 2013-01-23 13:44:01 -05:00
udp_impl.h
udp_offload.c ipv6: Fix build error with udp_offload 2012-11-15 22:48:32 -05:00
udplite.c
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c
xfrm6_policy.c ipv6: Complete neighbour entry removal from dst_entry. 2013-01-17 18:38:19 -05:00
xfrm6_state.c ipv6: use IS_ENABLED() 2012-11-01 12:41:35 -04:00
xfrm6_tunnel.c ipv6 xfrm: Use ipv6_addr_hash() in xfrm6_tunnel_spi_hash_byaddr(). 2013-01-13 20:17:14 -05:00