Hi All,
In IPv4, while validating received ICMPv4 redirects, we use secure_redirects.
When set to 1, the destination router suggested in the redirect message
should be one of the default gateways known to the host.
net.ipv4.conf.all.secure_redirects = 1
Is there an equivalent one for IPv6? I couldn't find one.
Also, is there a check whether the source from which the ICMP redirect is sent
is known to us or not?
I came across the function isatap_chksrc in net/ipv6/sit.c. Do the following lines of code ensure that the source is known to the host that received the redirect, or are they part of the tunneling code?
    if (p) {
        /* The outer IPv4 source was found in the tunnel's potential router
         * list (PRL): tag the skb so that ndisc later treats the sender as a
         * default or non-default router. */
        if (p->flags & PRL_DEFAULT)
            skb->ndisc_nodetype = NDISC_NODETYPE_DEFAULT;
        else
            skb->ndisc_nodetype = NDISC_NODETYPE_NODEFAULT;
    } else {
        /* Not in the PRL: accept the packet only if the inner IPv6 source is
         * an ISATAP address whose embedded IPv4 address equals the outer IPv4
         * source and whose prefix belongs to this tunnel device, and then
         * mark the sender as a plain host rather than a router. */
        const struct in6_addr *addr6 = &ipv6_hdr(skb)->saddr;

        if (ipv6_addr_is_isatap(addr6) &&
            (addr6->s6_addr32[3] == iph->saddr) &&
            ipv6_chk_prefix(addr6, t->dev))
            skb->ndisc_nodetype = NDISC_NODETYPE_HOST;
        else
            ok = 0;    /* unknown source: the caller drops the packet */
    }
Dheeraj
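An added example, not part of the mail above or of the kernel: a small audit script that reads the IPv4 secure_redirects/accept_redirects and IPv6 accept_redirects sysctls from a /proc/sys-style tree, combines the all/interface values the way the kernel does, and flags interfaces that accept redirects without the "known gateway" restriction. The demo tree, interface names and values are constructed for illustration; pointing ROOT at /proc/sys runs it against a live host.

```shell
#!/bin/sh
# Added example (not from the original mail or the kernel tree): audit the ICMP
# redirect sysctls under a /proc/sys-style tree, combining all/interface values
# as the kernel macros IN_DEV_ACCEPT_REDIRECTS and IN_DEV_SEC_REDIRECTS do.
# knob ROOT FAMILY IFACE NAME: print the value, or 0 if the file is absent.
knob() { cat "$1/net/$2/conf/$3/$4" 2>/dev/null || echo 0; }

# audit_redirects ROOT (default /proc/sys): one finding per line, returns 1 if any.
audit_redirects() {
    root="${1:-/proc/sys}"; bad=0
    for d in "$root"/net/ipv4/conf/*; do
        i=$(basename "$d")
        case "$i" in all|default) continue ;; esac
        [ -d "$d" ] || continue
        fwd=$(knob "$root" ipv4 "$i" forwarding)
        all_acc=$(knob "$root" ipv4 all accept_redirects); acc=$(knob "$root" ipv4 "$i" accept_redirects)
        all_sec=$(knob "$root" ipv4 all secure_redirects); sec=$(knob "$root" ipv4 "$i" secure_redirects)
        # Forwarding on: all AND iface must be 1; forwarding off: either suffices.
        eff_acc=$(( fwd ? (all_acc & acc) : (all_acc | acc) ))
        # secure_redirects is on if either all or iface is 1 (IN_DEV_ORCONF).
        eff_sec=$(( all_sec | sec ))
        if [ "$eff_acc" -eq 1 ] && [ "$eff_sec" -eq 0 ]; then
            echo "ipv4/$i: redirects accepted to any gateway, not only known ones"
            bad=1
        fi
    done
    for d in "$root"/net/ipv6/conf/*; do
        i=$(basename "$d")
        case "$i" in all|default) continue ;; esac
        [ -d "$d" ] || continue
        # IPv6 has no secure_redirects knob; accept_redirects is checked per device.
        if [ "$(knob "$root" ipv6 "$i" accept_redirects)" -eq 1 ]; then
            echo "ipv6/$i: accept_redirects=1 and no secure_redirects equivalent exists"
            bad=1
        fi
    done
    return $bad
}
# make_demo_tree DIR: constructed sample tree (hypothetical values, not a real host).
make_demo_tree() {
    for spec in ipv4/conf/all/accept_redirects=1 ipv4/conf/all/secure_redirects=0 \
                ipv4/conf/eth0/accept_redirects=1 ipv4/conf/eth0/secure_redirects=1 \
                ipv4/conf/eth1/accept_redirects=1 ipv4/conf/eth1/secure_redirects=0 \
                ipv6/conf/eth0/accept_redirects=1 ipv6/conf/eth1/accept_redirects=0; do
        p="$1/net/${spec%=*}"; mkdir -p "$(dirname "$p")"; echo "${spec#*=}" > "$p"
    done
}
demo=$(mktemp -d); make_demo_tree "$demo"
audit_redirects "$demo" || echo "weak redirect settings found in $demo"
rm -rf "$demo"
```

On the constructed tree this reports ipv4/eth1 (secure_redirects off on both all and the interface) and ipv6/eth0, while ipv4/eth0 passes because its own secure_redirects=1 is enough under the OR rule.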
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)