Hi, Hangbin Liu wrote: > 2015-07-28 7:50 GMT+08:00 YOSHIFUJI Hideaki/吉藤英明 > <hideaki.yoshif...@miraclelinux.com>: >> Hi, >> >> Hangbin Liu wrote: >>> Commit 6fd99094de2b ("ipv6: Don't reduce hop limit for an interface") >>> disabled accept hop limit from RA if it is higher than the current hop >>> limit for security stuff. But this behavior kind of break the RFC >>> definition. >>> >>> RFC 4861, 6.3.4. Processing Received Router Advertisements >>> If the received Cur Hop Limit value is non-zero, the host SHOULD set >>> its CurHopLimit variable to the received value. >>> >>> So add sysctl option accept_ra_hop_limit to let user choose whether accept >>> hop limit info in RA. >>> >> >> How about introducing "minimum hop limit", instead? > > Hi Yoshifuji, > > This is a good idea. Maybe this can be another sysctl option? > > The minimum hop limit can be an enhancement of the security issue, then we > will > not only increase the hop limit, but also could decrease it in the > range of values we > accept. > > On the other hand, with this patch, we can enable, disable or partly > enable accept > hop limit. If we only use "minimum hop limit", people could not use a static > hop > limit value. > > May be we use a “hop limit range" instead? How do you think?
I think name of sysctl is the same as you suggested and change the semantics. default value is 0 to accept all hotlimit value as before and people can set it to 32 (for example) to reject too-small hoplimit (0-31). --yoshfuji > > Thanks > Hangbin > >> >> |commit 6fd99094de2b83d1d4c8457f2c83483b2828e75a >> |Author: D.S. Ljungmark <ljungm...@modio.se> >> |Date: Wed Mar 25 09:28:15 2015 +0100 >> | >> | ipv6: Don't reduce hop limit for an interface >> : >> | RFC 3756, Section 4.2.7, "Parameter Spoofing" >> | >> : >> | > As an example, one possible approach to mitigate this threat is to >> | > ignore very small hop limits. The nodes could implement a >> | > configurable minimum hop limit, and ignore attempts to set it below >> | > said limit. -- Hideaki Yoshifuji <hideaki.yoshif...@miraclelinux.com> Technical Division, MIRACLE LINUX CORPORATION -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html