Hangbin Liu wrote: > 2015-07-28 11:58 GMT+08:00 YOSHIFUJI Hideaki > <hideaki.yoshif...@miraclelinux.com>: >> Hi, >> >> Hangbin Liu wrote: >>> 2015-07-28 7:50 GMT+08:00 YOSHIFUJI Hideaki/吉藤英明 >>> <hideaki.yoshif...@miraclelinux.com>: >>>> Hi, >>>> >>>> Hangbin Liu wrote: >>>>> Commit 6fd99094de2b ("ipv6: Don't reduce hop limit for an interface") >>>>> disabled accept hop limit from RA if it is higher than the current hop >>>>> limit for security stuff. But this behavior kind of break the RFC >>>>> definition. >>>>> >>>>> RFC 4861, 6.3.4. Processing Received Router Advertisements >>>>> If the received Cur Hop Limit value is non-zero, the host SHOULD set >>>>> its CurHopLimit variable to the received value. >>>>> >>>>> So add sysctl option accept_ra_hop_limit to let user choose whether accept >>>>> hop limit info in RA. >>>>> >>>> >>>> How about introducing "minimum hop limit", instead? >>> >>> Hi Yoshifuji, >>> >>> This is a good idea. Maybe this can be another sysctl option? >>> >>> The minimum hop limit can be an enhancement of the security issue, then we >>> will >>> not only increase the hop limit, but also could decrease it in the >>> range of values we >>> accept. >>> >>> On the other hand, with this patch, we can enable, disable or partly >>> enable accept >>> hop limit. If we only use "minimum hop limit", people could not use a >>> static hop >>> limit value. >>> >>> May be we use a “hop limit range" instead? How do you think? >> >> I think name of sysctl is the same as you suggested and change the >> semantics. default value is 0 to accept all hotlimit value >> as before and people can set it to 32 (for example) to reject >> too-small hoplimit (0-31). > > OK, then I will try submit a "minimum hop limit", thanks for your suggestion > :)
accept_ra_min_hop_limit would be better as we have accept_ra_rt_info_max_plen. > > Regards > Hangbin >> >> --yoshfuji >> >>> >>> Thanks >>> Hangbin >>> >>>> >>>> |commit 6fd99094de2b83d1d4c8457f2c83483b2828e75a >>>> |Author: D.S. Ljungmark <ljungm...@modio.se> >>>> |Date: Wed Mar 25 09:28:15 2015 +0100 >>>> | >>>> | ipv6: Don't reduce hop limit for an interface >>>> : >>>> | RFC 3756, Section 4.2.7, "Parameter Spoofing" >>>> | >>>> : >>>> | > As an example, one possible approach to mitigate this threat is to >>>> | > ignore very small hop limits. The nodes could implement a >>>> | > configurable minimum hop limit, and ignore attempts to set it >>>> below >>>> | > said limit. >> >> -- >> Hideaki Yoshifuji <hideaki.yoshif...@miraclelinux.com> >> Technical Division, MIRACLE LINUX CORPORATION -- Hideaki Yoshifuji <hideaki.yoshif...@miraclelinux.com> Technical Division, MIRACLE LINUX CORPORATION -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html