Hi All,

In IPv4, while validating received ICMPv4 redirects, we use
secure_redirects.

When set to 1, the destination router suggested in the redirect message
should be one of the default gateways known to the host.

net.ipv4.conf.all.secure_redirects = 1

*Is there an equivalent one for IPv6? I couldn't find one.*

Also, *is there a check whether the source from which the ICMP redirect is
sent is known to us or not?*

I came across the function isatap_chksrc in the net/ipv6/sit.c file. Do the
following lines of code ensure that the source is known to the host
that received the redirect, or are they part of the tunneling code?

        if (p) {
                if (p->flags & PRL_DEFAULT)
                        skb->ndisc_nodetype = NDISC_NODETYPE_DEFAULT;
                else
                        skb->ndisc_nodetype = NDISC_NODETYPE_NODEFAULT;
        } else {
                const struct in6_addr *addr6 = &ipv6_hdr(skb)->saddr;

                if (ipv6_addr_is_isatap(addr6) &&
                    (addr6->s6_addr32[3] == iph->saddr) &&
                    ipv6_chk_prefix(addr6, t->dev))
                        skb->ndisc_nodetype = NDISC_NODETYPE_HOST;
                else
                        ok = 0;
        }

Dheeraj
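
Added example, not part of the original post and not kernel code: a user-space C model of the outcomes the quoted snippet assigns, showing that the non-PRL branch accepts a packet only when the inner IPv6 source is an ISATAP address whose last 32 bits equal the outer IPv4 source. The enum values, the function names and the `prl_hit`, `prl_default` and `prefix_ok` flags are hypothetical stand-ins for the lookup of `p`, the `PRL_DEFAULT` flag and `ipv6_chk_prefix()`; addresses come from documentation ranges.

```c
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical stand-ins for the node types set in the quoted snippet.
 * NODE_REJECT models the "ok = 0" branch. */
enum nodetype { NODE_REJECT = 0, NODE_HOST, NODE_DEFAULT, NODE_NODEFAULT };

/* ISATAP interface identifier: 0000:5efe or 0200:5efe, then the IPv4
 * address (RFC 5214). Same bit test as the kernel helper of that name. */
static int is_isatap(const struct in6_addr *a)
{
    uint32_t w2;

    memcpy(&w2, &a->s6_addr[8], sizeof(w2));
    return (w2 | htonl(0x02000000)) == htonl(0x02005EFE);
}

/*
 * outer4      outer IPv4 source of the tunnelled packet (iph->saddr)
 * inner6      inner IPv6 source (ipv6_hdr(skb)->saddr)
 * prl_hit     assumption: outer source matched a router-list entry (p != NULL)
 * prl_default assumption: that entry has PRL_DEFAULT set
 * prefix_ok   assumption: result of ipv6_chk_prefix(addr6, t->dev)
 */
enum nodetype classify_src(const char *outer4, const char *inner6,
                           int prl_hit, int prl_default, int prefix_ok)
{
    struct in_addr o;
    struct in6_addr i;
    uint32_t w3;

    if (inet_pton(AF_INET, outer4, &o) != 1 ||
        inet_pton(AF_INET6, inner6, &i) != 1)
        return NODE_REJECT;

    if (prl_hit)
        return prl_default ? NODE_DEFAULT : NODE_NODEFAULT;

    /* Last 32 bits of the inner source must equal the outer IPv4 source. */
    memcpy(&w3, &i.s6_addr[12], sizeof(w3));
    if (is_isatap(&i) && w3 == o.s_addr && prefix_ok)
        return NODE_HOST;

    return NODE_REJECT;
}
```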
