On Aug 18, 2011, at 03:32 , Alexander V. Chernikov wrote:

> Hello list!
> 
> FreeBSD has supported IP_MINTTL since long ago (5.x?). This is an RFC3682-compatible 
> implementation.
> 
> It is very simple: if we can associate an incoming packet with any socket, the 
> socket is checked for the existence of a minimum TTL value. If such a value exists and 
> the received packet TTL is lower, the packet is dropped.
> 
> However, it is not enough for real security. ICMP messages are not checked 
> for minimum TTL (which is now required by RFC 5082, section 6.1).
> 
> ICMP messages are passed via the .pr_ctlinput upper level protocol hook.
> The ICMP code, originator address (sockaddr *) and part of the problem datagram 
> (received in the ICMP packet) are passed as arguments.
> 
> As a result, the TTL of the ICMP packet is not passed to the upper layer proto and TTL 
> security cannot be enforced.
> 
> What can possibly be done:
> 
> * A new hook .pr_ctlinput2 with an additional argument pointing to the original ICMP 
> header can be added. After that we convert all base code to use .pr_ctlinput2 
> and the appropriate icmp_input() parts can be changed like this:
> 
> 
> ctlfunc2 = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput2;
> if (ctlfunc2)
>     (*ctlfunc2)(code, (struct sockaddr *)&icmpsrc,
>         (void *)&icp->icmp_ip, (void *)icp);
> else {
>     ctlfunc = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput;
>     if (ctlfunc)
>         (*ctlfunc)(code, (struct sockaddr *)&icmpsrc,
>             (void *)&icp->icmp_ip);
> }
> 
> * .pr_ctlinput() can be altered (if it's not too late for 9.x) and some trick 
> like supplying TTL data directly after (struct sockaddr *) can be used as the 8.x 
> MFC
> 
> 
> P.S. We should implement an IP_MINTTL variant for IPv6. I can submit patches but 
> this seems to be reasonable only after we get some solution for ICMP security.
> 
> Linux people added a compatible option for IPv4 in 2.6.34:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d218d11133d888f9745802146a50255a4781d37a
> 
> ... and IPV6_MINHOPCOUNT for IPv6 in 2.6.35:
> 
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e802af9cabb011f09b9c19a82faef3dd315f27eb
> 
> so we can consider using IPV6_MINHOPCOUNT as the appropriate setsockopt name

Sounds good.  Do you have a patch already?  It seems like you might.

Best,
George
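As an added example (not code from the thread or from FreeBSD), the user-space side of the GTSM check discussed above: a receiver sets IP_MINTTL=255 so the kernel drops data packets that crossed a router, and a sender sets IP_TTL=255 so its packets pass the peer's check. It assumes the IP_MINTTL symbol is available (FreeBSD, Linux 2.6.34+; the numeric values differ, so always use the symbol) and guards the IPv6 variant with the IPV6_MINHOPCOUNT symbol, since only Linux defined it when this was written. As the message notes, the kernel check covers data packets only; ICMP errors are not filtered this way.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#define GTSM_TTL 255  /* RFC 5082: peers are directly connected, TTL must be untouched */

/* Receiver side: require incoming TTL >= minttl. Returns the value the
 * kernel reports back via getsockopt, or -1 on error. */
int gtsm_set_minttl(int fd, int minttl)
{
    int got = -1;
    socklen_t len = sizeof(got);
    if (setsockopt(fd, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl)) < 0)
        return -1;
    if (getsockopt(fd, IPPROTO_IP, IP_MINTTL, &got, &len) < 0)
        return -1;
    return got;
}

/* Sender side: emit packets with TTL 255 so the peer's IP_MINTTL check passes. */
int gtsm_set_ttl(int fd, int ttl)
{
    int got = -1;
    socklen_t len = sizeof(got);
    if (setsockopt(fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl)) < 0)
        return -1;
    if (getsockopt(fd, IPPROTO_IP, IP_TTL, &got, &len) < 0)
        return -1;
    return got;
}

/* IPv6 equivalent, only where the headers define IPV6_MINHOPCOUNT. */
int gtsm_set_minhopcount(int fd, int minhops)
{
#ifdef IPV6_MINHOPCOUNT
    return setsockopt(fd, IPPROTO_IPV6, IPV6_MINHOPCOUNT, &minhops, sizeof(minhops));
#else
    (void)fd; (void)minhops;
    return -1;  /* not supported on this platform */
#endif
}

/* Open an IPv4 UDP socket configured for GTSM on both directions; -1 on error. */
int gtsm_socket_v4(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (gtsm_set_minttl(fd, GTSM_TTL) != GTSM_TTL || gtsm_set_ttl(fd, GTSM_TTL) != GTSM_TTL) {
        close(fd);
        return -1;
    }
    return fd;
}
```

Bind the returned socket to the listening address as usual; a peer that is more than one hop away (or whose packets traverse a router that decrements TTL) is then rejected by the kernel before the application sees the datagram.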


_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net