From: "Alexander V. Chernikov" <melifaro@ipfw.ru>
To: net@freebsd.org
Date: Thu, 18 Aug 2011 11:32:58 +0400
Message-ID: <4E4CC02A.7090104@ipfw.ru>
Subject: IP_MINTTL and RFC5082 (TTL security, GTSM) support
List-Id: Networking and TCP/IP with FreeBSD

Hello list!

FreeBSD has supported IP_MINTTL since long ago (5.x ?). This is an RFC3682-compatible implementation. It is very simple: if we can associate an incoming packet with any socket, the socket is checked for a minimum TTL value. If such a value exists and the received packet's TTL is lower, the packet is dropped.

However, it is not enough for real security. ICMP messages are not checked for minimum TTL (which is now required by RFC 5082 6.1). ICMP messages are passed via the .pr_ctlinput upper-level protocol hook. The ICMP code, the originator address (sockaddr *) and part of the problem datagram (received in the ICMP packet) are passed as arguments.

As a result, the TTL of the ICMP packet is not passed to the upper-layer protocol and TTL security cannot be enforced.

What can possibly be done:

* A new hook .pr_ctlinput2 with an additional argument pointing to the original ICMP header can be added. After that we convert all base code to use .pr_ctlinput2, and the appropriate icmp_input() parts can be changed like this:

    ctlfunc2 = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput2;
    if (ctlfunc2)
            (*ctlfunc2)(code, (struct sockaddr *)&icmpsrc,
                (void *)&icp->icmp_ip, (void *)icp);
    else {
            ctlfunc = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput;
            if (ctlfunc)
                    (*ctlfunc)(code, (struct sockaddr *)&icmpsrc,
                        (void *)&icp->icmp_ip);
    }

* .pr_ctlinput() can be altered (if it's not too late for 9.x), and some trick like supplying the TTL data directly after the (struct sockaddr *) can be used as an 8.x MFC.

P.S. We should implement an IP_MINTTL variant for IPv6. I can submit patches, but this seems to be reasonable only after we get some solution for ICMP security.

Linux people added a compatible opt for IPv4 in 2.6.34:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d218d11133d888f9745802146a50255a4781d37a
.. and IPV6_MINHOPCOUNT for IPv6 in 2.6.35:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e802af9cabb011f09b9c19a82faef3dd315f27eb
so we can consider using IPV6_MINHOPCOUNT as the appropriate setsockopt name.
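The following is an added, user-space model of the check the mail describes; it is not FreeBSD kernel code and not part of the original message. It assumes a constructed socket table (a TCP listener on 10.0.0.1:179 with IP_MINTTL 255 and a UDP socket on port 53 with no minimum) and constructed packets, and it parses raw IPv4 bytes by hand. The TCP/UDP path is the existing IP_MINTTL rule; the ICMP path is the missing piece the mail asks for: an ICMP error is associated with the socket that sent the quoted datagram, and the minimum is enforced against the TTL of the outer ICMP packet, which is exactly the value .pr_ctlinput does not receive today. All names (gtsm_check, demo_*, the addresses) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts of this hypothetical GTSM check. */
enum { GTSM_NOSOCK = -1, GTSM_DROP = 0, GTSM_ACCEPT = 1 };

/* Constructed stand-in for a socket carrying an IP_MINTTL setting. */
struct gtsm_sock {
    uint32_t laddr;  /* local address, host byte order */
    uint16_t lport;  /* local port */
    uint8_t  proto;  /* 6 = TCP, 17 = UDP */
    uint8_t  minttl; /* IP_MINTTL value; 0 = no minimum set */
};

#define LOCAL 0x0a000001u /* 10.0.0.1  (constructed) */
#define PEER  0x0a000002u /* 10.0.0.2  (constructed) */
#define ROGUE 0xc0000263u /* 192.0.2.99 (constructed third host) */

static const struct gtsm_sock socks[] = {
    { LOCAL, 179, 6, 255 }, /* BGP-style listener protected by GTSM */
    { LOCAL,  53, 17,  0 }, /* plain UDP socket, no minimum */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

static const struct gtsm_sock *lookup_sock(uint32_t addr, uint16_t port, uint8_t proto) {
    for (size_t i = 0; i < sizeof socks / sizeof socks[0]; i++)
        if (socks[i].laddr == addr && socks[i].lport == port && socks[i].proto == proto)
            return &socks[i];
    return NULL;
}

/* The IP_MINTTL rule itself: drop if a minimum is set and the TTL is below it. */
static int apply_minttl(const struct gtsm_sock *s, uint8_t ttl) {
    if (s == NULL) return GTSM_NOSOCK;
    return (s->minttl != 0 && ttl < s->minttl) ? GTSM_DROP : GTSM_ACCEPT;
}

/* Check one received IPv4 datagram against the socket table. */
int gtsm_check(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return GTSM_DROP;
    size_t ihl = (pkt[0] & 0x0f) * 4u;
    if (ihl < 20 || len < ihl + 8) return GTSM_DROP;
    uint8_t ttl = pkt[8], proto = pkt[9];

    if (proto == 6 || proto == 17) /* direct delivery: match destination addr/port */
        return apply_minttl(lookup_sock(be32(pkt + 16), be16(pkt + ihl + 2), proto), ttl);

    if (proto == 1) {
        uint8_t type = pkt[ihl];
        /* Only ICMP errors quote a datagram; other types have no socket here. */
        if (type != 3 && type != 4 && type != 5 && type != 11 && type != 12) return GTSM_NOSOCK;
        const uint8_t *in = pkt + ihl + 8;   /* quoted datagram after 8-byte ICMP header */
        size_t inlen = len - ihl - 8;
        if (inlen < 20) return GTSM_DROP;
        size_t in_ihl = (in[0] & 0x0f) * 4u;
        if (in_ihl < 20 || inlen < in_ihl + 8) return GTSM_DROP;
        /* The quoted datagram was sent by us, so our socket is its SOURCE. */
        const struct gtsm_sock *s = lookup_sock(be32(in + 12), be16(in + in_ihl), in[9]);
        /* Enforce against the OUTER packet's TTL; the quote carries no trustworthy TTL. */
        return apply_minttl(s, ttl);
    }
    return GTSM_NOSOCK;
}

/* Packet builders for the constructed demo traffic. */
static void put32(uint8_t *b, uint32_t v) {
    b[0] = (uint8_t)(v >> 24); b[1] = (uint8_t)(v >> 16); b[2] = (uint8_t)(v >> 8); b[3] = (uint8_t)v;
}
static size_t put_ipv4(uint8_t *b, uint8_t ttl, uint8_t proto, uint32_t src, uint32_t dst) {
    memset(b, 0, 20);
    b[0] = 0x45; b[8] = ttl; b[9] = proto; /* IHL 5; length/checksum not modelled */
    put32(b + 12, src); put32(b + 16, dst);
    return 20;
}
static size_t put_ports(uint8_t *b, uint16_t sport, uint16_t dport) {
    memset(b, 0, 8);
    b[0] = (uint8_t)(sport >> 8); b[1] = (uint8_t)sport;
    b[2] = (uint8_t)(dport >> 8); b[3] = (uint8_t)dport;
    return 8;
}

/* TCP segment from the peer to 10.0.0.1:dport arriving with the given TTL. */
int demo_tcp(uint8_t ttl, uint16_t dport) {
    uint8_t p[28];
    size_t n = put_ipv4(p, ttl, 6, PEER, LOCAL);
    n += put_ports(p + n, 40000, dport);
    return gtsm_check(p, n);
}
/* UDP datagram to 10.0.0.1:53, a socket with no IP_MINTTL. */
int demo_udp(uint8_t ttl) {
    uint8_t p[28];
    size_t n = put_ipv4(p, ttl, 17, PEER, LOCAL);
    n += put_ports(p + n, 40000, 53);
    return gtsm_check(p, n);
}
/* ICMP destination-unreachable from a third host quoting our 10.0.0.1:179 -> peer segment. */
int demo_icmp_unreach(uint8_t outer_ttl) {
    uint8_t p[56];
    size_t n = put_ipv4(p, outer_ttl, 1, ROGUE, LOCAL);
    memset(p + n, 0, 8); p[n] = 3; p[n + 1] = 1; n += 8; /* type 3, code 1 */
    n += put_ipv4(p + n, 64, 6, LOCAL, PEER);
    n += put_ports(p + n, 179, 40000);
    return gtsm_check(p, n);
}
/* ICMP echo request: no quoted datagram, hence no socket association. */
int demo_icmp_echo(void) {
    uint8_t p[28];
    size_t n = put_ipv4(p, 64, 1, ROGUE, LOCAL);
    memset(p + n, 0, 8); p[n] = 8; n += 8;
    return gtsm_check(p, n);
}

int main(void) {
    printf("tcp/179 ttl 255: %d\n", demo_tcp(255, 179));            /* 1 accept */
    printf("tcp/179 ttl 254: %d\n", demo_tcp(254, 179));            /* 0 drop   */
    printf("icmp unreach outer ttl 200: %d\n", demo_icmp_unreach(200)); /* 0 drop   */
    printf("icmp unreach outer ttl 255: %d\n", demo_icmp_unreach(255)); /* 1 accept */
    return 0;
}
```

The two ICMP cases are the ones the mail is about: with IP_MINTTL 255 on the listener, an ICMP error that has crossed even one router arrives with an outer TTL of at most 254 and is dropped, while the existing .pr_ctlinput path would hand the error to the transport protocol without that TTL and could not make this decision at all.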