From owner-freebsd-net@FreeBSD.ORG Fri Sep 9 00:48:14 2011
From: George Neville-Neil <gnn@neville-neil.com>
To: Alexander V. Chernikov
Cc: net@freebsd.org
Date: Thu, 8 Sep 2011 20:25:10 -0400
Subject: Re: IP_MINTTL and RFC5082 (TTL security, GTSM) support
Message-Id: <62A4AFEC-0178-4066-9321-9656281496DE@neville-neil.com>
In-Reply-To: <4E4CC02A.7090104@ipfw.ru>
List-Id: Networking and TCP/IP with FreeBSD

On Aug 18, 2011, at 03:32 , Alexander V. Chernikov wrote:

> Hello list!
>
> FreeBSD has supported IP_MINTTL since long ago (5.x?). This is an RFC3682-compatible implementation.
>
> It is very simple: if we can associate an incoming packet with a socket, the socket is checked for a minimum TTL value. If such a value exists and the received packet's TTL is lower, the packet is dropped.
>
> However, it is not enough for real security. ICMP messages are not checked for minimum TTL (which is now required by RFC 5082 6.1).
>
> ICMP messages are passed via the .pr_ctlinput upper-level protocol hook.
> The ICMP code, originator address (sockaddr *) and part of the problem datagram (received in the ICMP packet) are passed as arguments.
>
> As a result, the TTL of the ICMP packet is not passed to the upper-layer protocol and TTL security cannot be enforced.
>
> What can possibly be done:
>
> * A new hook .pr_ctlinput2 with an additional argument pointing to the original ICMP header can be added. After that we convert all base code to use .pr_ctlinput2 and the appropriate icmp_input() parts can be changed like this:
>
>     ctlfunc2 = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput2;
>     if (ctlfunc2)
>         (*ctlfunc2)(code, (struct sockaddr *)&icmpsrc,
>             (void *)&icp->icmp_ip, (void *)icp);
>     else {
>         ctlfunc = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput;
>         if (ctlfunc)
>             (*ctlfunc)(code, (struct sockaddr *)&icmpsrc,
>                 (void *)&icp->icmp_ip);
>     }
>
> * .pr_ctlinput() can be altered (if it's not too late for 9.x) and some trick like supplying TTL data directly after (struct sockaddr *) can be used as the 8.x MFC.
>
> P.S. We should implement an IP_MINTTL variant for IPv6. I can submit patches, but this seems to be reasonable only after we have some solution for ICMP security.
>
> Linux people added a compatible option for IPv4 in 2.6.34:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d218d11133d888f9745802146a50255a4781d37a
>
> ... and IPV6_MINHOPCOUNT for IPv6 in 2.6.35:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e802af9cabb011f09b9c19a82faef3dd315f27eb
>
> so we can consider using IPV6_MINHOPCOUNT as the appropriate setsockopt name.

Sounds good. Do you have a patch already? It seems like you might.

Best,
George
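The following is an added example, not code from the list post, from FreeBSD or from the Linux commits it links; it is a userland model of the check the thread discusses. `gtsm_accept` is the IP_MINTTL rule the kernel applies to a datagram matched to a socket, and `gtsm_icmp_error_accept` is the RFC 5082 section 6.1 extension to ICMP errors: the TTL to compare is the one on the outer IPv4 header that carries the ICMP message, whereas the quoted datagram (what `.pr_ctlinput` receives as `icp->icmp_ip`) only identifies the socket and its TTL says nothing about how far the ICMP sender is. All function names are hypothetical and the packet bytes are constructed for the demonstration; the `main` additionally shows the application side, setting IP_MINTTL on a socket where the platform defines it.

```c
/* Added example: userland model of the GTSM / IP_MINTTL check (not kernel code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

#define GTSM_TTL 255  /* a directly connected peer sends TTL 255 (RFC 5082) */

/* The IPv4 header fields the check needs. */
struct ipv4_view { size_t hdr_len; uint8_t ttl; uint8_t proto; };

/* Parse the fixed part of an IPv4 header; returns 0 on success, -1 if malformed. */
static int parse_ipv4(const uint8_t *p, size_t len, struct ipv4_view *v)
{
    if (len < 20 || (p[0] >> 4) != 4)
        return -1;
    v->hdr_len = (size_t)(p[0] & 0x0f) * 4;
    if (v->hdr_len < 20 || v->hdr_len > len)
        return -1;
    v->ttl = p[8];
    v->proto = p[9];
    return 0;
}

/* The IP_MINTTL rule: deliver only if the received TTL is at least the
 * socket's configured minimum; a minimum of 0 means the option is unset. */
int gtsm_accept(uint8_t received_ttl, int sock_minttl)
{
    if (sock_minttl <= 0)
        return 1;
    return received_ttl >= sock_minttl;
}

/* RFC 5082 section 6.1 for ICMP errors (types 3, 11, 12): compare the OUTER
 * header's TTL against the socket minimum. The quoted datagram's TTL (the
 * only TTL a hook that sees just icp->icmp_ip could read) is reported via
 * quoted_ttl but never used for the decision. 1 = deliver, 0 = drop, -1 = malformed. */
int gtsm_icmp_error_accept(const uint8_t *pkt, size_t len, int sock_minttl,
                           uint8_t *quoted_ttl)
{
    struct ipv4_view outer, inner;
    const uint8_t *icmp;
    size_t icmp_len;
    if (parse_ipv4(pkt, len, &outer) != 0 || outer.proto != IPPROTO_ICMP)
        return -1;
    icmp = pkt + outer.hdr_len;
    icmp_len = len - outer.hdr_len;
    if (icmp_len < 8 + 20 || (icmp[0] != 3 && icmp[0] != 11 && icmp[0] != 12))
        return -1;
    if (parse_ipv4(icmp + 8, icmp_len - 8, &inner) != 0)
        return -1;
    if (quoted_ttl)
        *quoted_ttl = inner.ttl;
    return gtsm_accept(outer.ttl, sock_minttl);
}

/* Constructed 56-byte ICMP "port unreachable": outer IPv4 from 192.0.2.1 with
 * outer_ttl, 8-byte ICMP header, quoted IPv4/TCP datagram with inner_ttl.
 * Checksums stay zero; only the TTL logic is exercised. */
size_t build_icmp_error(uint8_t *buf, uint8_t outer_ttl, uint8_t inner_ttl)
{
    static const uint8_t peer[4] = {192, 0, 2, 1}, me[4] = {192, 0, 2, 2};
    uint8_t *icmp = buf + 20, *inner = icmp + 8;
    memset(buf, 0, 56);
    buf[0] = 0x45; buf[3] = 56; buf[8] = outer_ttl; buf[9] = IPPROTO_ICMP;
    memcpy(buf + 12, peer, 4); memcpy(buf + 16, me, 4);
    icmp[0] = 3; icmp[1] = 3;                                   /* dest unreach, port */
    inner[0] = 0x45; inner[3] = 28; inner[8] = inner_ttl; inner[9] = IPPROTO_TCP;
    memcpy(inner + 12, me, 4); memcpy(inner + 16, peer, 4);
    return 56;
}

/* Build a packet with the given TTLs and run the check; a non-zero
 * truncate_to hands only that many bytes to the parser (malformed case). */
int demo_icmp_case(uint8_t outer_ttl, uint8_t inner_ttl, int minttl, size_t truncate_to)
{
    uint8_t buf[64];
    size_t n = build_icmp_error(buf, outer_ttl, inner_ttl);
    if (truncate_to && truncate_to < n)
        n = truncate_to;
    return gtsm_icmp_error_accept(buf, n, minttl, NULL);
}

/* What the quoted datagram's TTL looks like for the same packet. */
int demo_quoted_ttl(uint8_t outer_ttl, uint8_t inner_ttl)
{
    uint8_t buf[64], q = 0;
    size_t n = build_icmp_error(buf, outer_ttl, inner_ttl);
    return gtsm_icmp_error_accept(buf, n, GTSM_TTL, &q) < 0 ? -1 : q;
}

int main(void)
{
#ifdef IP_MINTTL  /* application side: ask the kernel to enforce the check */
    int fd = socket(AF_INET, SOCK_STREAM, 0), minttl = GTSM_TTL, got = 0;
    socklen_t optlen = sizeof(got);
    if (fd >= 0 && setsockopt(fd, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl)) == 0 &&
        getsockopt(fd, IPPROTO_IP, IP_MINTTL, &got, &optlen) == 0)
        printf("IP_MINTTL set to %d on the socket\n", got);
    if (fd >= 0)
        close(fd);
#endif
    printf("outer TTL 255, quoted TTL 64  -> %d (deliver)\n", demo_icmp_case(255, 64, GTSM_TTL, 0));
    printf("outer TTL 200, quoted TTL 255 -> %d (drop; quoted TTL %d is irrelevant)\n",
           demo_icmp_case(200, 255, GTSM_TTL, 0), demo_quoted_ttl(200, 255));
    return 0;
}
```

The second case in `main` is the one the thread is about: an ICMP error whose quoted datagram still shows TTL 255 arrives with outer TTL 200, so a check that only saw the quoted header would deliver it, while the RFC 5082 check drops it.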