ipv6: add anti-spoofing checks for 6to4 and 6rd - linux-dev - Linux kernel development work

diff options

author	Hannes Frederic Sowa <hannes@stressinduktion.org>	2013-01-29 08:24:25 +0000
committer	David S. Miller <davem@davemloft.net>	2013-01-29 15:22:03 -0500
commit	218774dc341f219bfcf940304a081b121a0e8099 (patch)
tree	3dda133e7c1d25847198fc85108535f0b912a2ed /arch
parent	gianfar: Pack struct gfar_priv_grp into three cachelines (diff)
download	linux-dev-218774dc341f219bfcf940304a081b121a0e8099.tar.xz linux-dev-218774dc341f219bfcf940304a081b121a0e8099.zip

ipv6: add anti-spoofing checks for 6to4 and 6rd

This patch adds anti-spoofing checks in sit.c as specified in RFC3964 section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the checks which could easily be implemented with netfilter. Specifically this patch adds following logic (based loosely on the pseudocode in RFC3964 section 5.2): if prefix (inner_src_v6) == rd6_prefix (2002::/16 is the default) and outer_src_v4 != embedded_ipv4 (inner_src_v6) drop if prefix (inner_dst_v6) == rd6_prefix (or 2002::/16 is the default) and outer_dst_v4 != embedded_ipv4 (inner_dst_v6) drop accept To accomplish the specified security checks proposed by above RFCs, it is still necessary to employ uRPF filters with netfilter. These new checks only kick in if the employed addresses are within the 2002::/16 or another range specified by the 6rd-prefix (which defaults to 2002::/16). Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Cc: David Miller <davem@davemloft.net> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'arch')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: