Discussion:
CVS commit: src/sys/netinet6
(too old to reply)
Pavel Cahyna
2007-05-18 21:05:17 UTC
Permalink
Module Name: src
Committed By: yamt
Date: Thu May 17 11:48:43 UTC 2007
src/sys/netinet6: ip6_input.c ip6_var.h route6.c
remove net.inet6.ip6.rht0 sysctl.
it's too dangerous compared to its benefit.
I disagree with this. What danger is there that is not enough taken care
of by having the RH0 processing controllable by sysctl? (n. b. even
disabled by default!)

Also, I don't recall RH0 support being optional.

Pavel

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
YAMAMOTO Takashi
2007-05-20 07:38:19 UTC
Permalink
Post by Pavel Cahyna
Module Name: src
Committed By: yamt
Date: Thu May 17 11:48:43 UTC 2007
src/sys/netinet6: ip6_input.c ip6_var.h route6.c
remove net.inet6.ip6.rht0 sysctl.
it's too dangerous compared to its benefit.
I disagree with this. What danger is there that is not enough taken care
of by having the RH0 processing controllable by sysctl? (n. b. even
disabled by default!)
Also, I don't recall RH0 support being optional.
Pavel
have you read the pdf referenced in a comment?
don't you agree that it shouldn't be enabled?
if you agree, what's the point of having a sysctl knob which
shouldn't be enabled?

YAMAMOTO Takashi

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Pavel Cahyna
2007-05-20 08:09:21 UTC
Permalink
Post by YAMAMOTO Takashi
Post by Pavel Cahyna
Module Name: src
Committed By: yamt
Date: Thu May 17 11:48:43 UTC 2007
src/sys/netinet6: ip6_input.c ip6_var.h route6.c
remove net.inet6.ip6.rht0 sysctl.
it's too dangerous compared to its benefit.
I disagree with this. What danger is there that is not enough taken care
of by having the RH0 processing controllable by sysctl? (n. b. even
disabled by default!)
Also, I don't recall RH0 support being optional.
Pavel
have you read the pdf referenced in a comment?
Yes.
Post by YAMAMOTO Takashi
don't you agree that it shouldn't be enabled?
No, though I agree it should be disabled by default.
Post by YAMAMOTO Takashi
if you agree, what's the point of having a sysctl knob which
shouldn't be enabled?
YAMAMOTO Takashi
Pavel

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
JINMEI Tatuya / 神明達哉
2007-05-21 06:13:07 UTC
Permalink
At Sun, 20 May 2007 08:09:21 +0000,
Post by Pavel Cahyna
Post by YAMAMOTO Takashi
Post by Pavel Cahyna
Also, I don't recall RH0 support being optional.
have you read the pdf referenced in a comment?
Yes.
Post by YAMAMOTO Takashi
don't you agree that it shouldn't be enabled?
No, though I agree it should be disabled by default.
I personally don't necessarily object to removing sysctl at this
stage, but I don't think the risk of keeping it (with the default
being "disable") at the moment is that high in reality either.

Keeping the sysctl knob does real harm if all of the following
condition are met:

- the administrator explicitly turns it on again
- the attacker finds the address of the node that re-enables the
feature (it's not always so easy)
- two such nodes are close enough (if there are many hops between
them, the amplification factor is limited), and
- the entire path between the two nodes is broad enough (since the
amplification effect is bound by the narrowest bandwidth in the path)

I understand the risk of underestimating the threat level, but I don't
think it's very easy for an attacker to ensure all of these conditions
hold.

Meanwhile, there should still be many "unpatched" implementations that
can be exploited. Until the number of such implementations decreases
to some negligible point, just removing a sysctl knob which disables
the feature by default wouldn't contribute to reducing the whole risk
much.

Having said that, I agree there are not so many (if any) useful and
widely deployed applications of the type 0 routing header, so I'd not
necessarily oppose to removing the knob now.

My point however is that the decision does not seem so obvious to me
that we can just commit it by stating "it's too dangerous compared to
its benefit". I hope the decision was actually made via more
intensive consideration about the tradeoff between the real threat and
the benefit rather than a knee-jerk response that the simply commit
log may indicate.

BTW, it now looks that the IETF is reaching a consensus of deprecating
the type 0 routing header. If this actually happens, this change will
just conform to the new standard (and will be "officially" justified).

JINMEI, Tatuya
Communication Platform Lab.
Corporate R&D Center, Toshiba Corp.
***@isl.rdc.toshiba.co.jp

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Pavel Cahyna
2007-05-22 06:55:32 UTC
Permalink
Post by JINMEI Tatuya / 神明達哉
At Sun, 20 May 2007 08:09:21 +0000,
Post by Pavel Cahyna
Post by YAMAMOTO Takashi
Post by Pavel Cahyna
Also, I don't recall RH0 support being optional.
have you read the pdf referenced in a comment?
Yes.
Post by YAMAMOTO Takashi
don't you agree that it shouldn't be enabled?
No, though I agree it should be disabled by default.
I personally don't necessarily object to removing sysctl at this
stage, but I don't think the risk of keeping it (with the default
being "disable") at the moment is that high in reality either.
Keeping the sysctl knob does real harm if all of the following
- the administrator explicitly turns it on again
- the attacker finds the address of the node that re-enables the
feature (it's not always so easy)
- two such nodes are close enough (if there are many hops between
them, the amplification factor is limited), and
- the entire path between the two nodes is broad enough (since the
amplification effect is bound by the narrowest bandwidth in the path)
One should add that RH0 must not be filtered on the path between the
attacker and the node which re-enables the feature to make attacks
feasible.

The application I have in mind is to enable the feature on routers in
some administrative area and filter it at the border of this area, to
have a backup solution if dynamic routing breaks.

(I have suffered from broken dynamic routing often in community wireless
networks.)

Pavel

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Mihai Chelaru
2007-05-22 15:56:37 UTC
Permalink
remove net.inet6.ip6.rht0 sysctl.
it's too dangerous compared to its benefit.
This is inconsistent with IPv4. We have there net.inet.ip.{allow,forw}srcrt. I
don't believe we should decide what part of a standardized protocol we should
implement and what not only by reading a security advisory. Also, this _IS_
sometimes an usefull option although probably not for general use. If IETF
decides to deprecate it, fine, take it out. Until then I think it should be
controlled by a sysctl and disabled by default.
--
Mihai Chelaru

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Loading...