Commit 509aba3b authored by FX Le Bail's avatar FX Le Bail Committed by David S. Miller
Browse files

IPv6: add the option to use anycast addresses as source addresses in echo reply 

This change allows to follow a recommandation of RFC4942.

- Add "anycast_src_echo_reply" sysctl to control the use of anycast addresses
  as source addresses for ICMPv6 echo reply. This sysctl is false by default
  to preserve existing behavior.
- Add inline check ipv6_anycast_destination().
- Use them in icmpv6_echo_reply().

Reference:
RFC4942 - IPv6 Transition/Coexistence Security Considerations
   (http://tools.ietf.org/html/rfc4942#section-2.1.6

)

2.1.6. Anycast Traffic Identification and Security

   [...]
   To avoid exposing knowledge about the internal structure of the
   network, it is recommended that anycast servers now take advantage of
   the ability to return responses with the anycast address as the
   source address if possible.

Signed-off-by: default avatarFrancois-Xavier Le Bail <fx.lebail@yahoo.com>
Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 9ba75fb0

Documentation/networking/ip-sysctl.txt

+7 −0
Original line number Diff line number Diff line
@@ -1094,6 +1094,13 @@ bindv6only - BOOLEAN 


	Default: FALSE (as specified in RFC3493)



anycast_src_echo_reply - BOOLEAN

	Controls the use of anycast addresses as source addresses for ICMPv6

	echo reply

	TRUE:  enabled

	FALSE: disabled

	Default: FALSE



IPv6 Fragmentation:



ip6frag_high_thresh - INTEGER

include/net/ip6_route.h

+7 −0
Original line number Diff line number Diff line
@@ -152,6 +152,13 @@ static inline bool ipv6_unicast_destination(const struct sk_buff *skb) 
	return rt->rt6i_flags & RTF_LOCAL;

}



static inline bool ipv6_anycast_destination(const struct sk_buff *skb)

{

	struct rt6_info *rt = (struct rt6_info *) skb_dst(skb);



	return rt->rt6i_flags & RTF_ANYCAST;

}



int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *));



static inline int ip6_skb_dst_mtu(struct sk_buff *skb)

include/net/netns/ipv6.h

+1 −0
Original line number Diff line number Diff line
@@ -73,6 +73,7 @@ struct netns_ipv6 { 
#endif

	atomic_t		dev_addr_genid;

	atomic_t		rt_genid;

	int			anycast_src_echo_reply;

};



#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)

net/ipv6/icmp.c

+3 −1
Original line number Diff line number Diff line
@@ -556,7 +556,9 @@ static void icmpv6_echo_reply(struct sk_buff *skb) 


	saddr = &ipv6_hdr(skb)->daddr;



	if (!ipv6_unicast_destination(skb))

	if (!ipv6_unicast_destination(skb) &&

	    !(net->ipv6.anycast_src_echo_reply &&

	      ipv6_anycast_destination(skb)))

		saddr = NULL;



	memcpy(&tmp_hdr, icmph, sizeof(tmp_hdr));

net/ipv6/sysctl_net_ipv6.c

+8 −0
Original line number Diff line number Diff line
@@ -24,6 +24,13 @@ static struct ctl_table ipv6_table_template[] = { 
		.mode		= 0644,

		.proc_handler	= proc_dointvec

	},

	{

		.procname	= "anycast_src_echo_reply",

		.data		= &init_net.ipv6.anycast_src_echo_reply,

		.maxlen		= sizeof(int),

		.mode		= 0644,

		.proc_handler	= proc_dointvec

	},

	{ }

};
@@ -51,6 +58,7 @@ static int __net_init ipv6_sysctl_net_init(struct net *net) 
	if (!ipv6_table)

		goto out;

	ipv6_table[0].data = &net->ipv6.sysctl.bindv6only;

	ipv6_table[1].data = &net->ipv6.anycast_src_echo_reply;



	ipv6_route_table = ipv6_route_sysctl_init(net);

	if (!ipv6_route_table)

CRA Git | Maintained and supported by SUSTech CRA and CCSE