Commit 9d289715 authored by Hagen Paul Pfeifer's avatar Hagen Paul Pfeifer Committed by David S. Miller
Browse files

ipv6: stop sending PTB packets for MTU < 1280 

Reduce the attack vector and stop generating IPv6 Fragment Header for
paths with an MTU smaller than the minimum required IPv6 MTU
size (1280 byte) - called atomic fragments.

See IETF I-D "Deprecating the Generation of IPv6 Atomic Fragments" [1]
for more information and how this "feature" can be misused.

[1] https://tools.ietf.org/html/draft-ietf-6man-deprecate-atomfrag-generation-00



Signed-off-by: default avatarFernando Gont <fgont@si6networks.com>
Signed-off-by: default avatarHagen Paul Pfeifer <hagen@jauu.net>
Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 2061dcd6

net/ipv6/route.c

+2 −5
Original line number Diff line number Diff line
@@ -1160,12 +1160,9 @@ static void ip6_rt_update_pmtu(struct dst_entry *dst, struct sock *sk, 
		struct net *net = dev_net(dst->dev);



		rt6->rt6i_flags |= RTF_MODIFIED;

		if (mtu < IPV6_MIN_MTU) {

			u32 features = dst_metric(dst, RTAX_FEATURES);

		if (mtu < IPV6_MIN_MTU)

			mtu = IPV6_MIN_MTU;

			features |= RTAX_FEATURE_ALLFRAG;

			dst_metric_set(dst, RTAX_FEATURES, features);

		}



		dst_metric_set(dst, RTAX_MTU, mtu);

		rt6_update_expires(rt6, net->ipv6.sysctl.ip6_rt_mtu_expires);

	}

CRA Git | Maintained and supported by SUSTech CRA and CCSE