IP_MINTTL and RFC5082 (TTL security, GTSM) support
Alexander V. Chernikov
melifaro at ipfw.ru
Thu Aug 18 07:33:05 UTC 2011
Hello list!
FreeBSD has supported IP_MINTTL since long ago (5.x?). This is an
RFC3682-compatible implementation.
It is very simple: if we can associate an incoming packet with any socket,
the socket is checked for a minimum TTL value. If such a value exists
and the received packet's TTL is lower, the packet is dropped.
However, it is not enough for real security. ICMP messages are not
checked for minimum TTL (which is now required by RFC 5082 6.1.)
ICMP messages are passed via the .pr_ctlinput upper level protocol hook.
The ICMP code, originator address (sockaddr *) and part of the problem datagram
(received in the ICMP packet) are passed as arguments.
As a result, the TTL of the ICMP packet is not passed to the upper layer protocol and
TTL security cannot be enforced.
What can possibly be done:
* New hook .pr_ctlinput2 with additional argument pointing to original
ICMP header can be added. After that we convert all base code to use
.pr_ctlinput2 and appropriate icmp_input() parts can be changed like this:
    ctlfunc2 = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput2;
    if (ctlfunc2)
        (*ctlfunc2)(code, (struct sockaddr *)&icmpsrc,
            (void *)&icp->icmp_ip, (void *)icp);
    else {
        ctlfunc = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput;
        if (ctlfunc)
            (*ctlfunc)(code, (struct sockaddr *)&icmpsrc,
                (void *)&icp->icmp_ip);
    }
* .pr_ctlinput() can be altered (if it's not too late for 9.x) and some
trick like supplying TTL data directly after (struct sockaddr*) can be
used as 8.x MFC
P.S. We should implement an IP_MINTTL variant for IPv6. I can submit
patches, but this seems to be reasonable only after we get some solution
for ICMP security.
Linux people added a compatible option for IPv4 in 2.6.34:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d218d11133d888f9745802146a50255a4781d37a
.. and IPV6_MINHOPCOUNT for IPv6 in 2.6.35:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e802af9cabb011f09b9c19a82faef3dd315f27eb
so we can consider using IPV6_MINHOPCOUNT as the appropriate setsockopt name.
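As an added illustration (not code from the original post or from FreeBSD), this is how a userland daemon enables TTL security on its socket with IP_MINTTL, together with the per-socket check the post describes and the RFC 5082 rule for deriving the minimum from the peer's hop distance. The function names gtsm_min_ttl, gtsm_accept and gtsm_enable are hypothetical; the program assumes a kernel that defines IP_MINTTL in <netinet/in.h>.

```c
/* Added example, not from the original post; function names are illustrative. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* RFC 5082: a peer at most `hops` routers away sends TTL 255, so the receiver
 * accepts only TTL >= 255 - hops. Returns -1 for an invalid hop count. */
int gtsm_min_ttl(int hops)
{
    if (hops < 0 || hops > 254)
        return -1;
    return 255 - hops;
}

/* The per-socket check the post describes: 1 = accept, 0 = drop.
 * min_ttl == 0 means no minimum configured (the socket default). */
int gtsm_accept(int min_ttl, int pkt_ttl)
{
    return min_ttl == 0 || pkt_ttl >= min_ttl;
}

/* Apply IP_MINTTL to an existing IPv4 socket: 0 on success, -1 with errno
 * set if the hop count is bad or this kernel lacks the option. */
int gtsm_enable(int fd, int hops)
{
    int minttl = gtsm_min_ttl(hops);
    if (minttl < 0) {
        errno = EINVAL;
        return -1;
    }
#ifdef IP_MINTTL
    return setsockopt(fd, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl));
#else
    errno = ENOPROTOOPT;
    return -1;
#endif
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    if (gtsm_enable(fd, 0) < 0) /* directly connected peer: only TTL 255 passes */
        perror("setsockopt(IP_MINTTL)");
    close(fd);
    return 0;
}
```

Note that, as the post points out, the kernel applies this minimum only to segments matched to the socket; ICMP errors referring to the connection are not covered by it.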