IP_MINTTL and RFC5082 (TTL security, GTSM) support
George Neville-Neil
gnn at neville-neil.com
Fri Sep 9 00:48:14 UTC 2011
On Aug 18, 2011, at 03:32 , Alexander V. Chernikov wrote:
> Hello list!
>
> FreeBSD has supported IP_MINTTL for a long time (since 5.x?). This is an RFC3682-compatible implementation.
>
> It is very simple: if we can associate an incoming packet with a socket, the socket is checked for a minimum TTL value. If such a value exists and the received packet's TTL is lower, the packet is dropped.
>
> However, it is not enough for real security. ICMP messages are not checked for the minimum TTL (which is now required by RFC 5082, section 6.1).
>
> ICMP messages are passed via the .pr_ctlinput upper-level protocol hook.
> The ICMP code, the originator address (sockaddr *) and part of the problem datagram (received in the ICMP packet) are passed as arguments.
>
> As a result, the TTL of the ICMP packet is not passed to the upper-layer protocol and TTL security cannot be enforced.
>
> What can possibly be done:
>
> * A new hook .pr_ctlinput2 with an additional argument pointing to the original ICMP header can be added. After that we convert all base code to use .pr_ctlinput2, and the appropriate icmp_input() parts can be changed like this:
>
>     /* prefer the new hook, which also receives the ICMP header */
>     ctlfunc2 = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput2;
>     if (ctlfunc2)
>         (*ctlfunc2)(code, (struct sockaddr *)&icmpsrc,
>             (void *)&icp->icmp_ip, (void *)icp);
>     else {
>         /* fall back to the existing hook for protocols not yet converted */
>         ctlfunc = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput;
>         if (ctlfunc)
>             (*ctlfunc)(code, (struct sockaddr *)&icmpsrc,
>                 (void *)&icp->icmp_ip);
>     }
>
> * .pr_ctlinput() can be altered (if it's not too late for 9.x), and some trick like supplying the TTL data directly after the (struct sockaddr *) can be used for the 8.x MFC.
>
>
> P.S. We should implement an IP_MINTTL variant for IPv6. I can submit patches, but this seems reasonable only after we have some solution for ICMP security.
>
> Linux people added a compatible option for IPv4 in 2.6.34:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d218d11133d888f9745802146a50255a4781d37a
>
> .. and IPV6_MINHOPCOUNT for IPv6 in 2.6.35:
>
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e802af9cabb011f09b9c19a82faef3dd315f27eb
>
> so we can consider using IPV6_MINHOPCOUNT as the appropriate setsockopt name.
Sounds good. Do you have a patch already? It seems like you might.
Best,
George
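Added example (not from this thread or from the FreeBSD source): the RFC 5082 rule Alexander describes, written out in user space so the two halves can be compared. The kernel-side half is just IP_MINTTL via setsockopt(); the user-space half shows the check that the mail says is still missing for ICMP, namely reading the TTL of the ICMP packet's own (outer) IPv4 header before the error is acted upon. All function names here (gtsm_min_ttl, gtsm_accept, ipv4_ttl, icmp_error_accept, enable_gtsm, query_minttl) and the sample packet bytes are this example's own constructions; IP_MINTTL is the real socket option on FreeBSD and Linux 2.6.34+.

```c
/* Added example, not code from the thread: GTSM (RFC 5082) checks in user
 * space, plus enabling the kernel-side IP_MINTTL filter.  Function names and
 * sample packets are hypothetical constructions for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define GTSM_MAX_TTL 255

/* RFC 5082: a peer at most trust_radius hops away must arrive with
 * TTL >= 255 - trust_radius.  A directly connected peer (radius 0) -> 255. */
int gtsm_min_ttl(int trust_radius)
{
    if (trust_radius < 0 || trust_radius > GTSM_MAX_TTL)
        return -1;
    return GTSM_MAX_TTL - trust_radius;
}

/* The IP_MINTTL rule: drop (0) when the received TTL is below the minimum. */
int gtsm_accept(int received_ttl, int min_ttl)
{
    return received_ttl >= min_ttl;
}

/* TTL byte of a raw IPv4 header is at offset 8.  Returns -1 on bad input. */
int ipv4_ttl(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    return pkt[8];
}

/* The check the mail says the kernel lacks: before an ICMP error reaches the
 * socket's pr_ctlinput handler, the OUTER header's TTL (the ICMP packet's own
 * TTL, not the quoted inner datagram's) must satisfy the socket minimum. */
int icmp_error_accept(const uint8_t *pkt, size_t len, int min_ttl)
{
    int ttl = ipv4_ttl(pkt, len);
    if (ttl < 0 || pkt[9] != IPPROTO_ICMP)   /* offset 9 = protocol */
        return 0;
    return gtsm_accept(ttl, min_ttl);
}

/* Kernel-side enforcement for one socket.  0 on success, -1 on failure or
 * when the platform headers do not define IP_MINTTL at all. */
int enable_gtsm(int fd, int min_ttl)
{
#ifdef IP_MINTTL
    return setsockopt(fd, IPPROTO_IP, IP_MINTTL, &min_ttl, sizeof(min_ttl));
#else
    (void)fd; (void)min_ttl;
    return -1;
#endif
}

/* Read the configured minimum back, -1 if unavailable. */
int query_minttl(int fd)
{
#ifdef IP_MINTTL
    int v = -1;
    socklen_t l = sizeof(v);
    if (getsockopt(fd, IPPROTO_IP, IP_MINTTL, &v, &l) != 0)
        return -1;
    return v;
#else
    (void)fd;
    return -1;
#endif
}

/* Constructed sample: 20-byte IPv4 header, protocol ICMP, TTL 254, i.e. an
 * ICMP error sent by a peer one hop away (192.0.2.1 -> 192.0.2.2). */
const uint8_t sample_icmp_ttl254[20] = {
    0x45, 0x00, 0x00, 0x38, 0x00, 0x00, 0x40, 0x00,
    254,  IPPROTO_ICMP, 0x00, 0x00,
    192, 0, 2, 1,
    192, 0, 2, 2
};

/* Constructed sample: same header with TTL 64, a forwarded packet from far
 * away that claims to be an ICMP error for our session. */
const uint8_t sample_icmp_ttl64[20] = {
    0x45, 0x00, 0x00, 0x38, 0x00, 0x00, 0x40, 0x00,
    64,   IPPROTO_ICMP, 0x00, 0x00,
    198, 51, 100, 9,
    192, 0, 2, 2
};

int main(void)
{
    int min_ttl = gtsm_min_ttl(1);   /* neighbour one hop away -> 254 */
    printf("min TTL for radius 1: %d\n", min_ttl);
    printf("ICMP error with TTL 254: %s\n",
           icmp_error_accept(sample_icmp_ttl254, 20, min_ttl) ? "accept" : "drop");
    printf("ICMP error with TTL 64:  %s\n",
           icmp_error_accept(sample_icmp_ttl64, 20, min_ttl) ? "accept" : "drop");

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0) {
        printf("IP_MINTTL on socket: %s, readback %d\n",
               enable_gtsm(fd, min_ttl) == 0 ? "set" : "failed", query_minttl(fd));
        close(fd);
    }
    return 0;
}
```

The socket part only protects packets that the kernel can match to that socket (TCP/UDP payload); the icmp_error_accept() path is what a kernel would have to run inside icmp_input() before calling the protocol's ctlinput hook, which is exactly the gap the proposed .pr_ctlinput2 argument (a pointer to the original ICMP header, from which the outer TTL is reachable) would close.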