[ovs-dev] [IPv6 6/7] nicira-ext: Support matching IPv6 Neighbor Discovery messages.
Justin Pettit
jpettit at nicira.com
Sat Jan 22 20:58:14 UTC 2011
On Jan 22, 2011, at 8:24 AM, Ben Pfaff wrote:
> On Sat, Jan 22, 2011 at 2:49 AM, Justin Pettit <jpettit at nicira.com> wrote:
>> On Jan 21, 2011, at 2:56 PM, Ben Pfaff wrote:
>>> Also in parse_icmpv6(), what's the proper handling of an ND message with
>>> duplicate ND_OPT_SOURCE_LL_ADDR or ND_OPT_TARGET_LL_ADDR options? This
>>> could be a security issue, if different implementations do it
>>> differently.
>>
>> Yeah, the same thing had occurred to me. Here's the only thing RFC 2461 says about it:
>>
>> Options in Neighbor Discovery packets can appear in any order;
>> receivers MUST be prepared to process them independently of their
>> order. There can also be multiple instances of the same option in a
>> message (e.g., Prefix Information options).
>>
>> So, really, there's no answer about what to do in these circumstances that I could determine.
>
> Hmm, I'd be tempted to consider it an error and reject it.
That is my initial reaction, too. (My original set of IPv6 patches took a more aggressive stance towards only forwarding traffic that we know is good.) However, I think we decided that we should really be acting in a "switch" mode (as opposed to an "IPS"-like mode) and only dropping packets that we know match a rule that the user defined and not performing any kind of sanitization. I'm certainly open to discussing this further, though.
--Justin
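To make the ambiguity concrete, here is an added example (not OVS's parse_icmpv6() or any code from this thread) of a small ND option walker that records how many ND_OPT_SOURCE_LL_ADDR / ND_OPT_TARGET_LL_ADDR options a message carries, rejects what RFC 2461 already requires receivers to discard (an option with length zero or one that runs past the end of the packet), and then applies either of the two policies discussed above: the strict "reject duplicates" stance or the "switch" stance that forwards and simply takes the first instance as the match field. The constant names come from the thread, their values (1 and 2) from RFC 2461 section 4.6; the sample option blocks are constructed, not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ND option type codes, RFC 2461 section 4.6 (names as used in the thread). */
#define ND_OPT_SOURCE_LL_ADDR 1
#define ND_OPT_TARGET_LL_ADDR 2

enum nd_parse_result {
    ND_OK = 0,              /* well-formed, at most one of each LL-address option */
    ND_DUPLICATE_LL_ADDR,   /* the same LL-address option appeared more than once */
    ND_MALFORMED            /* zero-length option or option past end of buffer */
};

struct nd_opts {
    const uint8_t *sll;     /* first source link-layer address body, or NULL */
    const uint8_t *tll;     /* first target link-layer address body, or NULL */
    unsigned n_sll, n_tll;  /* how many times each option was seen */
};

/* Walk the TLV options that follow the fixed ND header.  'buf'/'len' cover
 * only the option area.  Each option is type (1 byte), length in units of
 * 8 octets (1 byte), then the body. */
enum nd_parse_result
parse_nd_options(const uint8_t *buf, size_t len, struct nd_opts *out)
{
    size_t off = 0;

    memset(out, 0, sizeof *out);
    while (off < len) {
        if (len - off < 2) {
            return ND_MALFORMED;            /* truncated type/length pair */
        }
        uint8_t type = buf[off];
        size_t opt_len = (size_t) buf[off + 1] * 8;

        /* RFC 2461: a zero length is invalid and the packet MUST be
         * discarded; an option claiming more bytes than remain is treated
         * the same way so the walk can never read past the buffer. */
        if (opt_len == 0 || opt_len > len - off) {
            return ND_MALFORMED;
        }
        const uint8_t *body = buf + off + 2;   /* >= 6 bytes, fits a MAC */

        if (type == ND_OPT_SOURCE_LL_ADDR) {
            if (!out->sll) out->sll = body;     /* keep the first instance */
            out->n_sll++;
        } else if (type == ND_OPT_TARGET_LL_ADDR) {
            if (!out->tll) out->tll = body;
            out->n_tll++;
        }
        /* other option types (prefix info, MTU, ...) are skipped */
        off += opt_len;
    }
    return (out->n_sll > 1 || out->n_tll > 1) ? ND_DUPLICATE_LL_ADDR : ND_OK;
}

/* Forwarding decision under the two policies from the thread.  strict=true
 * is the "treat a duplicate as an error" stance; strict=false is the
 * "switch" stance that forwards anything the RFC does not require dropping
 * and matches on the first instance of the option. */
bool
nd_accept(enum nd_parse_result r, bool strict)
{
    if (r == ND_MALFORMED) return false;
    if (r == ND_DUPLICATE_LL_ADDR) return !strict;
    return true;
}

/* Constructed sample option blocks (Ethernet LL addresses, length = 1 unit). */
static const uint8_t SAMPLE_OK[] = {
    1, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55            /* one source LL addr */
};
static const uint8_t SAMPLE_DUP_SLL[] = {
    1, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,           /* source LL addr */
    1, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x66            /* same option again */
};
static const uint8_t SAMPLE_ZERO_LEN[] = {
    1, 0, 0, 0, 0, 0, 0, 0                              /* length 0: invalid */
};
static const uint8_t SAMPLE_TRUNC[] = {
    2, 2, 0, 0, 0, 0, 0, 0                              /* claims 16, has 8 */
};

int
main(void)
{
    struct nd_opts o;
    enum nd_parse_result r = parse_nd_options(SAMPLE_DUP_SLL, sizeof SAMPLE_DUP_SLL, &o);
    printf("duplicate sample: result=%d n_sll=%u strict=%s switch=%s\n",
           (int) r, o.n_sll, nd_accept(r, true) ? "forward" : "drop",
           nd_accept(r, false) ? "forward" : "drop");
    return 0;
}
```

Whichever policy is chosen, the parser itself stays deterministic about which instance populates the match field (the first one here), so two OVS instances, or OVS and the host stack, at least disagree in a documented way rather than by accident.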