[PATCH] ipv6: add anti-spoofing checks for 6to4 and 6rd

[PATCH] ipv6: add anti-spoofing checks for 6to4 and 6rd

[Hannes Frederic Sowa]

This patch adds anti-spoofing checks in sit.c as specified in RFC3964
section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the
checks which could easily be implemented with netfilter.

Specifically this patch adds following logic (based loosely on the
pseudocode in RFC3964 section 5.2):

if prefix (inner_src_v6) == rd6_prefix (2002::/16 is the default)
        and outer_src_v4 != embedded_ipv4 (inner_src_v6)
                drop
if prefix (inner_dst_v6) == rd6_prefix (or 2002::/16 is the default)
        and outer_dst_v4 != embedded_ipv4 (inner_dst_v6)
                drop
accept

To accomplish the specified security checks proposed by above RFCs,
it is still necessary to employ uRPF filters with netfilter. These new
checks only kick in if the employed addresses are within the 2002::/16 or
another range specified by the 6rd-prefix (which defaults to 2002::/16).

Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
---
 net/ipv6/sit.c | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index cfba99b..5a09f13 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -73,6 +73,8 @@ static int ipip6_tunnel_init(struct net_device *dev);
 static void ipip6_tunnel_setup(struct net_device *dev);
 static void ipip6_dev_free(struct net_device *dev);
 static struct rtnl_link_ops sit_link_ops __read_mostly;
+static inline __be32 try_6rd(const struct in6_addr *v6dst,
+			     struct ip_tunnel *tunnel);
 
 static int sit_net_id __read_mostly;
 struct sit_net {
@@ -590,6 +592,22 @@ out:
 	return err;
 }
 
+static int sit_chk_encap_addr(struct ip_tunnel *tunnel, const __be32 *addr,
+			      const struct in6_addr *addr6)
+{
+#ifdef CONFIG_IPV6_SIT_6RD
+	if (ipv6_prefix_equal(addr6, &tunnel->ip6rd.prefix,
+			      tunnel->ip6rd.prefixlen) &&
+	    *addr != try_6rd(addr6, tunnel))
+		return 0;
+#else
+	if (addr6->s6_addr16[0] == htons(0x2002) &&
+	    *addr != try_6rd(addr6, tunnel))
+		return 0;
+#endif
+	return 1;
+}
+
 static int ipip6_rcv(struct sk_buff *skb)
 {
 	const struct iphdr *iph;
@@ -613,8 +631,15 @@ static int ipip6_rcv(struct sk_buff *skb)
 		skb->protocol = htons(ETH_P_IPV6);
 		skb->pkt_type = PACKET_HOST;
 
-		if ((tunnel->dev->priv_flags & IFF_ISATAP) &&
-		    !isatap_chksrc(skb, iph, tunnel)) {
+		if (tunnel->dev->priv_flags & IFF_ISATAP) {
+			if (!isatap_chksrc(skb, iph, tunnel)) {
+				tunnel->dev->stats.rx_errors++;
+				goto out;
+			}
+		} else if (!sit_chk_encap_addr(tunnel, &iph->saddr,
+					       &ipv6_hdr(skb)->saddr) ||
+			   !sit_chk_encap_addr(tunnel, &iph->daddr,
+					       &ipv6_hdr(skb)->daddr)) {
 			tunnel->dev->stats.rx_errors++;
 			goto out;
 		}
-- 
1.7.11.7

Re: [PATCH] ipv6: add anti-spoofing checks for 6to4 and 6rd

[YOSHIFUJI Hideaki]

(2013年01月19日 05:04), Hannes Frederic Sowa wrote:
> This patch adds anti-spoofing checks in sit.c as specified in RFC3964
> section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the
> checks which could easily be implemented with netfilter.
> 
> Specifically this patch adds following logic (based loosely on the
> pseudocode in RFC3964 section 5.2):
> 
> if prefix (inner_src_v6) == rd6_prefix (2002::/16 is the default)
>         and outer_src_v4 != embedded_ipv4 (inner_src_v6)
>                 drop
> if prefix (inner_dst_v6) == rd6_prefix (or 2002::/16 is the default)
>         and outer_dst_v4 != embedded_ipv4 (inner_dst_v6)
>                 drop
> accept
> 
> To accomplish the specified security checks proposed by above RFCs,
> it is still necessary to employ uRPF filters with netfilter. These new
> checks only kick in if the employed addresses are within the 2002::/16 or
> another range specified by the 6rd-prefix (which defaults to 2002::/16).

It seems this breaks 6rd receiving rules:

BR:
	if (outer src ip4 != embedded src ip4)
		drop();
CE:
	if (outer src ip4 != embedded src ip4 ||
	    inner dest ip6 != configured ip6 prefix)
		drop();

No?

--yoshfuji

Re: [PATCH] ipv6: add anti-spoofing checks for 6to4 and 6rd

[Hannes Frederic Sowa]

On Sat, Jan 19, 2013 at 10:35:49AM +0900, YOSHIFUJI Hideaki wrote:
> (2013年01月19日 05:04), Hannes Frederic Sowa wrote:
> > This patch adds anti-spoofing checks in sit.c as specified in RFC3964
> > section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the
> > checks which could easily be implemented with netfilter.
> > 
> > Specifically this patch adds following logic (based loosely on the
> > pseudocode in RFC3964 section 5.2):
> > 
> > if prefix (inner_src_v6) == rd6_prefix (2002::/16 is the default)
> >         and outer_src_v4 != embedded_ipv4 (inner_src_v6)
> >                 drop
> > if prefix (inner_dst_v6) == rd6_prefix (or 2002::/16 is the default)
> >         and outer_dst_v4 != embedded_ipv4 (inner_dst_v6)
> >                 drop
> > accept
> > 
> > To accomplish the specified security checks proposed by above RFCs,
> > it is still necessary to employ uRPF filters with netfilter. These new
> > checks only kick in if the employed addresses are within the 2002::/16 or
> > another range specified by the 6rd-prefix (which defaults to 2002::/16).
> 
> It seems this breaks 6rd receiving rules:
> 
> BR:
> 	if (outer src ip4 != embedded src ip4)
> 		drop();
> CE:
> 	if (outer src ip4 != embedded src ip4 ||
> 	    inner dest ip6 != configured ip6 prefix)
> 		drop();
> 
> No?

Could you give me a concrete example? I have tested this patch on BR
and CE with different 6rd prefixes (and lengths) and have not seen
any breakage. Perhaps I am missing something.

Thanks,

  Hannes

Re: [PATCH] ipv6: add anti-spoofing checks for 6to4 and 6rd

[Hannes Frederic Sowa]

Hello!

On Sat, Jan 19, 2013 at 10:35:49AM +0900, YOSHIFUJI Hideaki wrote:
> It seems this breaks 6rd receiving rules:
> 
> BR:
> 	if (outer src ip4 != embedded src ip4)
> 		drop();

Of course, this would break 6rd as would it break 6to4. Note here, that
I also check for the inner ipv6 prefix. This check is only done, if the
inner ipv6 prefix matches a) the 6to4 prefix or b) the 6rd prefix. In 6rd,
as in 6to4, communication between 6rd nodes should take place directly,
without need for a relay. (Otherwise packets would get dropped, because
both source and destination ipv6 address would be in the 6rd/6to4 prefix
and the ipv4 addresses would not match, because one of them would be
the relay address.)

> CE:
> 	if (outer src ip4 != embedded src ip4 ||
> 	    inner dest ip6 != configured ip6 prefix)
> 		drop();

Dito, would also break 6to4. Every packet from non-6rd domain would
violate this rule. I do also check the 6rd/6to4 prefix in this case.

In general, if the inner ipv6 address, regardless of source or
destination, does not match the 6rd/6to4 prefix, the packet will pass
without further checks from my patch.

> 
> No?

I think that the distinction between BR and CE would make thinks just
more complicated. Also 6rd can be seen as a superset of 6to4 and should
not make any changes to the receiving rules, except being more tight.

Thanks,

  Hannes

Re: [PATCH] ipv6: add anti-spoofing checks for 6to4 and 6rd

[David Miller]

From: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Thu, 17 Jan 2013 21:07:33 +0100

> +#ifdef CONFIG_IPV6_SIT_6RD
> +	if (ipv6_prefix_equal(addr6, &tunnel->ip6rd.prefix,
> +				tunnel->ip6rd.prefixlen) &&
> +		*addr != try_6rd(addr6, tunnel))
> +		return 0;
> +#else
> +	if (addr6->s6_addr16[0] == htons(0x2002) &&
> +		*addr != try_6rd(addr6, tunnel))
> +		return 0;
> +#endif
> +	return 1;
> +}
 ...
> +		} else if (!sit_chk_encap_addr(tunnel, &iph->saddr,
> +					&ipv6_hdr(skb)->saddr) ||
> +			!sit_chk_encap_addr(tunnel, &iph->daddr,
> +				&ipv6_hdr(skb)->daddr)) {

None of these conditionals are indented properly, please fix this up.
Both conditionals and function calls that span multiple lines must use
the column after the openning parenthesis of the initial line as the
left justification of subsequent lines.

I see what you're doing, just using TAB characters exclusively to
ident, don't do that.  You must use the appropriate combination of
TAB and space characters to achieve the correct indentaiton.

Re: [PATCH] ipv6: add anti-spoofing checks for 6to4 and 6rd

[Hannes Frederic Sowa]

On Fri, Jan 18, 2013 at 12:44:11AM +0900, YOSHIFUJI Hideaki wrote:
> It seems wrong.  Check should be done for
> - inner source prefix
> - embedded source with relay_prefix.
> - inner destination prefix.
> 
> Note: embedded destination is not being checked.

I fixed the handling of the embedded IPv4 in case of using 6rd
with prefixlen != 16. I'll investigate on how to easily implement
further address checks without breaking 6in4. I don't know if this is
possible without a further flag on the tunnel interface controlling
source/destination address checking.

[PATCH RFC] ipv6: add anti-spoofing checks for 6to4 and 6rd

This patch adds anti-spoofing checks in sit.c as specified in RFC3964
section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the
checks which could easily be implemented with netfilter.

Specifically this patch adds following logic (based loosely on the
pseudocode in RFC3964 section 5.2):

if prefix (inner_src_v6) == rd6_prefix (2002::/16 is the default)
	and outer_src_v4 != embedded_ipv4 (inner_src_v6)
		drop
if prefix (inner_dst_v6) == rd6_prefix (or 2002::/16 is the default)
	and outer_dst_v4 != embedded_ipv4 (inner_dst_v6)
		drop
accept

To accomplish the specified security checks proposed by above RFCs,
it is still necessary to employ uRPF filters with netfilter. These new
checks only kick in if the employed addresses are within the 2002::/16 or
another range specified by the 6rd-prefix (which defaults to 2002::/16).

Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
---
 net/ipv6/sit.c | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index cfba99b..7942e81 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -73,6 +73,8 @@ static int ipip6_tunnel_init(struct net_device *dev);
 static void ipip6_tunnel_setup(struct net_device *dev);
 static void ipip6_dev_free(struct net_device *dev);
 static struct rtnl_link_ops sit_link_ops __read_mostly;
+static inline __be32 try_6rd(const struct in6_addr *v6dst,
+			struct ip_tunnel *tunnel);
 
 static int sit_net_id __read_mostly;
 struct sit_net {
@@ -590,6 +592,22 @@ out:
 	return err;
 }
 
+static int sit_chk_encap_addr(struct ip_tunnel *tunnel, const __be32 *addr,
+		const struct in6_addr *addr6)
+{
+#ifdef CONFIG_IPV6_SIT_6RD
+	if (ipv6_prefix_equal(addr6, &tunnel->ip6rd.prefix,
+				tunnel->ip6rd.prefixlen) &&
+		*addr != try_6rd(addr6, tunnel))
+		return 0;
+#else
+	if (addr6->s6_addr16[0] == htons(0x2002) &&
+		*addr != try_6rd(addr6, tunnel))
+		return 0;
+#endif
+	return 1;
+}
+
 static int ipip6_rcv(struct sk_buff *skb)
 {
 	const struct iphdr *iph;
@@ -613,8 +631,15 @@ static int ipip6_rcv(struct sk_buff *skb)
 		skb->protocol = htons(ETH_P_IPV6);
 		skb->pkt_type = PACKET_HOST;
 
-		if ((tunnel->dev->priv_flags & IFF_ISATAP) &&
-		    !isatap_chksrc(skb, iph, tunnel)) {
+		if (tunnel->dev->priv_flags & IFF_ISATAP) {
+			if (!isatap_chksrc(skb, iph, tunnel)) {
+				tunnel->dev->stats.rx_errors++;
+				goto out;
+			}
+		} else if (!sit_chk_encap_addr(tunnel, &iph->saddr,
+					&ipv6_hdr(skb)->saddr) ||
+			!sit_chk_encap_addr(tunnel, &iph->daddr,
+				&ipv6_hdr(skb)->daddr)) {
 			tunnel->dev->stats.rx_errors++;
 			goto out;
 		}
-- 
1.7.11.7

Re: [PATCH] ipv6: add anti-spoofing checks for 6to4 and 6rd

[Hannes Frederic Sowa]

On Fri, Jan 18, 2013 at 12:44:11AM +0900, YOSHIFUJI Hideaki wrote:
> Hannes Frederic Sowa wrote:
> > This patch adds anti-spoofing checks in sit.c as specified in RFC3964
> > section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the
> > checks which could easily be implemented with netfilter.
> > 
> > Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
> > ---
> >  net/ipv6/sit.c | 27 +++++++++++++++++++++++++--
> >  1 file changed, 25 insertions(+), 2 deletions(-)
> > 
> > diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
> > index cfba99b..2b4c15a 100644
> > --- a/net/ipv6/sit.c
> > +++ b/net/ipv6/sit.c
> > @@ -590,6 +590,22 @@ out:
> >  	return err;
> >  }
> >  
> > +static int sit_chksrc(struct ip_tunnel *tunnel, const __be32 *addr,
> > +		const struct in6_addr *addr6)
> > +{
> > +#ifdef CONFIG_IPV6_SIT_6RD
> > +	if (ipv6_prefix_equal(addr6, &tunnel->ip6rd.prefix,
> > +				tunnel->ip6rd.prefixlen) &&
> > +		memcmp(addr, &addr6->s6_addr16[1], 4))
> > +		return 0;
> > +#else
> > +	if (addr6->s6_addr16[0] == htons(0x2002) &&
> > +		memcmp(addr, &addr6->s6_addr16[1], 4))
> > +		return 0;
> > +#endif
> > +	return 1;
> >
> 
> It seems wrong.  Check should be done for
> - inner source prefix

I intentionally skipped this check because it could be easily checked
with netfilter (after decapsulation) and I am a bit afraid breaking
already working setups with non-standard prefixes. Do you think I should
add this check anyway?

> - embedded source with relay_prefix.

I'll use try_6rd to extract the ipv4 address and check it against the
outer address. I will check this later if I have access to my test setup.

> - inner destination prefix.
>
> Note: embedded destination is not being checked.

Also left these checks out because of the same reasons I stated above. Should
they be added?

Thanks for the review!

Re: [PATCH] ipv6: add anti-spoofing checks for 6to4 and 6rd

[YOSHIFUJI Hideaki]

Hannes Frederic Sowa wrote:
> This patch adds anti-spoofing checks in sit.c as specified in RFC3964
> section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the
> checks which could easily be implemented with netfilter.
> 
> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
> ---
>  net/ipv6/sit.c | 27 +++++++++++++++++++++++++--
>  1 file changed, 25 insertions(+), 2 deletions(-)
> 
> diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
> index cfba99b..2b4c15a 100644
> --- a/net/ipv6/sit.c
> +++ b/net/ipv6/sit.c
> @@ -590,6 +590,22 @@ out:
>  	return err;
>  }
>  
> +static int sit_chksrc(struct ip_tunnel *tunnel, const __be32 *addr,
> +		const struct in6_addr *addr6)
> +{
> +#ifdef CONFIG_IPV6_SIT_6RD
> +	if (ipv6_prefix_equal(addr6, &tunnel->ip6rd.prefix,
> +				tunnel->ip6rd.prefixlen) &&
> +		memcmp(addr, &addr6->s6_addr16[1], 4))
> +		return 0;
> +#else
> +	if (addr6->s6_addr16[0] == htons(0x2002) &&
> +		memcmp(addr, &addr6->s6_addr16[1], 4))
> +		return 0;
> +#endif
> +	return 1;
>

It seems wrong.  Check should be done for
- inner source prefix
- embedded source with relay_prefix.
- inner destination prefix.

Note: embedded destination is not being checked.

--yoshfuji

Re: [PATCH] ipv6: add anti-spoofing checks for 6to4 and 6rd

[Hannes Frederic Sowa]

On Thu, Jan 17, 2013 at 04:32:58AM +0100, Hannes Frederic Sowa wrote:
> +static int sit_chksrc(struct ip_tunnel *tunnel, const __be32 *addr,
> +		const struct in6_addr *addr6)
> +{
> +#ifdef CONFIG_IPV6_SIT_6RD
> +	if (ipv6_prefix_equal(addr6, &tunnel->ip6rd.prefix,
> +				tunnel->ip6rd.prefixlen) &&
> +		memcmp(addr, &addr6->s6_addr16[1], 4))
> +		return 0;

This is wrong. David, please drop my patch, sorry. I will respin another one.
In 6rd setups one can, of course, have longer prefixlens than 16.

Thanks!

[PATCH] ipv6: add anti-spoofing checks for 6to4 and 6rd

[Hannes Frederic Sowa]

This patch adds anti-spoofing checks in sit.c as specified in RFC3964
section 5.2 for 6to4 and RFC5969 section 12 for 6rd. I left out the
checks which could easily be implemented with netfilter.

Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
---
 net/ipv6/sit.c | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index cfba99b..2b4c15a 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -590,6 +590,22 @@ out:
 	return err;
 }
 
+static int sit_chksrc(struct ip_tunnel *tunnel, const __be32 *addr,
+		const struct in6_addr *addr6)
+{
+#ifdef CONFIG_IPV6_SIT_6RD
+	if (ipv6_prefix_equal(addr6, &tunnel->ip6rd.prefix,
+				tunnel->ip6rd.prefixlen) &&
+		memcmp(addr, &addr6->s6_addr16[1], 4))
+		return 0;
+#else
+	if (addr6->s6_addr16[0] == htons(0x2002) &&
+		memcmp(addr, &addr6->s6_addr16[1], 4))
+		return 0;
+#endif
+	return 1;
+}
+
 static int ipip6_rcv(struct sk_buff *skb)
 {
 	const struct iphdr *iph;
@@ -613,8 +629,15 @@ static int ipip6_rcv(struct sk_buff *skb)
 		skb->protocol = htons(ETH_P_IPV6);
 		skb->pkt_type = PACKET_HOST;
 
-		if ((tunnel->dev->priv_flags & IFF_ISATAP) &&
-		    !isatap_chksrc(skb, iph, tunnel)) {
+		if (tunnel->dev->priv_flags & IFF_ISATAP) {
+			if (!isatap_chksrc(skb, iph, tunnel)) {
+				tunnel->dev->stats.rx_errors++;
+				goto out;
+			}
+		} else if (!sit_chksrc(tunnel, &iph->saddr,
+					&ipv6_hdr(skb)->saddr) ||
+			!sit_chksrc(tunnel, &iph->daddr,
+				&ipv6_hdr(skb)->daddr)) {
 			tunnel->dev->stats.rx_errors++;
 			goto out;
 		}
-- 
1.7.11.7