All of lore.kernel.org
 help / color / mirror / Atom feed
From: Stas Sergeev <stsp@list.ru>
To: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Cc: netdev <netdev@vger.kernel.org>
Subject: Re: Q: bad routing table cache entries
Date: Tue, 29 Dec 2015 15:43:44 +0300	[thread overview]
Message-ID: <56828000.9040703@list.ru> (raw)
In-Reply-To: <20151229123229.GA22743@oracle.com>

29.12.2015 15:32, Sowmini Varadhan пишет:
> On (12/29/15 15:06), Stas Sergeev wrote:
>> Router on 192.168.8.1 is just a PC with ubuntu, w/o any special
>> software. I'd be very surprised if it does so. As I understand,
>> linux would accept such ICMP redirect only from the router, or
>> could someone else also send them?
> 
> If someone elase can spoof redirects on your network, you have
> a much bigger network management problem- at that point, how can you
> trust anything, e.g., a default rdisc rtradv?
Well, I have /proc/sys/net/ipv4/conf/all/secure_redirects set to 1,
so it should be a router I suppose. But this is strange and I wonder
why does it do so very rarely (but that's something for me to investigate).

>> But what worries me more, is the question:
>> Should the linux kernel really silently accept those, breaking
>> the routing in a completely unexpected ways? Isn't it a bug?
> 
> How is the receiver supposed to know that the redirect was "bad"?
> 
> In your example, you claimed that
> 
> a "good" redirect was:
>      ip route get 91.189.89.237
>      91.189.89.237 via 192.168.8.1 dev eth0  src 192.168.10.202
>          cache
> 
> but a "bad" one was:
> 
>     ip route get 91.189.89.238
>     91.189.89.238 via 192.168.0.1 dev eth0  src 192.168.10.202
>         cache <redirected>
> 
> Its not clear to me what the netmask on eth0 is - is this a /16
But I demonstrated the netmask in a very first posting, and here it is:

ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:50:43:00:0b:e0
          inet addr:192.168.10.202  Bcast:192.168.11.255  Mask:255.255.252.0


> (in which case both redirs are "good" as far as the receiver can tell)?
> Are the 2 gws also on a /16? or something longer?
Yes, the problem is exactly that: the mask is longer.
So the route is bad, and the packets are routed to the "lo"
interface instead - I checked that with tcpdump.

>> The sanity check against netmask looks trivial, so why it is not there?
> 
> According to rfc1812 (pg 82-84)
> 
>    Routers MUST NOT generate a Redirect Message unless all the following
>    conditions are met:
> 
>    o The packet is being forwarded out the same physical interface that
>       it was received from,
> 
>    o The IP source address in the packet is on the same Logical IP
>       (sub)network as the next-hop IP address, and
> 
>    o The packet does not contain an IP source route option.
> 
> The second condition seems to have been violated by the router. I 
> suppose it might not hurt if the receiver can do some sanity checking
> on the redirect but this might not eliminate every error, since
> it might not be possible to detect netmask mismatch in every case.
Not sure what case you mean, but at least as simple error as I am
having, should be possible to detect.

  reply	other threads:[~2015-12-29 12:51 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-12-29 10:54 Q: bad routing table cache entries Stas Sergeev
2015-12-29 11:58 ` Sowmini Varadhan
2015-12-29 12:06   ` Stas Sergeev
2015-12-29 12:32     ` Sowmini Varadhan
2015-12-29 12:43       ` Stas Sergeev [this message]
2015-12-29 13:19 ` Stas Sergeev
2015-12-29 15:22 ` Sowmini Varadhan
2015-12-29 15:38   ` Stas Sergeev
2015-12-29 17:40     ` Stas Sergeev
2015-12-30 12:42   ` Stas Sergeev
2015-12-30 14:17     ` Eric Dumazet
2015-12-30 17:56       ` David Miller
2016-01-04  1:05     ` Sowmini Varadhan
2016-01-04  1:32       ` Stas Sergeev
2016-01-04 17:23       ` Stas Sergeev
2016-01-12 14:40   ` Stas Sergeev
2016-01-12 14:47     ` Sowmini Varadhan
2016-01-12 20:33       ` David Miller
2016-01-12 15:34 ` Hannes Frederic Sowa
2016-01-12 15:52   ` Hannes Frederic Sowa
2016-01-12 16:03     ` Stas Sergeev
2016-01-12 16:10       ` Hannes Frederic Sowa
2016-01-12 16:42         ` Stas Sergeev
2016-01-12 16:56           ` Stas Sergeev
2016-01-12 17:06             ` Hannes Frederic Sowa
2016-01-12 17:18               ` Stas Sergeev
2016-01-12 17:26                 ` Hannes Frederic Sowa
2016-01-12 17:33                   ` Stas Sergeev
2016-01-12 17:47                     ` Hannes Frederic Sowa
2016-01-12 20:43                       ` Stas Sergeev
2016-01-12 22:26                         ` Hannes Frederic Sowa
2016-01-12 22:57                           ` Stas Sergeev
2016-01-12 23:07                             ` Hannes Frederic Sowa
2016-01-13 12:59                               ` Stas Sergeev
2016-01-12 17:41                   ` Stas Sergeev
2016-01-12 15:57   ` Stas Sergeev
  -- strict thread matches above, loose matches on Subject: below --
2015-12-28 15:26 Stas Sergeev

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=56828000.9040703@list.ru \
    --to=stsp@list.ru \
    --cc=netdev@vger.kernel.org \
    --cc=sowmini.varadhan@oracle.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.