Forum: >>> Magnum BBS <<<

IPv6 equivalent of secure_redirects

From Dheeraj Kandula@21:1/5 to All on Thu Jun 16 16:50:01 2022

Hi All,
In IPv4, while validating received ICMPv4 redirects, we use secure_redirects.

When set to 1, the destination router suggested in the redirect message
should be one of the default gateways known to the host.

net.ipv4.conf.all.secure_redirects = 1

*Is there an equivalent one for IPv6? I couldn't find one. *

Also, *is there a check if the source from which the ICMP redirect is sent
is known to us or not.*

I came across the function isatap_chksrc code in net/ipv6/sit.c file. The following lines of code do they ensure that the source is known to the host that received the redirect, or is it part of tunneling code.

if (p) {
if (p->flags & PRL_DEFAULT <https://elixir.bootlin.com/linux/v5.10.122/C/ident/PRL_DEFAULT>)
skb->ndisc_nodetype <https://elixir.bootlin.com/linux/v5.10.122/C/ident/ndisc_nodetype> = NDISC_NODETYPE_DEFAULT <https://elixir.bootlin.com/linux/v5.10.122/C/ident/NDISC_NODETYPE_DEFAULT>;
else
skb->ndisc_nodetype <https://elixir.bootlin.com/linux/v5.10.122/C/ident/ndisc_nodetype> = NDISC_NODETYPE_NODEFAULT <https://elixir.bootlin.com/linux/v5.10.122/C/ident/NDISC_NODETYPE_NODEFAULT>;
} else {
const struct in6_addr <https://elixir.bootlin.com/linux/v5.10.122/C/ident/in6_addr> *addr6 <https://elixir.bootlin.com/linux/v5.10.122/C/ident/addr6> = &ipv6_hdr <https://elixir.bootlin.com/linux/v5.10.122/C/ident/ipv6_hdr>(skb)->saddr <https://elixir.bootlin.com/linux/v5.10.122/C/ident/saddr>;

if (ipv6_addr_is_isatap <https://elixir.bootlin.com/linux/v5.10.122/C/ident/ipv6_addr_is_isatap>(addr6 <https://elixir.bootlin.com/linux/v5.10.122/C/ident/addr6>) &&
(addr6 <https://elixir.bootlin.com/linux/v5.10.122/C/ident/addr6>->s6_addr32
<https://elixir.bootlin.com/linux/v5.10.122/C/ident/s6_addr32>[3] ==
iph <https://elixir.bootlin.com/linux/v5.10.122/C/ident/iph>->saddr <https://elixir.bootlin.com/linux/v5.10.122/C/ident/saddr>) &&
ipv6_chk_prefix <https://elixir.bootlin.com/linux/v5.10.122/C/ident/ipv6_chk_prefix>(addr6 <https://elixir.bootlin.com/linux/v5.10.122/C/ident/addr6>, t->dev))
skb->ndisc_nodetype <https://elixir.bootlin.com/linux/v5.10.122/C/ident/ndisc_nodetype> = NDISC_NODETYPE_HOST <https://elixir.bootlin.com/linux/v5.10.122/C/ident/NDISC_NODETYPE_HOST>;
else
ok <https://elixir.bootlin.com/linux/v5.10.122/C/ident/ok> = 0;
}

Dheeraj

<div dir="ltr"><div>Hi All,</div><div> In IPv4, while validating received ICMPv4 redirects, we use secure_redirects. </div><div> </div><div>When set to 1, the destination router suggested in the redirect message should be one of the
default gateways known to the host.</div><div> </div><div>net.ipv4.conf.all.secure_redirects = 1</div><div> </div><div>Is there an equivalent one for IPv6? I couldn't find one. </div><div> </div><div>Also, is there a check if
the source from which the ICMP redirect is sent is known to us or not. </div><div> </div><div>I came across the function isatap_chksrc code in net/ipv6/sit.c file. The following lines
of code do they ensure that the source is known to the host that received the redirect, or is it part of tunneling code.</div><div> </div><div><pre>if (p) {
if (p->flags & <a href="https://elixir.bootlin.
com/linux/v5.10.122/C/ident/PRL_DEFAULT">PRL_DEFAULT</a>)
skb-><a href="https://elixir.bootlin.com/linux/v5.10.122/C/ident/ndisc_nodetype">ndisc_nodetype</a> = <a href="
https://elixir.bootlin.com/linux/v5.10.122/C/ident/NDISC_NODETYPE_DEFAULT">NDISC_NODETYPE_DEFAULT</a>;
else
skb-><a href="https://elixir.bootlin.com/linux/v5.10.122/C/ident/ndisc_nodetype">ndisc_nodetype</a> = <a href="
https://elixir.bootlin.com/linux/v5.10.122/C/ident/NDISC_NODETYPE_NODEFAULT">NDISC_NODETYPE_NODEFAULT</a>;
} else {
const struct <a href="https://elixir.bootlin.com/linux/v5.10.122/C/ident/in6_addr">in6_addr</a> *<a href="https://
elixir.bootlin.com/linux/v5.10.122/C/ident/addr6">addr6</a> = &<a href="https://elixir.bootlin.com/linux/v5.10.122/C/ident/ipv6_hdr">ipv6_hdr</a>(skb)-><a href="https://elixir.bootlin.com/linux/v5.10.122/C/ident/saddr">saddr</a>;

if (<a href="https://elixir.bootlin.com/linux/v5.10.122/C/ident/ipv6_addr_is_isatap">ipv6_addr_is_isatap</a>(<a
href="https://elixir.bootlin.com/linux/v5.10.122/C/ident/addr6">addr6</a>) &&
(<a href="https://elixir.bootlin.com/linux/v5.10.122/C/ident/addr6">addr6</a>-><a href="https://elixir.bootlin.com/linux/v5.10.122/C/
ident/s6_addr32">s6_addr32</a>[3] == <a href="https://elixir.bootlin.com/linux/v5.10.122/C/ident/iph">iph</a>
-><a href="https://elixir.bootlin.com/linux/v5.10.122/C/ident/saddr">saddr</a>) &&
<a href="https://elixir.bootlin.com/linux/v5.10.122/C/ident/ipv6_chk_prefix">ipv6_chk_prefix</a>(<a href="https://elixir.bootlin.com/linux/v5.10.122/C/ident/addr6">
addr6</a>, t->dev))
skb-><a href="https://elixir.bootlin.com/linux/v5.10.122/C/ident/ndisc_nodetype">ndisc_nodetype</a> = <a href="
https://elixir.bootlin.com/linux/v5.10.122/C/ident/NDISC_NODETYPE_HOST">NDISC_NODETYPE_HOST</a>;
else
<a href="https://elixir.bootlin.com/linux/v5.10.122/C/ident/ok">ok</a> = 0;
} </pre></div><div>Dheeraj </div><div> </div></div>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Who's Online
Recent Visitors
- Thlc
  Sat Sep 13 17:11:34 2025
  from Rognac, France via Telnet
- Thlc
  Sat Sep 13 17:04:03 2025
  from Rognac, France via Telnet
- Thlc
  Sat Sep 13 16:32:19 2025
  from Rognac, France via SSH
- Thlc
  Sat Sep 13 15:41:11 2025
  from Rognac, France via SSH
- Thlc
  Sat Sep 13 07:56:03 2025
  from Rognac, France via SSH
- Gretchiie
  Sat Sep 13 07:22:10 2025
  from Derry, Nh via Telnet
- Thlc
  Sat Sep 13 06:57:56 2025
  from Rognac, France via SSH
- Thlc
  Sat Sep 13 06:47:28 2025
  from Rognac, France via SSH

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	546
Nodes:	16 (2 / 14)
Uptime:	148:41:32
Calls:	10,383
Calls today:	8
Files:	14,054
D/L today:	2 files (1,861K bytes)
Messages:	6,417,759

IPv6 equivalent of secure_redirects

Who's Online

Recent Visitors

System Info