
Re: Limit the number of Router Advertisements processed on an interface



Does a Linux machine know that a Router Advertisement didn't come from a default router?

I tried to send 2 RA packets using Scapy with the destination as ff02::1. One packet I sent using the source address of the default router, while the other using a lower LLA.

The default routes were not generated. How did Linux figure it out? Is there a way to know the errors that were hit? I don't know where the "ND_PRINTK" outputs go for the function "ndisc_router_discovery". How do I enable tracing for ND prints? I looked into "dmesg" but there were no logs there.


Dheeraj

On Wed, Jun 15, 2022 at 12:27 PM Dheeraj Kandula <dkandula@gmail.com> wrote:
Thanks Marc.  This is a requirement.

Thus I will conclude that the kernel doesn't limit the number of RAs. I have to figure out a way to do this from user space.

Dheeraj

On Wed, Jun 15, 2022 at 11:49 AM Marc Haber <mh+debian-ipv6@zugschlus.de> wrote:
On Wed, Jun 15, 2022 at 10:23:18AM -0400, Dheeraj Kandula wrote:
> This is to avoid DoS attacks using RAs from being bombarded onto a Linux
> machine.

You have malicious users on your LAN and cannot do anything against
them?

(RAs are link local communication and should not pass over routers,
thus, RAs must originate in the local network).

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
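
An added example, not part of the thread and not kernel code: a user-space sketch of the two decisions discussed above, the RFC 4861 section 6.1.2 receive checks that make a host discard an RA, and a per-interface limit on how many valid RAs are processed. The names `ra_is_valid`, `RaLimiter` and `classify` and the sample packet are constructed for illustration; capturing the RAs and enforcing the verdict are assumed to happen elsewhere.

```python
import ipaddress
import struct

ICMPV6_RA = 134      # Router Advertisement message type (RFC 4861)
RA_FIXED_LEN = 16    # octets in an RA before any options

# Constructed sample: RA with cur hop limit 64, router lifetime 1800 s, no options.
SAMPLE_RA = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)


def ra_is_valid(src, hop_limit, icmp):
    """RFC 4861 section 6.1.2 receive checks (ICMPv6 checksum check omitted)."""
    if len(icmp) < RA_FIXED_LEN or icmp[0] != ICMPV6_RA or icmp[1] != 0:
        return False
    if hop_limit != 255:          # a forwarded packet cannot arrive with 255
        return False
    if not ipaddress.IPv6Address(src).is_link_local:
        return False
    off = RA_FIXED_LEN
    while off < len(icmp):        # every option needs a non-zero length
        if off + 2 > len(icmp):
            return False
        opt_len = icmp[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp):
            return False
        off += opt_len
    return True


class RaLimiter:
    """Token bucket per interface: `rate` RAs per second, bursts up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self.buckets = {}         # ifname -> (tokens, timestamp of last RA)

    def allow(self, ifname, now):
        tokens, last = self.buckets.get(ifname, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.buckets[ifname] = (tokens - 1.0 if allowed else tokens, now)
        return allowed


def classify(limiter, ifname, src, hop_limit, icmp, now):
    """Return 'invalid', 'rate-limited' or 'accept' for one received RA."""
    if not ra_is_valid(src, hop_limit, icmp):
        return "invalid"
    return "accept" if limiter.allow(ifname, now) else "rate-limited"
```

Validation runs before the bucket is charged, so malformed or off-link RAs cannot use up the budget meant for legitimate ones.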

