
IPv6 equivalent of secure_redirects



Hi All,
In IPv4, while validating received ICMPv4 redirects, we use secure_redirects.

When set to 1, the destination router suggested in the redirect message should be one of the default gateways known to the host.

net.ipv4.conf.all.secure_redirects = 1

Is there an equivalent one for IPv6? I couldn't find one.

Also, is there a check if the source from which the ICMP redirect is sent is known to us or not?

I came across the function isatap_chksrc in the net/ipv6/sit.c file. Do the following lines of code ensure that the source is known to the host that received the redirect, or are they part of the tunneling code?

	if (p) {
		if (p->flags & PRL_DEFAULT)
			skb->ndisc_nodetype = NDISC_NODETYPE_DEFAULT;
		else
			skb->ndisc_nodetype = NDISC_NODETYPE_NODEFAULT;
	} else {
		const struct in6_addr *addr6 = &ipv6_hdr(skb)->saddr;

		if (ipv6_addr_is_isatap(addr6) &&
		    (addr6->s6_addr32[3] == iph->saddr) &&
		    ipv6_chk_prefix(addr6, t->dev))
			skb->ndisc_nodetype = NDISC_NODETYPE_HOST;
		else
			ok = 0;
	}

Dheeraj
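
An added example, not part of the original message or of the kernel source: a shell function that lists the redirect-related sysctl entries for each interface and probes whether a secure_redirects file exists under the IPv6 tree of the running kernel. The names audit_redirects, read_knob and make_sample_tree and the REVIEW / NO_KNOB labels are chosen here, and the sample tree values are constructed.

```shell
#!/bin/sh
# Added example: list redirect-related sysctl entries per interface.
# Raw per-entry values only; how the kernel combines "all" with the
# per-interface entry is not modelled.

# read_knob FILE: print the value, or "absent" when the file does not exist
read_knob() {
    if [ -r "$1" ]; then cat "$1"; else echo absent; fi
}

# audit_redirects [ROOT]: ROOT defaults to /proc/sys/net.
# Returns 1 if any entry accepts redirects with secure_redirects set to 0.
audit_redirects() {
    root=${1:-/proc/sys/net}
    rc=0
    for fam in ipv4 ipv6; do
        for dir in "$root/$fam"/conf/*; do
            [ -d "$dir" ] || continue
            acc=$(read_knob "$dir/accept_redirects")
            sec=$(read_knob "$dir/secure_redirects")
            note=ok
            if [ "$acc" = 1 ]; then
                case $sec in
                    1) ;;                       # restricted to known gateways
                    absent) note=NO_KNOB ;;     # no such sysctl in this tree
                    *) note=REVIEW; rc=1 ;;     # accepted without that check
                esac
            fi
            echo "$fam ${dir##*/} accept_redirects=$acc secure_redirects=$sec $note"
        done
    done
    return $rc
}

# make_sample_tree DIR: constructed values for a dry run, not from a real host
make_sample_tree() {
    mkdir -p "$1/ipv4/conf/all" "$1/ipv4/conf/eth0" "$1/ipv6/conf/eth0"
    echo 1 > "$1/ipv4/conf/all/accept_redirects"
    echo 1 > "$1/ipv4/conf/all/secure_redirects"
    echo 1 > "$1/ipv4/conf/eth0/accept_redirects"
    echo 0 > "$1/ipv4/conf/eth0/secure_redirects"
    echo 1 > "$1/ipv6/conf/eth0/accept_redirects"
}
```

Call audit_redirects with no argument to read the live values under /proc/sys/net, or pass the directory created by make_sample_tree for a dry run.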