Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Need to shield the module from malformed packets further. #40

Closed
ydahhrk opened this issue May 14, 2013 · 4 comments
Closed

Need to shield the module from malformed packets further. #40

ydahhrk opened this issue May 14, 2013 · 4 comments
Assignees
@ydahhrk
Milestone
3.0.1 (First stable)

Comments

@ydahhrk
Copy link
Member

ydahhrk commented May 14, 2013

Test case ID: N/A
Date: 2013/05/14
OS: N/A
Tester: AL
Error module: core, translate_packet
Description: Considering we'll eventually have to skip the kernel's packet defragmentation module, our validation routines are too weak. In order to avoid wild pointers, we'll have to ensure the next and length fields are consistent both in network and transport headers.
Observations: These validations need to be applied to ICMP inner packets too.
@ghost ghost assigned ydahhrk May 14, 2013
ydahhrk added a commit that referenced this issue May 16, 2013
@ydahhrk
Strengthening validations (issue #40).
cc87e95 
Done validating outer packets. Still have a ways to go for inner ones.
@magg
Copy link
Contributor

magg commented May 21, 2013

Dude,

Why are you skipping the kernel's packet defragmentation function?

You could grab packets with the NF_INET_LOCAL_IN hook and receive only defragmented packets... or use conntrack but it seems it got removed... :(

@ydahhrk
Copy link
Member Author

ydahhrk commented May 22, 2013

Because if the kernel reassembles the fragments for us, we lose the MTU computed during path MTU discovery. And that means we won't know the ideal fragment size when we need to refragment the packet. If the NAT64 picks an incorrect MTU, it could become a black hole.
IPv6 routers don't do fragmentation anyway (the NAT64 is a router), which means any reassembled packet from an incoming IPv4 interface would invariably be discarded as soon as it reaches IPv6 and needs to be fragmented.
I'm assuming these are the reasons why RFC 6146 never suggests the NAT64 should reassemble fragments (Except from zero-checksum UDP fragments). It says "translate all fragments at the same time", which is different.

ydahhrk added a commit that referenced this issue May 22, 2013
@ydahhrk
Issues #38 and #40.
5e845e7 
- The NAT64 now validates inner packets.
- The NAT64 now drops ICMP inside ICMP. This will be fixed in
future iterations.
@ydahhrk ydahhrk closed this as completed May 22, 2013
@magg
Copy link
Contributor

magg commented May 27, 2013

I always thought PMTUD was meant to avoid fragmentation...

source: http://packetlife.net/blog/2008/aug/18/path-mtu-discovery/

@ydahhrk
Copy link
Member Author

ydahhrk commented May 27, 2013

Yup, my mistake; sorry.
But the IPv4-reassembled -> IPv6-refragment problem remains.
Since this issue is a little unrelated, I've opened a new one. Please continue the discussion in issue #59.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ydahhrk ydahhrk

Labels
None yet
Projects
None yet
Milestone
3.0.1 (First stable)
Development

No branches or pull requests
2 participants
@magg @ydahhrk