You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It would be nice to add an option in NPF allowing to drop packets with IPv4/IPv6 options. This is an important yet missing feature, and IPv4/IPv6 options are a significant problem in network security.
The point is that IPv4/IPv6 options are big enablers when it comes to exploitation: they are hard to parse (that is the parser can easily be buggy), and they allow to push the actual payload farther in the mbuf, in a way that makes it a lot easier to exploit buffer overflows.
Two years ago I wrote a patch for that using BPF. Unfortunately I realized it wasn't correct, because when a connection already exists NPF does a pass-through of the packet without applying BPF rules, meaning that the subsequent TCP packets in the stream could have IPv4/IPv6 options and NPF would accept them.
Patch Suggestion
Probably the correct way to proceed is using npf-params, with ip4.drop_options and ip6.drop_options, along the lines of:
/* Retrieve the complete header. */
if ((u_int)(ip->ip_hl << 2) < sizeof(struct ip)) {
return NPC_FMTERR;
}
+ if (npf->ip4_drop_options && (ip->ip_hl != 5)) {
+ return NPC_FMTERR;
+ }
ip = nbuf_ensure_contig(nbuf, (u_int)(ip->ip_hl << 2));
if (ip == NULL) {
return NPC_FMTERR;
}
case IPPROTO_HOPOPTS:
case IPPROTO_DSTOPTS:
case IPPROTO_ROUTING:
+ if (npf->ip6_drop_options) {
+ return NPC_FMTERR;
+ }
hlen = (ip6e->ip6e_len + 1) << 3;
break;
By default I think that IPv4/IPv6 options should be dropped, like PF does.
The text was updated successfully, but these errors were encountered:
Adding ip4.drop_options and ip6.drop_options parameters sounds good. The user should also be able to do rule-based filtering of options, but that is a separate patch.
I'd swap the checks in the first patch fragment, i.e.: if (ip->ip_hl != 5 && npf->ip4_drop_options) ...
Not sure about dropping by default; there are still couple useful options. I would say let's introduce the parameters with defaults being "off" and then initiate a discussion on NetBSD tech-net. Based on the feedback, we can then decide to flip the defaults from "off" to "on".
Description
It would be nice to add an option in NPF allowing to drop packets with IPv4/IPv6 options. This is an important yet missing feature, and IPv4/IPv6 options are a significant problem in network security.
The point is that IPv4/IPv6 options are big enablers when it comes to exploitation: they are hard to parse (that is the parser can easily be buggy), and they allow to push the actual payload farther in the mbuf, in a way that makes it a lot easier to exploit buffer overflows.
Two years ago I wrote a patch for that using BPF. Unfortunately I realized it wasn't correct, because when a connection already exists NPF does a pass-through of the packet without applying BPF rules, meaning that the subsequent TCP packets in the stream could have IPv4/IPv6 options and NPF would accept them.
Patch Suggestion
Probably the correct way to proceed is using npf-params, with
ip4.drop_options
andip6.drop_options
, along the lines of:By default I think that IPv4/IPv6 options should be dropped, like PF does.
The text was updated successfully, but these errors were encountered: