author: Dmitry Safonov <[email protected]> 2023-10-23 19:22:08 +0000
committer: David S. Miller <[email protected]> 2023-10-27 09:35:45 +0000
commit: 953af8e3acb68d2db11937cec3bc5da31de5c12e (patch)
tree: 2c56c02d543050285dd073b65827682066114e26 /net/lapb/lapb_out.c
parent: net/tcp: Add tcp_hash_fail() ratelimited logs (diff)
net/tcp: Ignore specific ICMPs for TCP-AO connections

Similarly to IPsec, RFC5925 prescribes:
  ">> A TCP-AO implementation MUST default to ignore incoming ICMPv4
  messages of Type 3 (destination unreachable), Codes 2-4 (protocol
  unreachable, port unreachable, and fragmentation needed -- ’hard
  errors’), and ICMPv6 Type 1 (destination unreachable), Code 1
  (administratively prohibited) and Code 4 (port unreachable) intended
  for connections in synchronized states (ESTABLISHED, FIN-WAIT-1,
  FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT) that match MKTs."

A selftest (later in patch series) verifies that this attack is not
possible in this TCP-AO implementation.

Co-developed-by: Francesco Ruggeri <[email protected]>
Signed-off-by: Francesco Ruggeri <[email protected]>
Co-developed-by: Salam Noureddine <[email protected]>
Signed-off-by: Salam Noureddine <[email protected]>
Signed-off-by: Dmitry Safonov <[email protected]>
Acked-by: David Ahern <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

Diffstat (limited to 'net/lapb/lapb_out.c')
0 files changed, 0 insertions, 0 deletions