ipv6: add option to drop unicast encapsulated in L2 multicast

In order to solve a problem with 802.11, the so-called hole-196 attack,
add an option (sysctl) called "drop_unicast_in_l2_multicast" which, if
enabled, causes the stack to drop IPv6 unicast packets encapsulated in
link-layer multi- or broadcast frames. Such frames can (as an attack)
be created by any member of the same wireless network and transmitted
as valid encrypted frames since the symmetric key for broadcast frames
is shared between all stations.

Reviewed-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index a53bbfaff1c7488b0893d724965e8bc1a9a28fbf..e0e7350a4e6a9b37f49bac6db0e3332d27bb7ecd 100644 (file)
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1674,6 +1674,12 @@ stable_secret - IPv6 address
 
        By default the stable secret is unset.
 
+drop_unicast_in_l2_multicast - BOOLEAN
+       Drop any unicast IPv6 packets that are received in link-layer
+       multicast (or broadcast) frames.
+
+       By default this is turned off.
+
 icmp/*:
 ratelimit - INTEGER
        Limit the maximal rates for sending ICMPv6 packets.

diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index 402753bccafa37b4ec1e597902f608548fbdbd22..4a4c1ae826cbcbea916e62a575b959014329de0e 100644 (file)
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -50,6 +50,7 @@ struct ipv6_devconf {
        __s32           mc_forwarding;
 #endif
        __s32           disable_ipv6;
+       __s32           drop_unicast_in_l2_multicast;
        __s32           accept_dad;
        __s32           force_tllao;
        __s32           ndisc_notify;

diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h
index 38b4fef20219242fad287c0379e5ff58b7dedcea..4c413570efe8ddfafc30c40e3f1c429f421aeb08 100644 (file)
--- a/include/uapi/linux/ipv6.h
+++ b/include/uapi/linux/ipv6.h
@@ -174,6 +174,7 @@ enum {
        DEVCONF_USE_OIF_ADDRS_ONLY,
        DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT,
        DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN,
+       DEVCONF_DROP_UNICAST_IN_L2_MULTICAST,
        DEVCONF_MAX
 };
 

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 38eeddedfc21baa843b315d720cc94a28b6af605..23e325f39f8e99d5e9f6ba16c13ee2ee3e2eef97 100644 (file)
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -4711,6 +4711,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf,
        array[DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN] = cnf->ignore_routes_with_linkdown;
        /* we omit DEVCONF_STABLE_SECRET for now */
        array[DEVCONF_USE_OIF_ADDRS_ONLY] = cnf->use_oif_addrs_only;
+       array[DEVCONF_DROP_UNICAST_IN_L2_MULTICAST] = cnf->drop_unicast_in_l2_multicast;
 }
 
 static inline size_t inet6_ifla6_size(void)
@@ -5784,6 +5785,13 @@ static struct addrconf_sysctl_table
                        .mode           = 0644,
                        .proc_handler   = addrconf_sysctl_ignore_routes_with_linkdown,
                },
+               {
+                       .procname       = "drop_unicast_in_l2_multicast",
+                       .data           = &ipv6_devconf.drop_unicast_in_l2_multicast,
+                       .maxlen         = sizeof(int),
+                       .mode           = 0644,
+                       .proc_handler   = proc_dointvec,
+               },
                {
                        /* sentinel */
                }

diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index 9075acf081dda32e30185886714f34f61b0b1f7d..31ac3c56da4ba16f806d4ef234de7599f25a265c 100644 (file)
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -134,6 +134,16 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
            IPV6_ADDR_MC_SCOPE(&hdr->daddr) == 1)
                goto err;
 
+       /* If enabled, drop unicast packets that were encapsulated in link-layer
+        * multicast or broadcast to protected against the so-called "hole-196"
+        * attack in 802.11 wireless.
+        */
+       if (!ipv6_addr_is_multicast(&hdr->daddr) &&
+           (skb->pkt_type == PACKET_BROADCAST ||
+            skb->pkt_type == PACKET_MULTICAST) &&
+           idev->cnf.drop_unicast_in_l2_multicast)
+               goto err;
+
        /* RFC4291 2.7
         * Nodes must not originate a packet to a multicast address whose scope
         * field contains the reserved value 0; if such a packet is received, it