
Add Router and Prefix table limits.
Accepted, Public

Authored by bz on Dec 6 2019, 9:58 PM.

Details

Summary

Implement limit checks for ND6 default routers, and ND6 prefixes learnt.
This avoids easy attacks exhausting resources, e.g., memory.

Limits are only settable on the base system and not on a
per-VNET basis to avoid a VNET opening itself up as a target
for DoS taking the entire system down. Should there be a
need for per-VNET limits we can either do as frag6 and have
a system global maximum sum for all VNETs and a per-VNET
one, or we could implement a SYSCTL_PROC not allowing a VNET
to go beyond the global (per-VNET) limit.

In the end the goal here is to avoid a panic and not to provide
all possible counter measures. For some cases network
infrastructure could help a lot easier than we could with 100s
of lines of code.

PR: 157410
Sponsored by: Netflix (originally)

This is extracted from D22447.

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

sys/netinet6/nd6_rtr.c
1133

If we have an existing router dropping its preference (high -> low) in an "overflow" condition, we would update dr in the beginning but fail to maintain sort order for V_nd6_defrouter.

Can we restrict this check to dr == NULL use case?

Update (move sysctls to the top of the file).
Implement excluding dr pref updates from the resource limits as suggested by @melifaro.

bz marked an inline comment as done.Mar 4 2020, 7:17 PM
bz added inline comments.
sys/netinet6/nd6_rtr.c
1133

Sorry it took me so long to update this. Too much on the plate.

sys/netinet6/nd6_rtr.c
124

Sorry for commenting on it so late. There is a use case with a router and many IPv6 interfaces that I'd like to discuss.

As the size check is done in nd6_prelist_add(), it is traversed by both nd6_ra_input() and the SIOCAIFADDR_IN6 codepath. The latter may result in an inability to configure more than 64 IPv6-enabled interfaces by default.
Would it be possible to introduce some check (no expiration time?) that permits static configuration regardless of the variable value? Could you also consider something like nd6_ra_prefixes_max sysctl name, to indicate the review intent (DoS protection, but not the overall IPv6 limit)?

LGTM, if we can raise the default nd6_prefixes_max limit to a higher value (256, 1024), to avoid tweaking potentially existing setups.

This revision is now accepted and ready to land.Sep 3 2020, 9:50 PM
markj added inline comments.
sys/netinet6/nd6_rtr.c
108

Aren't these per-VNET limits?

124

Indeed, I think we should only apply the limit to prefixes added via router advertisements.

I believe expiration time cannot be used to determine whether to count the prefix against the limit, since there is nothing disallowing routers from advertising prefixes with infinite lifetimes. For now we could add a new NDPRF_ flag to indicate whether the prefix was generated from a router advertisement.

128

Extra newline.
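An added example, not code from the FreeBSD tree or from this revision, modelling the two points the review settles on: a preference update for an existing default router is never refused by the limit and the list stays sorted after it, and only prefixes learnt from router advertisements count against the prefix limit, so the ioctl path used for static interface configuration cannot be capped by it. The names defrouter_add, prelist_add, NDPRF_RA and the *_MAX constants are assumptions for illustration, not the kernel's identifiers, and the limits are deliberately tiny so the overflow case is reached.

```c
/*
 * Toy model of ND6 default-router / prefix table limits (added example,
 * not sys/netinet6/nd6_rtr.c).  All identifiers below are assumed.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ND6_DEFROUTERS_MAX 4	/* tiny on purpose: the limit is hit below */
#define ND6_PREFIXES_MAX   4
#define NDPRF_RA 0x01		/* assumed flag: prefix was learnt from an RA */

struct defrouter {
	char addr[40];
	int pref;		/* higher value = more preferred */
	struct defrouter *next;
};

struct prefix {
	char pfx[48];
	unsigned flags;
	struct prefix *next;
};

static struct defrouter *routers;	/* sorted by descending pref */
static unsigned nrouters;
static struct prefix *prefixes;
static unsigned nprefixes_ra;		/* only RA-learnt prefixes are counted */

/* Link dr in front of the first entry that is less preferred than it. */
static void
defrouter_link(struct defrouter *dr)
{
	struct defrouter **pp = &routers;

	while (*pp != NULL && (*pp)->pref >= dr->pref)
		pp = &(*pp)->next;
	dr->next = *pp;
	*pp = dr;
}

/* Returns 0 on success, -1 when the table is full, -2 on ENOMEM. */
int
defrouter_add(const char *addr, int pref)
{
	struct defrouter *dr, **pp;

	for (pp = &routers; (dr = *pp) != NULL; pp = &dr->next)
		if (strcmp(dr->addr, addr) == 0)
			break;
	if (dr != NULL) {
		/* Existing router: not a new entry, so never subject to the
		 * limit.  Unlink and relink so a high -> low change keeps
		 * the list sorted. */
		*pp = dr->next;
		dr->pref = pref;
		defrouter_link(dr);
		return (0);
	}
	if (nrouters >= ND6_DEFROUTERS_MAX)
		return (-1);	/* the resource-exhaustion case */
	if ((dr = calloc(1, sizeof(*dr))) == NULL)
		return (-2);
	snprintf(dr->addr, sizeof(dr->addr), "%s", addr);
	dr->pref = pref;
	defrouter_link(dr);
	nrouters++;
	return (0);
}

/* Only NDPRF_RA prefixes count; a static (ioctl) prefix is always taken. */
int
prelist_add(const char *pfx, unsigned flags)
{
	struct prefix *pr;

	if ((flags & NDPRF_RA) && nprefixes_ra >= ND6_PREFIXES_MAX)
		return (-1);
	if ((pr = calloc(1, sizeof(*pr))) == NULL)
		return (-2);
	snprintf(pr->pfx, sizeof(pr->pfx), "%s", pfx);
	pr->flags = flags;
	pr->next = prefixes;
	prefixes = pr;
	if (flags & NDPRF_RA)
		nprefixes_ra++;
	return (0);
}

/* Invariant checks. */
unsigned defrouter_count(void) { return (nrouters); }
const char *defrouter_first(void) { return (routers ? routers->addr : ""); }

bool
defrouter_sorted(void)
{
	for (struct defrouter *dr = routers; dr && dr->next; dr = dr->next)
		if (dr->pref < dr->next->pref)
			return (false);
	return (true);
}
```

The check sits after the "existing entry" branch so a router that merely changes preference is relinked rather than refused; putting the limit before that branch is exactly what would leave the list mis-sorted when the table is full.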