From: Tom Herbert <t...@quantonium.net>
Date: Mon, 30 Oct 2017 14:16:00 -0700

> RFC 8200 (IPv6) defines Hop-by-Hop options and Destination options
> extension headers. Both of these carry a list of TLVs which is
> only limited by the maximum length of the extension header (2048
> bytes). By the spec a host must process all the TLVs in these
> options, however these could be used as a fairly obvious
> denial of service attack. I think this could in fact be
> a significant DOS vector on the Internet, one mitigating
> factor might be that many FWs drop all packets with EH (and
> obviously this is only IPv6) so an Internet wide attack might not
> be so effective (yet!).
 ...
> This patch adds configurable limits to Destination and Hop-by-Hop
> options. There are three limits that may be set:
>   - Limit the number of options in a Hop-by-Hop or Destination options
>     extension header.
>   - Limit the byte length of a Hop-by-Hop or Destination options
>     extension header.
>   - Disallow unrecognized options in a Hop-by-Hop or Destination
>     options extension header.
> 
> The limits are set in corresponding sysctls:
> 
>   ipv6.sysctl.max_dst_opts_cnt
>   ipv6.sysctl.max_hbh_opts_cnt
>   ipv6.sysctl.max_dst_opts_len
>   ipv6.sysctl.max_hbh_opts_len
 ...
> Signed-off-by: Tom Herbert <t...@quantonium.net>

Applied to net-next, let's see how this goes.

Thanks.
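The three limits listed in the quoted commit message, sketched as a user-space C check over one Hop-by-Hop or Destination options header. This is an added example, not code from the patch or the kernel; `struct opt_limits`, `check_opts`, the `OPTS_*` codes, the set of recognized options and the choice not to count padding are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical limits for this example; not the kernel's sysctl layout. */
struct opt_limits {
    size_t max_len;     /* max byte length of the options extension header */
    int max_cnt;        /* max number of non-padding options */
    int reject_unknown; /* nonzero: reject any unrecognized option */
};

enum { OPTS_MALFORMED = -1, OPTS_TOO_LONG = -2, OPTS_TOO_MANY = -3,
       OPTS_UNKNOWN = -4 };

/* Options this example treats as recognized: Router Alert and Jumbo Payload. */
static int known_option(uint8_t type) { return type == 0x05 || type == 0xC2; }

/* Constructed sample: Hdr Ext Len 0 (8 bytes), Router Alert, then PadN. */
static const uint8_t sample_hbh[8] = { 59, 0, 0x05, 0x02, 0, 0, 0x01, 0x00 };

/* Returns the number of non-padding options, or a negative OPTS_* code. */
int check_opts(const uint8_t *hdr, size_t avail, const struct opt_limits *lim)
{
    if (avail < 8)
        return OPTS_MALFORMED;
    size_t total = ((size_t)hdr[1] + 1) * 8;  /* Hdr Ext Len is in 8-byte units */
    if (total > avail)
        return OPTS_MALFORMED;
    if (total > lim->max_len)                 /* length limit, before any TLV work */
        return OPTS_TOO_LONG;
    int cnt = 0;
    for (size_t off = 2; off < total; ) {
        uint8_t type = hdr[off];
        if (type == 0x00) {                   /* Pad1: a single byte, no length */
            off++;
            continue;
        }
        if (off + 2 > total || off + 2 + hdr[off + 1] > total)
            return OPTS_MALFORMED;            /* TLV runs past the header */
        if (type != 0x01) {                   /* PadN is not counted (assumption) */
            if (++cnt > lim->max_cnt)
                return OPTS_TOO_MANY;
            if (lim->reject_unknown && !known_option(type))
                return OPTS_UNKNOWN;
        }
        off += 2 + (size_t)hdr[off + 1];
    }
    return cnt;
}
```

The length check runs before the TLV walk, so a header over the byte limit is rejected in constant time, and the count check stops the walk as soon as the limit is exceeded.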
