ipoe: implement some rfc3046 specifications #106
Open

louis-6wind wants to merge 8 commits into accel-ppp:master from louis-6wind:trust-agent-info
Conversation
RFC3046 says:

> The Relay Agent Information option [82] echoed by a server MUST be removed
> by either the relay agent or the trusted downstream network element
> which added it when forwarding a server-to-client response back to
> the client.

985cb9f ("ipoe: dhcpv4: echo back opt82 if sent by client/unknown relay per rfc3046") was supposed to implement this requirement. However, it does not work because dhcpv4_relay_send() modifies the original incoming request before relaying it.

Fix the requirement conformity by working on a copy of the original request in dhcpv4_relay_send().

Tested with the dhtest tool with and without an option 82:

> ./dhtest -i ens3
> ./dhtest -c 82,hex,010876786c312e31313102104147454e542d52454d4f54452d49443105040a0f4002 -i ens3

Fixes: 985cb9f ("ipoe: dhcpv4: echo back opt82 if sent by client/unknown relay per rfc3046")
Link: https://www.rfc-editor.org/rfc/rfc3046.html#section-2.1
Link: https://github.com/saravana815/dhtest
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

RFC3046 distinguishes "trusted" and "untrusted" circuits from which a DHCP request can come:

> The mechanisms for distinguishing between "trusted" and "untrusted"
> circuits are specific to the type of circuit termination equipment,
> and may involve local administration. For example, a Cable Modem
> Termination System may consider upstream packets from most cable
> modems as "untrusted", but an ATM switch terminating VCs switched
> through a DSLAM may consider such VCs as "trusted" and accept a relay
> agent option added by the DSLAM.

Add a global and per-interface trusted-circuit configuration option to define whether the agent information, such as the giaddr and the option 82, in incoming DHCP requests should be trusted.

Security will be enforced in the next commits on untrusted interfaces.

Default the value to 1 (trust) to keep the current behavior.

Link: https://www.rfc-editor.org/rfc/rfc3046.html#section-2.1
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

DHCP clients must send DHCP requests with a giaddr set to 0. giaddr must only be set by a relay agent.

Discard client-to-server DHCP packets with a non-zero giaddr received on an interface on which the agent information values are untrusted.

Tested with:

> ./dhtest --giaddr 10.66.252.247 -i ens3

Got:

> Aug 31 17:36:12 DHCP-RELAY accel-pppd[345]: recv discarded - giaddr recvd on untrusted circuit [DHCPv4 Discover xid=40690d12 giaddr=10.66.252.247 chaddr=0c:be:37:a4:00:00 <Message-Type Discover> <Request-List Subnet,Broadcast,Router,Domain-Name,DNS>]

Link: https://www.rfc-editor.org/rfc/rfc2131#page-37
Link: https://github.com/saravana815/dhtest
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

RFC3046 about the DHCP option 82 says:

> Relay agents receiving a DHCP packet from an untrusted circuit with
> giaddr set to zero (indicating that they are the first-hop router)
> but with a Relay Agent Information option already present in the
> packet SHALL discard the packet and increment an error count.

Discard client-to-server DHCP packets containing the option 82 received on an interface on which the agent information values are untrusted.

Tested with:

> ./dhtest -c 82,hex,010876786c312e31313102104147454e542d52454d4f54452d49443105040a0f4002 -i ens3

Got:

> Aug 31 17:40:17 DHCP-RELAY accel-ppp[345]: recv discarded - option 82 recvd on untrusted circuit [DHCPv4 Discover xid=59e1ef0e chaddr=0c:be:37:a4:00:00 <Message-Type Discover> <Request-List Subnet,Broadcast,Router,Domain-Name,DNS> <Relay-Agent {Agent-Circuit-ID vxl1.111} {Agent-Remote-ID AGENT-REMOTE-ID1} {Link-Selection 10.15.64.2}>]

Link: https://www.rfc-editor.org/rfc/rfc3046.html#section-2.1
Link: https://github.com/saravana815/dhtest
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

RFC3046 says:

> Relay agents configured to add a Relay Agent option which receive a
> client DHCP packet with a nonzero giaddr SHALL discard the packet if
> the giaddr spoofs a giaddr address implemented by the local agent
> itself.

Discard incoming DHCP requests that spoof giaddr if the Relay Agent option 82 is configured.

Tested with a spoofed giaddr and trusted-circuit=1 in config:

> ./dhtest --giaddr 10.66.252.247 -i ens3

Link: https://www.rfc-editor.org/rfc/rfc3046.html#section-2.1.1
Link: https://github.com/saravana815/dhtest
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

RFC3046 says:

> [...] the relay agent SHALL forward any received DHCP packet
> with a valid non-zero giaddr WITHOUT adding any relay agent options.

Do not add relay agent option 82 if giaddr is set.

Tested with a spoofed giaddr, link-selection=1.1.1.1 and trusted-circuit=1 in config:

> ./dhtest --giaddr 10.66.252.247 -i ens3

Link: https://www.rfc-editor.org/rfc/rfc3046.html#section-2.1.1
Link: https://github.com/saravana815/dhtest
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>

RFC3046 says:

> [...] the relay agent SHALL forward any received DHCP packet
> with a valid non-zero giaddr WITHOUT adding any relay agent options.
> Per RFC 2131, it shall also NOT modify the giaddr value.

Do not replace a valid giaddr.

Tested with a spoofed giaddr and trusted-circuit=1 in config:

> ./dhtest --giaddr 10.66.252.247 -i ens3

Link: https://www.rfc-editor.org/rfc/rfc3046.html#section-2.1.1
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
Add trusted-circuit documentation

Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
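The relay-agent ingress rules these commits describe (untrusted-circuit giaddr and option 82 checks, the local-giaddr spoof check, and forwarding a valid giaddr without adding options) collected into one decision function with a bounds-checked option 82 scanner. This is an added example, not accel-ppp code: the enum, function and sample names are hypothetical, the giaddr values are the ones from the tests quoted above (10.66.252.247 and 10.15.64.2), and the option bytes are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names; not accel-ppp's own types or functions. */
enum relay_action {
	RELAY_FORWARD_ADD_OPT82,     /* we are the first hop: insert option 82 */
	RELAY_FORWARD_AS_IS,         /* valid upstream giaddr: add nothing, rewrite nothing */
	RELAY_DROP_GIADDR_UNTRUSTED, /* nonzero giaddr on an untrusted circuit */
	RELAY_DROP_OPT82_UNTRUSTED,  /* option 82 already present on an untrusted circuit */
	RELAY_DROP_GIADDR_SPOOFED    /* giaddr equals this relay's own giaddr */
};

/* Walk a DHCPv4 options field (bytes after the magic cookie) for option 82.
 * PAD (0) has no length byte, END (255) ends the walk, a truncated option stops the scan. */
static bool has_relay_agent_option(const uint8_t *opts, size_t len)
{
	size_t i = 0;
	while (i < len) {
		uint8_t code = opts[i++];
		if (code == 0) continue;            /* PAD */
		if (code == 255 || i >= len) break; /* END, or no room for a length byte */
		uint8_t olen = opts[i++];
		if (i + olen > len) break;          /* truncated body: never read past the buffer */
		if (code == 82) return true;
		i += olen;
	}
	return false;
}

/* Ingress decision for one client-to-server packet. trusted is the circuit's trusted-circuit
 * setting, add_opt82 says whether this relay inserts option 82, local_giaddr is the relay's own. */
static enum relay_action relay_ingress_policy(bool trusted, bool add_opt82,
		uint32_t local_giaddr, uint32_t giaddr,
		const uint8_t *opts, size_t optlen)
{
	if (!trusted && giaddr != 0) return RELAY_DROP_GIADDR_UNTRUSTED;          /* RFC 2131: clients send giaddr 0 */
	if (!trusted && has_relay_agent_option(opts, optlen)) return RELAY_DROP_OPT82_UNTRUSTED; /* RFC 3046 2.1 */
	if (add_opt82 && giaddr != 0 && giaddr == local_giaddr) return RELAY_DROP_GIADDR_SPOOFED; /* RFC 3046 2.1.1 */
	if (giaddr != 0 || !add_opt82) return RELAY_FORWARD_AS_IS;               /* RFC 3046 2.1.1: keep giaddr, no options */
	return RELAY_FORWARD_ADD_OPT82;
}

/* Constructed samples: Message-Type Discover, the first one also carrying option 82 with Agent-Circuit-ID "ab". */
static const uint8_t SAMPLE_OPTS_WITH_82[] = {53, 1, 1, 82, 4, 1, 2, 'a', 'b', 255};
static const uint8_t SAMPLE_OPTS_NO_82[]   = {53, 1, 1, 255};
```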
Add rfc3046 optional specifications about relay agent. In bold, RFC mandatory.

Also contains the #105 fix.