[LEDE-DEV] [PATCH 1/3] Remove ttl==255 restriction for queries

Matthias May matthias.may at neratec.com
Fri Sep 29 02:49:17 PDT 2017


On 29/09/17 10:28, Syrone Wong wrote:
> The sad truth is it has been pushed via
> https://github.com/lede-project/source/commit/00e9a7aacb66b3f00df2002e8210bdb5086d2e0c
> 
> 
> Best Regards,
> Syrone Wong
> 
> 
> On Fri, Sep 29, 2017 at 3:52 PM, Bjørn Mork <bjorn at mork.no> wrote:
>> Note that security is the usual (only?) reason one would enforce TTL=255.
>> Requiring TTL=255 is the same as guaranteeing that the packet source is
>> in the same L2 domain.  This prevents any direct remote attack.
>>
>> Please do not propose any patches removing such a restriction without at
>> least explaining why this can be done without negative security
>> implications. Thanks
>>
>>
>>
>> Bjørn
>>
>> _______________________________________________
>> Lede-dev mailing list
>> Lede-dev at lists.infradead.org
>> http://lists.infradead.org/mailman/listinfo/lede-dev
> 

Why are you sad that this got merged?
It fixes compatibility with current implementations of mDNS.

The link from Philip Prindeville shows quite well why this removal was required:
[quote]
check-response-ttl= Takes a boolean value ("yes" or "no"). If set to "yes", an additional security check is activated:
incoming IP packets will be ignored unless the IP TTL is 255. Earlier mDNS specifications required this check. Since
this feature may be incompatible with newer implementations of mDNS it defaults to "no". On the other hand it provides
extra security.
[/quote]

Since most people update their distributions, and thus have a "newer implementation of mDNS", umdns was kind of broken in
this regard.

While it is unfortunate that the patch which actually got merged didn't include the explanation of why it was done, if you look
at the mailing list archive you will see that there was a thread discussing this topic:
http://lists.infradead.org/pipermail/lede-dev/2017-September/009004.html

The restriction of IP TTL == 255 applies to responses, but not to queries.
See RFC6762 chapter 11 for more.

BR
Matthias
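The distinction Matthias draws (TTL 255 is a receive-side check on mDNS responses, not on queries, and the avahi `check-response-ttl` option quoted above makes that check optional) can be shown as a small receive filter. The following is an added example written for this archive page; it is not code from umdns, avahi or the merged commit. It assumes a `Packet` view that already carries the IP TTL, the UDP source port and the DNS payload, reads the QR bit from the 12-byte DNS header to tell queries from responses, and applies the TTL rule only to responses. The source-port rule for responses is taken from RFC 6762, which requires Multicast DNS responses to originate from UDP port 5353; the sample datagrams at the bottom are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

MDNS_PORT = 5353  # UDP port used by Multicast DNS (RFC 6762)


@dataclass
class Packet:
    """Constructed view of one received IP/UDP datagram: only the fields
    the mDNS receive-side checks need (hypothetical type, not umdns/avahi)."""
    ip_ttl: int      # IP header TTL (hop limit for IPv6)
    src_port: int    # UDP source port
    payload: bytes   # raw DNS message


def is_response(payload: bytes) -> bool:
    """Return True if the DNS header's QR bit is set (response), False for a query.

    The QR bit is the top bit of the 16-bit flags word at offset 2 of the
    12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack("!H", payload[2:4])
    return bool(flags & 0x8000)


def should_accept(pkt: Packet, check_response_ttl: bool = False) -> Tuple[bool, str]:
    """Receive-side filter in the spirit of RFC 6762 section 11.

    check_response_ttl mirrors avahi's check-response-ttl= option quoted in
    the thread: when True, a response whose IP TTL is not 255 is dropped.
    Queries are never subject to the TTL requirement."""
    if is_response(pkt.payload):
        if pkt.src_port != MDNS_PORT:
            return False, "response dropped: UDP source port is not 5353"
        if check_response_ttl and pkt.ip_ttl != 255:
            return False, "response dropped: IP TTL != 255 (check-response-ttl=yes)"
        return True, "response accepted"
    # A query: the TTL==255 restriction does not apply, whatever the source.
    return True, "query accepted (no TTL requirement on queries)"


# Constructed sample payloads: a bare 12-byte header is enough for the QR check.
# Header layout: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
QUERY_HDR = struct.pack("!HHHHHH", 0, 0x0000, 1, 0, 0, 0)     # QR=0
RESPONSE_HDR = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)  # QR=1, AA=1


def demo() -> dict:
    """Run the filter over constructed datagrams with the check on and off."""
    samples = {
        "query_ttl64_highport": Packet(64, 40000, QUERY_HDR),
        "response_ttl255_5353": Packet(255, MDNS_PORT, RESPONSE_HDR),
        "response_ttl64_5353": Packet(64, MDNS_PORT, RESPONSE_HDR),
        "response_ttl255_badport": Packet(255, 1234, RESPONSE_HDR),
    }
    return {
        name: {
            "strict": should_accept(p, check_response_ttl=True)[0],
            "lenient": should_accept(p, check_response_ttl=False)[0],
        }
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:28s} strict={verdicts['strict']!s:5s} lenient={verdicts['lenient']}")
```

With the strict setting, only the response that arrived with TTL 255 from port 5353 passes; with the lenient setting (the avahi default quoted above) the TTL-64 response passes too, while the query from a high port with TTL 64 is accepted in both modes, which is the behaviour the merged umdns change moves towards.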
