Bug 1367533 - Default route can leak cjdns packets
Summary: Default route can leak cjdns packets
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: cjdns
Version: 26
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Stuart D Gathman
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-08-16 16:34 UTC by Stuart D Gathman
Modified: 2018-05-23 00:26 UTC
2 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-23 00:26:05 UTC



Description Stuart D Gathman 2016-08-16 16:34:35 UTC
Description of problem:
If cjdns does not create a tun interface, then fc00::/8 packets will go to the default route.  If the default gateway runs cjdroute, then pinging and connecting to the default gateway will "work" - but the packets are not encrypted or authenticated.

Version-Release number of selected component (if applicable):
cjdns-17.4-6.fc24.x86_64

How reproducible:
always

Steps to Reproduce:
1. with cjdns stopped, ping cjdns IP of gateway

Actual results:
unencrypted connectivity

Expected results:
no routing of cjdns IPs with cjdroute down

Additional info:
This does not depend on Fedora version.  Apps on the gateway will see an ICANN source ip, and a firewall on the gateway could block forwarding between ICANN <-> cjdns ips.  

This bug is basically indicating a need for some kind of simple firewall or routing hack that the package can install without breaking any non-cjdns configuration.

Comment 1 Fedora End Of Life 2017-07-25 22:28:24 UTC
This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '24'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 2 Stuart D Gathman 2017-07-25 22:36:32 UTC
Still outstanding.

Comment 3 kaotiskhund 2017-09-13 21:15:03 UTC
(In reply to Stuart D Gathman from comment #2)
> Still outstanding.

Does this still happen in later versions?

Comment 4 Stuart D Gathman 2017-09-13 23:15:11 UTC
It's not a bug in cjdns itself, but in system configuration.  I'd like to make it more foolproof for new users, so they are not exposed if they don't pay much attention to their firewall.  Basically, the firewall needs to block fc00::/8 when not coming from the cjdns tun device - if you are relying in any way on those IPs being authenticated and end-to-end encrypted.  I haven't thought of a bulletproof way to drop that in as a default.

On a different, but similar note, I just discovered that the default configuration on squid allows fc00::/7 unrestricted use of the proxy.  I noticed that unknown entities on cjdns had been using one of my proxies to download stuff (mostly from Russia it looks like - I don't recognize any of the sites).  I'll have to add a warning about that to the cjdns README.

Comment 5 Stuart D Gathman 2017-09-13 23:19:53 UTC
Note - one very simple way to avoid this problem is to use 2000::/3 instead of :: for your default route.  That is what I do, and I think I could at least recommend it at this point in the cjdns README (based on a reasonable length of experience).  But I can't have the package go monkeying with people's default route on install...

Comment 6 Stuart D Gathman 2017-09-13 23:30:09 UTC
What about this idea: the rpm checks for a default route, and issues a warning referencing a more detailed description in the Fedora cjdns README - where I recommend *not* having a default route, but using 2000::/3 instead.  Would that enlighten new users?  Or confuse and scare them?

Note that this issue applies to *any* VPN where you whitelist VPN ips for some service and the VPN is down.  It is not unique to cjdns.  It's just an easy security hole to fall into.

Comment 7 Stuart D Gathman 2017-09-14 12:25:08 UTC
I've updated the Fedora README with these two sections:

### Routing security

If cjdns is not running, cjdns packets will get routed in plaintext
to your default gateway by default.  An attacker could then play
man-in-the-middle.  If your default gateway is running cjdns, this
could even happen accidentally.

This can be blocked by restricting ```fc00::/8``` to the interface
used by cjdroute in the firewall.   An even simpler solution is
to not have a "default" route.  Instead route ```2000::/3``` to your
gateway.  All globally routable ips begin with ```001``` as the first
three bits.

### Application security

The squid cache package default config allows ```fc00::/7``` unrestricted
access to the proxy.  If the proxy port is not otherwise firewalled,
you probably want to change this to ```fd00::/8``` when using cjdns
on the proxy server.  Apart from that default config, squid works very
well with cjdns - you can allow specific cjdns ips unrestricted access:

```
acl adultpcs src fc25:dede:dede:dede:dede:dede:dede:dede
acl adultpcs src fc37:daaa:daaa:daaa:daaa:daaa:daaa:daaa
http_access allow adultpcs
```
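
The two README sections above describe the leak and the squid scope problem in words. The following is an added example, not code from the bug report or from the cjdns package: a minimal longest-prefix-match over a constructed IPv6 route table that shows why a `::/0` default route carries `fc00::/8` traffic once the tun device is gone, while a `2000::/3` route does not, and checks the "first three bits are 001" claim and the `fc00::/7` versus `fd00::/8` squid ACL scope. The interface names `eth0` and `tun0` and the route tables are assumptions for the illustration.

```python
"""Added example (not from the bug report or the cjdns package).

A tiny longest-prefix-match route lookup used to reason about where
fc00::/8 (cjdns) destinations go when cjdroute is stopped and its tun
device, and the fc00::/8 route attached to it, disappear.
All route tables and addresses below are constructed for the example.
"""
import ipaddress

# The cjdns address used in the README's squid ACL, reused as a probe.
PROBE = "fc25:dede:dede:dede:dede:dede:dede:dede"


def lookup(routes, dst):
    """Return (network, iface) of the most specific route matching dst,
    or None when no route covers it (the packet would be unroutable)."""
    addr = ipaddress.IPv6Address(dst)
    best = None
    for net_str, iface in routes:
        net = ipaddress.IPv6Network(net_str)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def cjdns_leaks(routes, tun_iface="tun0", probe=PROBE):
    """True when a cjdns destination would leave on a non-tun interface,
    i.e. in plaintext toward the default gateway."""
    hit = lookup(routes, probe)
    return hit is not None and hit[1] != tun_iface


# Constructed route tables; 'eth0' is the uplink, 'tun0' the cjdroute device.
UP_DEFAULT = [("::/0", "eth0"), ("fc00::/8", "tun0")]   # cjdroute running
DOWN_DEFAULT = [("::/0", "eth0")]                        # cjdroute stopped
DOWN_GLOBAL_ONLY = [("2000::/3", "eth0")]                # README's alternative


def first_three_bits(prefix):
    """Top three bits of an IPv6 address: 001 for global unicast, 111 for fc00::/8."""
    return int(ipaddress.IPv6Address(prefix)) >> 125


def squid_acl_scope(addr):
    """Whether squid's default ACL range (fc00::/7) and the tightened
    fd00::/8 (ordinary ULA) range match a given address."""
    a = ipaddress.IPv6Address(addr)
    return {
        "fc00::/7": a in ipaddress.IPv6Network("fc00::/7"),
        "fd00::/8": a in ipaddress.IPv6Network("fd00::/8"),
    }


if __name__ == "__main__":
    for name, table in (("up, default route", UP_DEFAULT),
                        ("down, default route", DOWN_DEFAULT),
                        ("down, 2000::/3 only", DOWN_GLOBAL_ONLY)):
        print(f"{name:22} -> {lookup(table, PROBE)}  leaks={cjdns_leaks(table)}")
    print("2000:: top bits:", bin(first_three_bits("2000::")))
    print("fc00:: top bits:", bin(first_three_bits("fc00::")))
    print("squid scope for a cjdns ip:", squid_acl_scope(PROBE))
```

The `DOWN_DEFAULT` table is the reporter's scenario: with the tun route gone, the probe matches `::/0` and leaves on `eth0`. With only `2000::/3` installed, the lookup returns `None`, because `fc00::` starts with bits `111`, so the packet is simply unroutable instead of leaking. The firewall variant the README mentions can be expressed as dropping `fc00::/8` on any interface other than the tun device; in nftables syntax, assuming the device is `tun0`, a rule of the shape `ip6 daddr fc00::/8 oifname != "tun0" drop` in an output or forward chain does that.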

Comment 8 Fedora End Of Life 2018-05-03 08:48:00 UTC
This message is a reminder that Fedora 26 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 26. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '26'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 26 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

