| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 06 Jun 2011 12:29:12 -0700 (PDT) From: David Miller <davem@...emloft.net> To: eric@...it.org Cc: eric.dumazet@...il.com, netdev@...r.kernel.org Subject: Re: [RFC PATCHv2] ipv6: implementation of reverse path filtering From: Eric Leblond <eric@...it.org> Date: Mon, 6 Jun 2011 19:53:25 +0200 > This patch provides a basic implementation of reverse path filtering > for IPv6. Functionnality can be activatedor desactivated through an > rp_filter entry similar to the IPv4 one. > > The functionnality is disabled by default for backward compatibility > but should be enable on all IPv6 routers/firewalls for security reason. > > This implementation is heavily based on the patch Denis Semmau proposed > in 2006. > > Signed-off-by: Eric Leblond <eric@...it.org> Do you know that this will make every forwarding route lookup up to 3 times slower? And you're not even caching the result like we do in ipv4, so every single forwarded PACKET, eats this overhead. Also, when enabled, this often breaks IPSEC. Frankly, when I remove the routing cache from ipv4, I want to get rid of RP filtering entirely. I think the BSD guys did the right thing, and put this in the firewalling code. Then people can add a forwarding rule that does this reverse path lookup, and the rest of the world doesn't need to eat this overhead. Finally, I want you to tell everyone why you want this change. People might find a less painful way to fix that issue. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists