| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 07 Sep 2012 15:47:15 +0200 From: Nicolas Dichtel <nicolas.dichtel@...nd.com> To: David Miller <davem@...emloft.net> CC: vyasevich@...il.com, sri@...ibm.com, linux-sctp@...r.kernel.org, netdev@...r.kernel.org Subject: Re: [PATCH] sctp: check dst validity after IPsec operations Le 06/09/2012 20:10, David Miller a écrit : > From: Nicolas Dichtel <nicolas.dichtel@...nd.com> > Date: Thu, 6 Sep 2012 13:40:29 -0400 > >> dst stored in struct sctp_transport needs to be recalculated when ipsec policy >> are updated. We use flow_cache_genid for that. >> >> For example, if a SCTP connection is established and then an IPsec policy is >> set, the old SCTP flow will not be updated and thus will not use the new >> IPsec policy. >> >> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@...nd.com> > > I don't like that SCTP need to perform special DST validation. Ipv6 do the same: inet6_csk_xmit()->inet6_csk_route_socket()->__inet6_csk_dst_check() -> compare flow_cache_genid and rt6i_flow_cache_genid. > > The normal DST validation mechanism already in place should be > sufficient. I don't find why TCP recalculate the route, but it's not immediate, we should wait a little. > > Otherwise this problem must exist in other protocols too, and > fixing a tree wide issue privately inside of one protocol is > not acceptable. I will propose another patch. Regards, Nicolas -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists