lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Thu, 04 Jun 2015 15:56:25 -0700 (PDT)
From:	David Miller <davem@...hat.com>
To:	tom@...bertland.com
Cc:	netdev@...r.kernel.org
Subject: Re: [PATCH v6 net-next 00/11] net: Increase inputs to flow_keys
 hashing

From: Tom Herbert <tom@...bertland.com>
Date: Thu, 4 Jun 2015 09:16:35 -0700

> This patch set adds new fields to the flow_keys structure and hashes
> over these fields to get a better flow hash. In particular, these
> patches now include hashing over the full IPv6 addresses in order
> to defend against address spoofing that always results in the
> same hash. The new input also includes the Ethertype, L4 protocol,
> VLAN, flow label, GRE keyid, and MPLS entropy label.
> 
> In order to increase hash inputs, we switch to using jhash2
> which operates an an array of u32's. jhash2 operates on multiples of
> three words. The data in the hash is constructed for that, and there
> are are two variants for IPv4 and Ipv6 addressing. For IPv4 addresses,
> jhash is performed over six u32's and for IPv6 it is done over twelve.
> 
> flow_keys can store either IPv4 or IPv6 addresses (addr_proto field
> is a selector). ipv6_addr_hash is no longer used to convert addresses
> for setting in flow table. For legacy uses of flow keys outside of
> flow_dissector the flow_get_u32_src and flow_get_u32_dst functions
> have been added to get u32 representation representations of addresses
> in flow_keys.
> 
> For flow lables we also eliminate the short circuit in flow_dissector
> for non-zero flow label. The flow label is now considered additional
> input to ports.
> 
> Testing: Ran netperf TCP_RR for 200 flows using IPv4 and IPv6 comparing
> before the patches and with the patches. Did not detect any performance
> degradation.

Series applied, thanks Tom.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ