| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20071204.233432.136250076.davem@davemloft.net> Date: Tue, 04 Dec 2007 23:34:32 -0800 (PST) From: David Miller <davem@...emloft.net> To: herbert@...dor.apana.org.au Cc: simon@...e.lp0.eu, linux-kernel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: sockets affected by IPsec always block (2.6.23) From: Herbert Xu <herbert@...dor.apana.org.au> Date: Wed, 5 Dec 2007 18:16:07 +1100 > Right. This is definitely bad for protocols without a retransmission > mechanism. > > However, is the 0 setting ever useful for TCP and in particular, TCP's > connect(2) call? Perhaps we can just make that one always drop. TCP has some built-in assumptions about characteristics of interent links and what constitutes a timeout which is "too long" and should thus result in a full connection failure. IPSEC changes this because of IPSEC route resolution via ISAKMP. With this in mind I can definitely see people preferring the "block until IPSEC resolves" behavior, especially for something like, say, periodic remote backups and stuff like that where you really want the thing to just sit and wait for the connect() to succeed instead of failing. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists