[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 9 Sep 2008 22:11:33 +0200
From: Andi Kleen <andi@...stfloor.org>
To: David Miller <davem@...emloft.net>
Cc: andi@...stfloor.org, stephen.hemminger@...tta.com,
eugeneteo@...nel.sg, netdev@...r.kernel.org, eteo@...hat.com
Subject: Re: Internet-Draft on Port Randomisation
On Tue, Sep 09, 2008 at 01:04:24PM -0700, David Miller wrote:
> From: Andi Kleen <andi@...stfloor.org>
> Date: Tue, 09 Sep 2008 16:28:30 +0200
>
> > [haven't read the draft] But you don't necessarily need a full global
> > lock for such a scheme. What works too is to access global state only
> > ever N accesses and pre-allocate a small range per CPU. While there's
> > still some global overhead then, it happens significantly less. My old
> > alternative ipid setup algorithm worked this way.
>
> Should work well on a 64K cpu system.
If you make N large enough it can work with pretty much any number of CPUs.
The main drawback is that it's losing random bits the larger N is, but then
64k is not really remotely secure anyways.
Due to the later reason I doubt such a change is very interesting.
Also there's the issue on fully preemptible kernels.
If you wanted a more secure port space what would like make more
sense is to use IPv6 and use e.g. 32bit out of the local network
address space for port randomization too.
-Andi
--
ak@...ux.intel.com
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists