Date: Mon, 29 Sep 2008 16:27:31 -0400
From: Neil Horman <nhorman@...driver.com>
To: Eric Dumazet <dada1@...mosbay.com>
Cc: netdev@...r.kernel.org, kuznet@....inr.ac.ru, davem@...emloft.net, pekkas@...core.fi, jmorris@...ei.org, yoshfuji@...ux-ipv6.org, kaber@...sh.net
Subject: Re: [PATCH] net: implement emergency route cache rebulds when gc_elasticity is exceeded

On Mon, Sep 29, 2008 at 10:22:03PM +0200, Eric Dumazet wrote:
> Neil Horman wrote:
>> Hey all-
>> We currently have the ability to disable our route cache secret interval
>> rebuild timer (by setting it to zero), but if we do that it's possible for an
>> attacker (if they guess our route cache hash secret) to fill our system with
>> routes that all hash to the same bucket, destroying our performance. This patch
>> provides a backstop for that issue. In the event that our rebuild interval is
>> disabled (or very large), if any hash chain exceeds ip_rt_gc_elasticity, we do
>> an emergency hash rebuild. During the hash rebuild we:
>> 1) warn the user of the emergency
>> 2) disable the rebuild timer
>> 3) invalidate the route caches
>> 4) re-enable the rebuild timer with its old value
>>
>> Regards
>> Neil
>
> This sounds not good at all to me.
>
> 1) Don't set ip_rt_secret_interval to zero, this is plain silly, since
> you give attackers infinite time to break your machine.
>
> To quote Herbert (who allowed to set this interval to 0)
>
> "Let me first state that disabling the route cache hash rebuild
> should not be done without extensive analysis on the risk profile
> and careful deliberation.
>
> However, there are times when this can be done safely or for
> testing. For example, when you have mechanisms for ensuring
> that offending parties do not exist in your network."
>

That's really rather the motivation behind this. The patch that Herbert
submitted with that commit explicitly lets one disable their rebuild timer. I
agree it's stupid to do that, but we added code to allow it. This provides a
patch to help people who are victimized because they've done exactly this
(additionally providing them a warning to stop doing it).

>
> 2) Many machines have ip_rt_gc_elasticity set to 2,
> because they have a huge hash table, but low chain depths.

Ok, that seems reasonable, and this isn't going to disallow that. By the same
reasoning, people who have huge hash tables, and low chain depths won't want
their low chain length being violated, would they? This patch will warn them if
their assumptions are being violated.

Neil

--
/****************************************************
 * Neil Horman <nhorman@...driver.com>
 * Software Engineer, Red Hat
 ****************************************************/
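The backstop discussed in this message, as an added userspace model; it is not code from the patch or from the kernel. All names (`cache_insert`, `flood_demo`, `BUCKETS`, `SECRET0`) and the hash function are assumptions, the workload is constructed, and the rebuild timer (steps 2 and 4) is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define BUCKETS 64u                 /* assumption: toy table size */
#define SECRET0 0x1234abcdu         /* constructed initial hash secret */
struct entry { uint32_t key; struct entry *next; };
struct cache {
    struct entry *bucket[BUCKETS];
    uint32_t secret;                /* models the route cache hash secret */
    unsigned elasticity, rebuilds;  /* models ip_rt_gc_elasticity; rebuild count */
};
/* Keyed mixer (murmur3 finalizer), a stand-in for the kernel's hash. */
static unsigned bucket_of(uint32_t key, uint32_t secret) {
    uint32_t h = key ^ secret;
    h ^= h >> 16; h *= 0x85ebca6bu; h ^= h >> 13; h *= 0xc2b2ae35u; h ^= h >> 16;
    return h % BUCKETS;
}
static void cache_flush(struct cache *c) {      /* invalidate every entry */
    for (unsigned i = 0; i < BUCKETS; i++)
        while (c->bucket[i]) {
            struct entry *e = c->bucket[i];
            c->bucket[i] = e->next;
            free(e);
        }
}

/* Insert key; if its chain would exceed elasticity: warn, flush, re-key. */
static void cache_insert(struct cache *c, uint32_t key) {
    unsigned b = bucket_of(key, c->secret), len = 0;
    for (struct entry *e = c->bucket[b]; e; e = e->next) len++;
    if (len + 1 > c->elasticity) {
        fprintf(stderr, "emergency rebuild: chain %u > %u\n", len + 1, c->elasticity);
        cache_flush(c);
        c->secret = c->secret * 2654435761u + 1u;   /* demo only: use a CSPRNG */
        c->rebuilds++; b = bucket_of(key, c->secret);  /* re-hash under new secret */
    }
    struct entry *e = malloc(sizeof *e);
    if (!e) abort();
    e->key = key; e->next = c->bucket[b]; c->bucket[b] = e;
}
/* Constructed workload: n keys sharing bucket 0 under SECRET0; returns rebuilds. */
unsigned flood_demo(unsigned n, unsigned elasticity) {
    struct cache c = { .secret = SECRET0, .elasticity = elasticity };
    for (uint32_t k = 0; n > 0; k++)
        if (bucket_of(k, SECRET0) == 0) { cache_insert(&c, k); n--; }
    cache_flush(&c);
    return c.rebuilds;
}
int main(void) { printf("rebuilds: %u\n", flood_demo(16, 8)); return 0; }
```

With elasticity 8, the ninth colliding key triggers the single rebuild; the keys that follow were chosen against the old secret and no longer share a guaranteed bucket.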