| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20090812.205635.244644770.davem@davemloft.net> Date: Wed, 12 Aug 2009 20:56:35 -0700 (PDT) From: David Miller <davem@...emloft.net> To: herbert@...dor.apana.org.au Cc: joamaki@...il.com, netdev@...r.kernel.org Subject: Re: [PATCH] Fix xfrm hash collisions by changing __xfrm4_daddr_saddr_hash to hash addresses with addition From: Herbert Xu <herbert@...dor.apana.org.au> Date: Thu, 13 Aug 2009 13:53:10 +1000 > Take corporate VPN servers for instance. Yes each client is > trusted to the extent that it is being offered connectivity to > the corporate network. However, it would not be ideal if one > rogue client can take down the entire VPN server, especially > in this case because repeatedly creating identical SAs can often > occur purely by accident. 1) The client is on your private network, much more serious mischief is possible. 2) Whoever creates such a hash collision explosion can be precisely identified. The ikev1 failure case is an interesting situation I hadn't considered. Maybe that can matter, but again the guilty party is easy to identify and easy to block via whatever means appropriate. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists