| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20100318105939.57f8d377@nehalam> Date: Thu, 18 Mar 2010 10:59:39 -0700 From: Stephen Hemminger <shemminger@...tta.com> To: Pekka Savola <pekkas@...core.fi> Cc: David Miller <davem@...emloft.net>, netdev@...r.kernel.org Subject: Re: [PATCH] tcp: Generalized TTL Security Mechanism On Thu, 18 Mar 2010 08:36:48 +0200 (EET) Pekka Savola <pekkas@...core.fi> wrote: > Hi, > > On Sun, 10 Jan 2010, Stephen Hemminger wrote: > > This patch adds the kernel portions needed to implement > > RFC 5082 Generalized TTL Security Mechanism (GTSM). > > It is a lightweight security measure against forged > > packets causing DoS attacks (for BGP). > ... > > It's nice to see this added. However, I must add that a compliant RFC > 5082 implementation is required to have similar TTL treatment for ICMP > errors which relate to the protected session. AFAIK this does not > support that. > > The experimental, earlier spec (GTSH, RFC3682) did not have this > requirement. Most if not all implementations support only GTSH mode. > So a backward-compatibility option may be desirable. The ICMP receive error handling does need to be updated. But any application using GTSM should be setting IP_TTL socket option to set send TTL. But, not sure if Linux TCP ever sends ICMP for existing sessions at all. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists