lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <E1OAB1B-0002ar-Dp@smtp.tuxdriver.com>
Date:	Thu, 6 May 2010 20:02:06 -0400
From:	nhorman@...l.tuxdriver.com
To:	"Eric Dumazet" <eric.dumazet@...il.com>,
	"Neil Horman" <nhorman@...driver.com>
Cc:	netdev@...r.kernel.org, davem@...emloft.net, kuznet@....inr.ac.ru,
	jmorris@...ei.org, yoshfuji@...ux-ipv6.org, kaber@...sh.net
Subject: Re: [PATCH] ipv4: remove ip_rt_secret timer (v2)


On Thu, 6 May 2010 17:08:05 -0400, Eric Dumazet wrote:

> Le jeudi 06 mai 2010 à 16:29 -0400, Neil Horman a écrit :
> > Version 2 of this patch, taking Erics comment about making the rt_genid non-zero
> > when a netns is created.  This makes sense, and helps prevent attackers from
> > guessing our initial secret value
> > 
> > 
> > 
> > A while back there was a discussion regarding the rt_secret_interval timer.
> > Given that we've had the ability to do emergency route cache rebuilds for awhile
> > now, based on a statistical anal> > cache, the use of the flush timer is somewhat redundant.  This patch removes the
> > rt_secret_interval sysctl, allowing us to rely solely on the statistical
> > analysis mechanism to determine the need for route cache flushes.
> > 
> > Signed-off-by: Neil Horman <nhorman@...driver.com>
> > 
> 
> > -
> > -static __net_init int rt_secret_timer_init(struct net *net)
> > +static __net_init int rt_genid_init(struct net *net)
> >  {
> > -	atomic_set(&net->ipv4.rt_genid,
> > -			(int) ((num_physpages ^ (num_physpages>>8)) ^
> > -			(jiffies ^ (jiffies >> 7))));
> > -
> 
> 
> > +	/*
> > +	 * This just serves to start off each new net namespace
> > +	 * with a non-zero rt_genid value, making it harder to guess
> > +	 */
> > +	rt_cache_invalidate(net);
> >  	return 0;
> >  }
> >  
> 
> I am _sorry_ to be such a paranoiac guy.
> 
Don't be sorry, I think your concern is valid, I just don't want to keep old code around when 
> Could you please feed more than 8 bits here ?
> 
> like :
> 
> get_random_bytes(&net->ipv4.rt_genid, sizeof(net->ipv4.rt_genid));
> 
Sure, I'm good with that. I'm not at my desk right now, but ill do that in the morning.

> There is no need to comment this in the code, this kind of rnd init is
> very common in net tree.
>
Ok, copy that, ill fix that up at the same time.  

Thanks & regards
Neil

> 
> 
> 
> 
> 

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ