| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Jul 2011 10:25:27 +0200 From: Eric Dumazet <eric.dumazet@...il.com> To: Fernando Gont <fernando@...t.com.ar>, David Miller <davem@...emloft.net> Cc: security@...nel.org, Eugene Teo <eugeneteo@...nel.sg>, netdev <netdev@...r.kernel.org>, Matt Mackall <mpm@...enic.com> Subject: Re: [PATCH net-next-2.6] ipv6: make fragment identifications less predictable Le mardi 19 juillet 2011 à 22:47 +0200, Eric Dumazet a écrit : > IPv6 fragment identification generation is way beyond what we use for > IPv4 : It uses a single generator. Its not scalable and allows DOS > attacks. > > Now inetpeer is IPv6 aware, we can use it to provide a more secure and > scalable frag ident generator (per destination, instead of system wide) > > This patch : > 1) defines a new secure_ipv6_id() helper > 2) extends inet_getid() to provide 32bit results > 3) extends ipv6_select_ident() with a new dest parameter > > Reported-by: Fernando Gont <fernando@...t.com.ar> > CC: Matt Mackall <mpm@...enic.com> > CC: Eugene Teo <eugeneteo@...nel.sg> > Signed-off-by: Eric Dumazet <eric.dumazet@...il.com> > --- Please hold on, I'll make a different patch series to ease stable teams job. It appears inetpeer & ipv6 are really not an option for old kernels. Common patch for all kernels : 1) Fix the problem without inetpeer help --- Patches for next kernels 2) random split as suggested by Matt Mackal 3) Use inetpeer cache to scale identification generation -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists