lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 21 Jul 2011 15:17:50 -0700 (PDT)
From:	David Miller <davem@...emloft.net>
To:	fernando@...t.com.ar
Cc:	eric.dumazet@...il.com, security@...nel.org, eugeneteo@...nel.sg,
	netdev@...r.kernel.org, mpm@...enic.com
Subject: Re: [PATCH net-next-2.6] ipv6: make fragment identifications less
 predictable

From: Fernando Gont <fernando@...t.com.ar>
Date: Wed, 20 Jul 2011 22:32:18 -0300

> Does it make sense to go in this direction rather than simply randomize
> the IPv6 Fragment Identification?

We could, but that's actually a bit more work.

You have to avoid recycling IDs to the same destination host otherwise
a retransmit could use the same ID and overlap with a previous set of
frags, causing corruption.

This means if you go the "pure random" route, you have to make sure
that the 32-bit series produced by the random number generator is
maximally long.  This is why openbsd uses an ID generator based upon
skip32 etc.

And I cannot say that about our RNG infrastructure.

Also, 32-bits seems like a lot, but on a 40Gb link we can exhaust this
space in ~20 minutes (1554 byte packet over standard ethernet MTU at
40Gbit is ~3454767 ipv6 frag IDs per second).  So while maybe not a
serious issue right now, we seem to go up by a factor of 10 every few
years, therefore at ~400Gb it's down to 2 minutes.

So we have to look at it like a constrained resource, and therefore
doing it on a per-destination basis like ipv4 makes a lot of sense.

I think Eric's work is the way forward and I'll be applying his patches.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ