Message-ID: <4E28CFD1.2030504@gont.com.ar>
Date:	Thu, 21 Jul 2011 22:18:09 -0300
From:	Fernando Gont <fernando@...t.com.ar>
To:	Rick Jones <rick.jones2@...com>
CC:	David Miller <davem@...emloft.net>, eric.dumazet@...il.com,
	security@...nel.org, eugeneteo@...nel.sg, netdev@...r.kernel.org,
	mpm@...enic.com
Subject: Re: [PATCH net-next-2.6] ipv6: make fragment identifications less predictable

On 07/21/2011 09:34 PM, Rick Jones wrote:
>> That scenario assumes packet reordering and/or packet loss.
> 
> Isn't that a given?  

I mean that if these "collisions" of Identification numbers are of
concern, then, at such bandwidth rates, fragmentation itself would
be a concern.

Chances of collisions are proportional to reordering and losses. That
means that at such bandwidths, you'd need to be able to queue a huge
number of packets (which you might not be able to queue, because of
lack of resources), etc.



> And indeed, fragmentation is considered bad, and was considered bad
> enough that the "revenge of the router guys" that is IPv6 punted it to
> the end systems, and yes, one should use PMTUD. Which is all well and
> good when 999 times out of 1 traffic is flowing over a transport that
> does its own segmentation and reassembly.  

And provided that there's no ICMPv6 filtering out there (which there is)
-- at which point you need to implement some form of blackhole detection
a la PLPMTUD.


> And when IPv6 got spec'ed it
> looked to all the world that UDP was on the way out - NFS was migrating
> over to TCP, and DNS was "never" more than 512 byte messages. No problem
> right?  But since then we've gotten things like EDNS which will be
> sending DNS messages in UDP datagrams that will have to be fragmented,
> PMTUD notwithstanding.

Hopefully you won't have the aforementioned 40GB traffic rate between
two DNS servers ;-)

Thanks,
-- 
Fernando Gont
e-mail: fernando@...t.com.ar || fgont@....org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
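
The argument above (a repeated Identification value only matters if a stalled, lost or reordered datagram is still being reassembled when the value comes round again) can be put in numbers. The following is an added worked example, not code from the thread or from the kernel patch; it assumes the 32-bit Identification field and the 60-second reassembly timeout of RFC 2460, and treats the link as carrying nothing but fragmented datagrams to a single destination (the worst case for the ID space).

```python
import math

ID_BITS = 32                # IPv6 Fragment header Identification field (RFC 2460)
REASSEMBLY_TIMEOUT_S = 60   # RFC 2460: give up on an incomplete datagram after 60 s
ID_SPACE = 2 ** ID_BITS


def datagrams_per_second(link_gbps, datagram_bytes):
    """Worst case: every byte on the link is a fragmented datagram to one destination."""
    return link_gbps * 1e9 / 8 / datagram_bytes


def datagrams_per_timeout(link_gbps, datagram_bytes, timeout_s=REASSEMBLY_TIMEOUT_S):
    """Fragmented datagrams a receiver may have to keep apart within one timeout."""
    return round(datagrams_per_second(link_gbps, datagram_bytes) * timeout_s)


def sequential_wrap_seconds(link_gbps, datagram_bytes):
    """Time for a per-destination sequential counter to run through all 2^32
    values and start reusing them."""
    return ID_SPACE / datagrams_per_second(link_gbps, datagram_bytes)


def sequential_collision_possible(link_gbps, datagram_bytes, timeout_s=REASSEMBLY_TIMEOUT_S):
    """With a sequential counter an ID can only be reused while its earlier
    datagram is still held if the counter wraps faster than the receiver
    times out, i.e. only if loss or reordering keeps fragments queued that long."""
    return sequential_wrap_seconds(link_gbps, datagram_bytes) <= timeout_s


def random_collision_probability(n_datagrams):
    """Birthday bound for the other end of the design space: n uniformly
    random 32-bit IDs in flight at once, P(at least two are equal)."""
    return 1.0 - math.exp(-n_datagrams * (n_datagrams - 1) / (2 * ID_SPACE))


if __name__ == "__main__":
    # 1500: typical MTU; 1280: IPv6 minimum MTU; 64: unrealistic extreme,
    # included only to show where the wrap time drops below the timeout.
    for size in (1500, 1280, 64):
        n = datagrams_per_timeout(40, size)
        print(f"40 Gbit/s, {size}-byte datagrams: {n:,} per timeout, "
              f"sequential wrap in {sequential_wrap_seconds(40, size):.0f} s, "
              f"sequential collision possible: {sequential_collision_possible(40, size)}, "
              f"random-ID collision p = {random_collision_probability(n):.3g}")
```

At 40 Gbit/s with 1500-byte datagrams a sequential counter takes about 21 minutes to wrap, so a collision needs a fragment held far longer than any receiver keeps it; fully random IDs, by contrast, collide almost surely within a single timeout window.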