lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <20120913.170246.810763209248388292.davem@davemloft.net>
Date:	Thu, 13 Sep 2012 17:02:46 -0400 (EDT)
From:	David Miller <davem@...emloft.net>
To:	eric.dumazet@...il.com
Cc:	netdev@...r.kernel.org, lorenzo@...gle.com, maze@...gle.com,
	therbert@...gle.com
Subject: Re: [PATCH net-next 2/2] ipv6: dont cache cloned routes

From: Eric Dumazet <eric.dumazet@...il.com>
Date: Wed, 12 Sep 2012 14:01:47 +0200

> From: Eric Dumazet <edumazet@...gle.com>
> 
> We can now destroy cloned routes immediately from dst_release() instead
> of depending on garbage collection.
> 
> Set DST_NOCACHE in rt6_alloc_clone() so that :
> 
> 1) we avoid calling ip6_ins_rt() on such routes
> 
> 2) dst_release() can call destroy when refcount becomes 0
> 
> This allows machines to resist to DDOS.
> 
> Reported-by: Lorenzo Colitti <lorenzo@...gle.com>
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Cc: Maciej Żenczykowski <maze@...gle.com>
> Cc: Tom Herbert <therbert@...gle.com>

This current behavior is very much intentional and cannot be removed
so trivially.  The scope of this change is much wider than some DDOS
test.

This change is the moral equivalent of the ipv4 routing cache removal,
but we have not done anything to compensate for the resulting ipv6
performance loss as the routing cache removal changes did.

The insertion of ipv6 route clones into the tree is how the ipv6 code
caches routes.

The only legitimate way to make this change is to revamp ipv6 route
handling properly like we did for ipv4.

This means making it such that, when legitimate, prefixed routes found
directly into the route tree are used directly.

To achieve this you need to:

1) Convert ipv6 to do ref-count-less neighbour handling and not cache
   neighbours in the ipv6 routes, instead doing the lookup on demand
   in ip6_output as we do on the ipv4 side.

2) Stop caching inetpeers in the ipv6 routes.

3) Make ipv6 in-route metrics read-only, again as we already do in
   ipv4.

And so on and so forth, until direct use of prefixed ipv6 routes is
possible.

I really can't even remotely entertain applying this patch, sorry.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ