| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 31 May 2013 14:19:47 -0400
From: David Stevens <dlstevens@...ibm.com>
To: Stephen Hemminger <stephen@...workplumber.org>
Cc: netdev@...r.kernel.org, netdev-owner@...r.kernel.org
Subject: Re: RFC - VXLAN port range facility
Stephen Hemminger <stephen@...workplumber.org> wrote on 05/31/2013
01:22:33 PM:
> > Now, maybe it wouldn't kill performance, and so doing a bind/unbind
per
> > packet is still an option, but that would definitely hurt performance
> > for people who don't actually care about port entropy.
>
> What about a peek operation that just avoids existing ports.
That sounds like an excellent idea to me. But anything per-packet
interacting with other parts of the kernel has potential to be slow.
My concern there, if it is noticeably slower, is that someone who
doesn't need the entropy should not pay the penalty for it. So, if
whatever we do per-packet to ensure we're using unbound UDP ports
slows it down, I think we'd want a knob of some sort to allow just
using a pre-bound port or (smaller) set of ports, since those don't
require any per-packet checks.
But absolutely, if we just do the port lookup and rehash if
the port is in use, even without actually binding, I think that would
work well; we wouldn't cause any troubles for long-term UDP bound
sockets and other emphemeral ports can get stray traffic from prior
use already.
+-DLS
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists