lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20130828.182048.371311612380335945.davem@davemloft.net>
Date:	Wed, 28 Aug 2013 18:20:48 -0400 (EDT)
From:	David Miller <davem@...emloft.net>
To:	fw@...len.de
Cc:	netdev@...r.kernel.org, jbohac@...e.cz
Subject: Re: [PATCH 1/2] tcp: syncookies: reduce cookie lifetime to 128
 seconds

From: Florian Westphal <fw@...len.de>
Date: Sun, 25 Aug 2013 19:54:01 +0200

> We currently accept cookies that were created less than 4 minutes ago
> (ie, cookies with counter delta 0-3).  Combined with the 8 mss table
> values, this yields 32 possible values (out of 2**32) that will be valid.
> 
> Reducing the lifetime to < 2 minutes halves the guessing chance while
> still providing a large enough period (possible cookies are
> only validated if last synqueue overflow was less than 3 seconds ago).
> 
> While at it, get rid of jiffies value -- they overflow too quickly on
> 32 bit platforms.
> 
> getnstimeofday is used to create a counter that increments every 64s.
> 
> Reported-by: Jakob Lell <jakob@...oblell.com>
> Signed-off-by: Florian Westphal <fw@...len.de>

Moving from jiffies as a time seed to getnstimeofday() obviously will
have some performance impact, can you talk a little bit about that?


> +#define MAX_SYNCOOKIE_AGE 2 /* 128 seconds */

I'm sure you understand how 2 translates into 128 seconds in this syncookie
code, but I sure don't and the next person who reads this patch or this
code after I apply it may not either.

Could you in some way expose the calculation?  Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ