| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 28 Aug 2013 18:20:48 -0400 (EDT) From: David Miller <davem@...emloft.net> To: fw@...len.de Cc: netdev@...r.kernel.org, jbohac@...e.cz Subject: Re: [PATCH 1/2] tcp: syncookies: reduce cookie lifetime to 128 seconds From: Florian Westphal <fw@...len.de> Date: Sun, 25 Aug 2013 19:54:01 +0200 > We currently accept cookies that were created less than 4 minutes ago > (ie, cookies with counter delta 0-3). Combined with the 8 mss table > values, this yields 32 possible values (out of 2**32) that will be valid. > > Reducing the lifetime to < 2 minutes halves the guessing chance while > still providing a large enough period (possible cookies are > only validated if last synqueue overflow was less than 3 seconds ago). > > While at it, get rid of jiffies value -- they overflow too quickly on > 32 bit platforms. > > getnstimeofday is used to create a counter that increments every 64s. > > Reported-by: Jakob Lell <jakob@...oblell.com> > Signed-off-by: Florian Westphal <fw@...len.de> Moving from jiffies as a time seed to getnstimeofday() obviously will have some performance impact, can you talk a little bit about that? > +#define MAX_SYNCOOKIE_AGE 2 /* 128 seconds */ I'm sure you understand how 2 translates into 128 seconds in this syncookie code, but I sure don't and the next person who reads this patch or this code after I apply it may not either. Could you in some way expose the calculation? Thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists