| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1395261524.9114.60.camel@edumazet-glaptop2.roam.corp.google.com> Date: Wed, 19 Mar 2014 13:38:44 -0700 From: Eric Dumazet <eric.dumazet@...il.com> To: Florian Westphal <fw@...len.de> Cc: netdev@...r.kernel.org Subject: Re: [PATCH v3 -next 1/2] tcp: syncookies: reduce cookie lifetime to 128 seconds On Fri, 2013-09-20 at 22:32 +0200, Florian Westphal wrote: > We currently accept cookies that were created less than 4 minutes ago > (ie, cookies with counter delta 0-3). Combined with the 8 mss table > values, this yields 32 possible values (out of 2**32) that will be valid. > > Reducing the lifetime to < 2 minutes halves the guessing chance while > still providing a large enough period. > > While at it, get rid of jiffies value -- they overflow too quickly on > 32 bit platforms. > > getnstimeofday is used to create a counter that increments every 64s. > perf shows getnstimeofday cost is negible compared to sha_transform; > normal tcp initial sequence number generation uses getnstimeofday, too. The getnstimeofday() cost is about 40 cycles if TSC is used, but if this source is not available and hpet is used, it is more 1600 cycles ... I'll send a patch to use local_clock() instead (26 to 30 cycles) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists