lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <20140602.110115.9273219328433110.davem@davemloft.net>
Date:	Mon, 02 Jun 2014 11:01:15 -0700 (PDT)
From:	David Miller <davem@...emloft.net>
To:	eric.dumazet@...il.com
Cc:	netdev@...r.kernel.org
Subject: Re: [PATCH v2 net-next] inetpeer: get rid of ip_id_count

From: Eric Dumazet <eric.dumazet@...il.com>
Date: Mon, 02 Jun 2014 05:26:03 -0700

> From: Eric Dumazet <edumazet@...gle.com>
> 
> Ideally, we would need to generate IP ID using a per destination IP
> generator.
> 
> linux kernels used inet_peer cache for this purpose, but this had a huge
> cost on servers disabling MTU discovery.
> 
> 1) each inet_peer struct consumes 192 bytes
> 
> 2) inetpeer cache uses a binary tree of inet_peer structs,
>    with a nominal size of ~66000 elements under load.
> 
> 3) lookups in this tree are hitting a lot of cache lines, as tree depth
>    is about 20.
> 
> 4) If server deals with many tcp flows, we have a high probability of
>    not finding the inet_peer, allocating a fresh one, inserting it in
>    the tree with same initial ip_id_count, (cf secure_ip_id())
> 
> 5) We garbage collect inet_peer aggressively.
> 
> IP ID generation do not have to be 'perfect'
> 
> Goal is trying to avoid duplicates in a short period of time,
> so that reassembly units have a chance to complete reassembly of
> fragments belonging to one message before receiving other fragments
> with a recycled ID.
> 
> We simply use an array of generators, and a Jenkin hash using the dst IP
> as a key.
> 
> ipv6_select_ident() is put back into net/ipv6/ip6_output.c where it
> belongs (it is only used from this file)
> 
> secure_ip_id() and secure_ipv6_id() no longer are needed.
> 
> Rename ip_select_ident_more() to ip_select_ident_segs() to avoid
> unnecessary decrement/increment of the number of segments.
> 
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>

Applied, thanks Eric.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ