lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20140601.190147.889157989845313443.davem@davemloft.net>
Date:	Sun, 01 Jun 2014 19:01:47 -0700 (PDT)
From:	David Miller <davem@...emloft.net>
To:	eric.dumazet@...il.com
Cc:	netdev@...r.kernel.org
Subject: Re: [PATCH v1 net-next] inetpeer: get rid of ip_id_count

From: Eric Dumazet <eric.dumazet@...il.com>
Date: Sun, 01 Jun 2014 17:18:04 -0700

> From: Eric Dumazet <edumazet@...gle.com>
> 
> Ideally, we would need to generate IP ID using a per destination IP
> generator.
> 
> linux kernels used inet_peer cache for this purpose, but this had a huge
> cost on servers disabling MTU discovery.
> 
> 1) each inet_peer struct consumes 192 bytes
> 
> 2) inetpeer cache uses a binary tree of inet_peer structs,
>    with a nominal size of ~66000 elements under load.
> 
> 3) lookups in this tree are hitting a lot of cache lines, as tree depth
>    is about 20.
> 
> 4) If server deals with many tcp flows, we have a high probability of
>    not finding the inet_peer, allocating a fresh one, inserting it in
>    the tree with same initial ip_id_count, (cf secure_ip_id())
> 
> 5) We garbage collect inet_peer aggressively.
> 
> IP ID generation do not have to be 'perfect'
> 
> Goal is trying to avoid duplicates in a short period of time,
> so that reassembly units have a chance to complete reassembly of
> fragments belonging to one message before receiving other fragments
> with a recycled ID.
> 
> We simply use an array of generators, and a Jenkin hash using the dst IP
> as a key.
> 
> ipv6_select_ident() is put back into net/ipv6/ip6_output.c where it
> belongs (it is only used from this file)
> 
> secure_ip_id() and secure_ipv6_id() no longer are needed.
> 
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> ---
> Note: Based on current net-next, but needs a respin or merge resolution
> after other patch [1] is merged.

I like it.

I think we should get rid of the 'dst' argument from __ip_select_ident() (and thus
ip_select_ident() and ip_select_ident_mode()), it is completely unused.

It might even help to do so for ipv6_select_ident(), having it just pass the
dest addr pointer in instead.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ