lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 4 Aug 2014 12:35:59 -0700 From: Pravin Shelar <pshelar@...ira.com> To: David Miller <davem@...emloft.net> Cc: netdev <netdev@...r.kernel.org> Subject: Re: [GIT net-next] Open vSwitch On Sun, Aug 3, 2014 at 9:21 PM, David Miller <davem@...emloft.net> wrote: > From: Pravin Shelar <pshelar@...ira.com> > Date: Sun, 3 Aug 2014 12:20:32 -0700 > >> On Sat, Aug 2, 2014 at 3:16 PM, David Miller <davem@...emloft.net> wrote: >>> From: Pravin B Shelar <pshelar@...ira.com> >>> Date: Thu, 31 Jul 2014 16:57:37 -0700 >>> >>>> Following patch adds mask cache so that we do not need to iterate over >>>> all entries in mask list on every packet. We have seen good performance >>>> improvement with this patch. >>> >>> How much have you thought about the DoS'ability of openvswitch's >>> datastructures? >>> >> This cache is populated by flow lookup in fast path. The mask cache is >> fixed in size. Userspace or number of packets can not change its size. >> Memory is statically allocated, no garbage collection. So DoS attack >> can not exploit this cache to increase ovs memory footprint. > > An attacker can construct a packet sequence such that every mask cache > lookup misses, making the cache effectively useless. Yes, but it does work in normal traffic situations. I have posted performance numbers in the cover letter. Under DoS attack as you said attacker need to build sequence of packets to make cache ineffective. Which results in cache miss and a full in-kernel flow lookup. Therefore with this cache there is one more lookup done under DoS. But this is not very different than current OVS anyways. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists