| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1422465891.2709.38.camel@decadent.org.uk>
Date: Wed, 28 Jan 2015 17:24:51 +0000
From: Ben Hutchings <ben@...adent.org.uk>
To: "Michael S. Tsirkin" <mst@...hat.com>
Cc: Hannes Frederic Sowa <hannes@...essinduktion.org>,
vyasevic@...hat.com, Vladislav Yasevich <vyasevich@...il.com>,
netdev@...r.kernel.org, virtualization@...ts.linux-foundation.org,
edumazet@...gle.com
Subject: Re: [PATCH 1/3] ipv6: Select fragment id during UFO/GSO
segmentation if not set.
On Wed, 2015-01-28 at 11:46 +0200, Michael S. Tsirkin wrote:
> On Wed, Jan 28, 2015 at 09:25:08AM +0100, Hannes Frederic Sowa wrote:
[...]
> > I see fragmentation id generation still as security critical:
> > When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
> > identifiers less predictable") I could patch my kernels and use the
> > patch regardless of the machine being virtualized or not. It was not
> > dependent on the hypervisor.
>
> And now it's even easier - just patch the hypervisor, and all VMs
> automatically benefit.
[...]
You are advocating that the hypervisor should continue to act as a
middle-box that quietly modifies packets. This may be useful to protect
guests that have poor fragment ID generation, but then that should be an
optional netfilter module and *not* the default. The default should be
that UFO has no effect on the packet headers on the wire, and therefore
that the fragment ID is chosen by the IPv6 stack in the guest.
Ben.
--
Ben Hutchings
Teamwork is essential - it allows you to blame someone else.
Download attachment "signature.asc" of type "application/pgp-signature" (812 bytes)
Powered by blists - more mailing lists