lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <20150730.161338.130333553135883566.davem@davemloft.net>
Date:	Thu, 30 Jul 2015 16:13:38 -0700 (PDT)
From:	David Miller <davem@...emloft.net>
To:	tom@...bertland.com
Cc:	netdev@...r.kernel.org, kernel-team@...com
Subject: Re: [PATCH net-next 0/3] ipv6: Turn on auto IPv6 flow labels by
 default

From: Tom Herbert <tom@...bertland.com>
Date: Thu, 30 Jul 2015 09:54:19 -0700

> BSD (MacOS) has already turned on flow labels by default and this does
> not seem to be causing any problems in the Internet. Let's go ahead
> and turn them on by default. We'll continue to monitor for any devices
> start choking on them.
> 
> Flow labels are important since they are the desired solution for
> network devices to perform ECMP and RSS (RFC6437 and RFC6438).
> Traditionally, devices perform a 5-tuple hash on packets that
> includes port numbers. For the most part, these devices can only
> compute 5-tuple hashes for TCP and UDP. This severely limits our ability
> to get good network load balancing for other protocols (IPIP, GRE,ESP,
> etc.), and hence we are limited in using other protocols. Unfortunately,
> this method is accepted as the de facto standard to the extent that
> there are several proposals to encapsulate protocols in UDP _just_ for
> the purposes for getting ECMP to work. With hosts generating flow labels
> and devices taking them as input into ECMP (several already do), we can
> start to fix this fundamental problem. 
> 
> This patch set:
>  - Changes IPV6_FLOWINFO sockopt to be opt-out of flow labels for
>    connections rather than opt-in
>  - Disable flow label state ranges sysctl by default
>  - Enable auto flow labels sysctl by default

I am pretty sure administrators are going to want a way to enforce that
all applications must use flow labels.

So can you add a third mode that turns on auto-flow-label, but
disallows the application level opt-out?

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ