| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20160318080528.GK3347@gauss.secunet.com> Date: Fri, 18 Mar 2016 09:05:28 +0100 From: Steffen Klassert <steffen.klassert@...unet.com> To: Herbert Xu <herbert@...dor.apana.org.au> CC: Jiri Bohac <jbohac@...e.cz>, "David S. Miller" <davem@...emloft.net>, <netdev@...r.kernel.org> Subject: Re: [PATCH] xfrm: don't segment UFO packets On Fri, Mar 18, 2016 at 10:36:53AM +0800, Herbert Xu wrote: > On Thu, Mar 17, 2016 at 06:08:55PM +0100, Jiri Bohac wrote: > > On Thu, Mar 17, 2016 at 11:24:59AM +0100, Steffen Klassert wrote: > > > In IPv6 this check is missing, so this could be the > > > problem if this is IPv6. > > > > indeed, this patch also fixes my problem: > > Hmm, is this what you really want? If I understood you correctly, > you want the fragmentation to occur after IPsec. The main problem was probably that UFO handling does not work at all on IPv6 IPsec. > So while this > might generate the same output, it is still going to prefragment > the data, only to merge them back for IPsec and then refragment > again. This is far away from being optimal, but this is what usually happens if a local application sends data that we need to fragment. We currently work on avoiding the linearization on IPsec, but having a skb with a fraglist is really the worst case.
Powered by blists - more mailing lists