lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 30 Apr 2021 13:53:29 -0400
From:   Matt Corallo <netdev-list@...tcorallo.com>
To:     Eric Dumazet <edumazet@...gle.com>
Cc:     Willy Tarreau <w@....eu>, "David S. Miller" <davem@...emloft.net>,
        netdev <netdev@...r.kernel.org>,
        Alexey Kuznetsov <kuznet@....inr.ac.ru>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        Keyu Man <kman001@....edu>
Subject: Re: [PATCH net-next] Reduce IP_FRAG_TIME fragment-reassembly timeout
 to 1s, from 30s



On 4/30/21 13:49, Eric Dumazet wrote:
> On Fri, Apr 30, 2021 at 7:42 PM Matt Corallo
> <netdev-list@...tcorallo.com> wrote:
>> This was never about DDoS attacks - as noted several times this is about it being trivial to have all your fragments
>> blackholed for 30 seconds at a time just because you have some normal run-of-the-mill packet loss.
> 
> Again, it will be trivial to have a use case where valid fragments are dropped.
> 
> Random can be considered as the worst strategy in some cases.
> 
> Queue management can tail drop, head drop, random drop, there is no
> magical choice.

Glad we're on the same page :).

>>
>> I agree with you wholeheartedly that there isn't a solution to the DDoS attack issue, I'm not trying to address it. On
>> the other hand, in the face of no attacks or otherwise malicious behavior, I'd expect Linux to not exhibit the complete
>> blackholing of fragments that it does today.
> 
> Your expectations are unfortunately not something that linux can
> satisfy _automatically_,
> you have to tweak sysctls to tune _your_ workload.

Yep, totally agree, its an optimization question. We just have to decide on what the most reasonable use-case is that 
can be supported at low cost.

I'm still a little dubious that a constant picked some twenty years ago is still the best selection for an optimization 
question that is a function of real-world networks.

Buffer bloat exists, but so do networks that will happily drop 1Mbps of packets. The first has always been true, the 
second only more recently has become more and more common (both due to network speed and application behavior).

Thanks again for your time and consideration,
Matt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ