Re: frag6: better limitation

To: Maxime Villard <max%m00nbsd.net@localhost>
Subject: Re: frag6: better limitation
From: Mindaugas Rasiukevicius <rmind%netbsd.org@localhost>
Date: Mon, 29 Jan 2018 22:54:52 +0000

Maxime Villard <max%m00nbsd.net@localhost> wrote:
> ...
> 
> I ended up writing this [1], without a lot of conviction, to say the
> truth. A per-src-IP policy is implemented: each sender is allowed to have
> a given number of fragments pending; beyond that limit, they get kicked.
> 
> ...
> 
> [1] http://m00nbsd.net/garbage/ip6/frag6.diff

So, you introduce another per-IP state and O(n) scan of the IP addresses?
What if the host receives an entire /64 subnet of spoofed packets?  Seems
to me that you would hit the same global limit, just wasting more memory
and CPU cycles.  I can see your desire to localise the IP fragmentation
attacks.  Perhaps it would make more sense to have it per-interface, but
I am not sure whether it is worth the complexity..

On a side note: the IPv4 and IPv6 reassembly logic is conceptually the
same.  Although they are implemented separately, sys/netinet/ip_reass.c
and sys/netinet6/frag6.c can generally be merged into one agnostic code.
Like a lot of the IPv4/IPv6 code, so that we have bugs in one place. :)
Just in case you might want to have a look into this, long time ago I
also wrote some testing code, see src/regress/sys/net/frag/ip4_frag_1.c .

-- 
Mindaugas

Follow-Ups:
- Re: frag6: better limitation
  - From: Maxime Villard

References:
- frag6: better limitation
  - From: Maxime Villard

Prev by Date: Re: network-related deadlock
Next by Date: Re: network-related deadlock
Previous by Thread: Re: frag6: better limitation
Next by Thread: Re: frag6: better limitation
Indexes:

Home | Main Index | Thread Index | Old Index