Re: frag6: better limitation
Maxime Villard <max%m00nbsd.net@localhost> wrote:
> I ended up writing this, without a lot of conviction, to tell the
> truth. A per-src-IP policy is implemented: each sender is allowed to have
> a given number of fragments pending; beyond that limit, they get kicked.
> http://m00nbsd.net/garbage/ip6/frag6.diff
So, you introduce another per-IP state and O(n) scan of the IP addresses?
What if the host receives an entire /64 subnet of spoofed packets? Seems
to me that you would hit the same global limit, just wasting more memory
and CPU cycles. I can see your desire to localise the IP fragmentation
attacks. Perhaps it would make more sense to have it per-interface, but
I am not sure whether it is worth the complexity.
On a side note: the IPv4 and IPv6 reassembly logic is conceptually the
same. Although they are implemented separately, sys/netinet/ip_reass.c
and sys/netinet6/frag6.c can generally be merged into one agnostic code.
Like a lot of the IPv4/IPv6 code, so that we have bugs in one place. :)
Just in case you might want to have a look into this, a long time ago I
also wrote some testing code, see src/regress/sys/net/frag/ip4_frag_1.c.
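To make the concern in the reply concrete, here is an added toy model of a reassembly queue with both a per-source-IP quota and a global cap; it is not NetBSD code and not from either poster, and the limits, the constructed 2001:db8::/64 prefix and the function names are assumptions. It shows that a flood from many spoofed sources in one /64 still fills the global cap while also filling a per-IP state table of the same size.

```python
"""Constructed model of a per-src-IP fragment quota plus a global cap.
Assumed limits and names; not the kernel's frag6.c / ip_reass.c logic."""
import ipaddress


class Reassembler:
    def __init__(self, per_src_limit, global_limit):
        self.per_src_limit = per_src_limit
        self.global_limit = global_limit
        self.pending = {}          # src address -> fragments queued (per-IP state)
        self.total = 0             # fragments queued across all sources
        self.dropped_per_src = 0
        self.dropped_global = 0

    def enqueue(self, src):
        """Queue one fragment from src; return False if a limit rejected it."""
        if self.pending.get(src, 0) >= self.per_src_limit:
            self.dropped_per_src += 1
            return False
        if self.total >= self.global_limit:
            self.dropped_global += 1
            return False
        self.pending[src] = self.pending.get(src, 0) + 1
        self.total += 1
        return True

    def state_entries(self):
        """Number of per-IP entries the kernel would have to store and scan."""
        return len(self.pending)


def flood(reasm, prefix, n_sources, frags_per_source):
    """Send frags_per_source fragments from each of n_sources consecutive
    addresses inside prefix (constructed input), returning the reassembler."""
    base = int(ipaddress.ip_network(prefix).network_address)
    for i in range(n_sources):
        src = str(ipaddress.ip_address(base + i))
        for _ in range(frags_per_source):
            reasm.enqueue(src)
    return reasm


if __name__ == "__main__":
    # One source: the per-IP quota caps it at 8 pending fragments, one entry.
    single = flood(Reassembler(8, 1000), "2001:db8::/64", 1, 10000)
    # 2000 spoofed sources: the global cap is hit anyway, plus 1000 entries.
    spoofed = flood(Reassembler(8, 1000), "2001:db8::/64", 2000, 1)
    print(single.total, single.state_entries(), spoofed.total, spoofed.state_entries())
```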