Re: frag6: better limitation

To: David Brownlee <abs%netbsd.org@localhost>, Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Subject: Re: frag6: better limitation
From: Maxime Villard <max%m00nbsd.net@localhost>
Date: Fri, 2 Feb 2018 10:19:53 +0100

Le 31/01/2018 à 12:38, David Brownlee a écrit :

On 31 January 2018 at 08:46, Manuel Bouyer <bouyer%antioche.eu.org@localhost> wrote:

On Wed, Jan 31, 2018 at 08:17:36AM +0100, Maxime Villard wrote:

[...]

My patch is useful only if you restrict addresses in the first place. In that
case there is only a limited number of craftable src addresses. Typically:

       wm0 [public side]: allow 10 IPv6 addresses
       wm1 [local side]:  allow everything


This seems to be a very specific and rare use case ...


Would a combination of global and a per interface limit handle most of
the cases without increased DoS risk?


Yes, probably. In fact, it would be a lot better if it was done in the
firewall directly.

References:
- frag6: better limitation
  - From: Maxime Villard
- Re: frag6: better limitation
  - From: Mindaugas Rasiukevicius
- Re: frag6: better limitation
  - From: Maxime Villard
- Re: frag6: better limitation
  - From: Manuel Bouyer
- Re: frag6: better limitation
  - From: David Brownlee

Prev by Date: Re: frag6: better limitation
Next by Date: AppleTalk
Previous by Thread: Re: frag6: better limitation
Next by Thread: network-related deadlock
Indexes:

Home | Main Index | Thread Index | Old Index