Re: predictable IP ID

kuznet@ms2.inr.ac.ru
Mon, 4 Oct 1999 17:39:52 +0400 (MSK DST)


Hello!

> The IP id generation fix looks fine. The rest of it looks like sheer lunacy.
> The IP sequence number is a mere 16bits. The worst you can do by predicting
> it is to cause the odd packet to be lost. There is no real world evidence
> that throwing that giant pile of code, and huge AVL tree into the kernel
> improves or fixes any kind of real world security issue.

My first diagnosis was almost exactly the same 8)8)

But then Andrey proved that it is a really serious problem.
Essentially, the exploit is very simple: a predictable ID allows
a spoofer to detect the situation when the kernel answers a source-spoofed packet.
E.g. it opens a nice and fast (64 packets!) way to complete
a TCP connection with a spoofed source. It is a very serious hole.

> It adds some nice
> performance harming features to the kernel in the process.

No, the last version does not add any overhead.
Taking into account that Linux had a bad bug, requiring a new lock
to generate the id, it even reduces the overhead.

Actually, the only alternative is the OpenBSD approach, which really
adds overhead.

Certainly, AVL is terrible, but taking into account that the size of the database
may be huge, it is acceptable. Also, take into account that
the same code may be used to kill timewait state, so it is a pure win.

Alexey
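The weakness Alexey describes is a host whose IP ID field advances as a global per-packet counter, so a third party can read from the gaps how many packets the host sent to others. The following is an added auditing example (not code from the post or from the kernel patch under discussion) that classifies a run of IP ID values captured from a host you administer as constant, incremental (predictable) or random; the sample sequences are constructed.

```python
# Added example: audit whether a host's IPv4 Identification values are predictable.
# Not part of the original mailing-list post; sample IDs below are constructed.
from collections import Counter

ID_MASK = 0xFFFF  # the IP Identification field is 16 bits, so deltas wrap mod 2**16


def ipid_deltas(samples):
    """Return the wrapped differences between consecutive IP ID samples."""
    return [(b - a) & ID_MASK for a, b in zip(samples, samples[1:])]


def classify_ipid_sequence(samples, max_step=256):
    """Classify a run of IP IDs taken from consecutive packets of one host.

    'constant'    : every packet carries the same ID (e.g. always zero)
    'incremental' : a global counter; each ID differs from the previous by a
                    small positive step, the predictable case the post warns about
    'random'      : deltas spread widely, nothing to infer from one probe
    Fewer than three samples gives 'unknown'.
    """
    if len(samples) < 3:
        return "unknown"
    deltas = ipid_deltas(samples)
    if all(d == 0 for d in deltas):
        return "constant"
    # A per-packet counter yields small positive deltas; a gap larger than the
    # probes you sent yourself means the host answered someone else in between.
    if all(0 < d <= max_step for d in deltas):
        return "incremental"
    return "random"


def predictability_score(samples):
    """Fraction of deltas equal to the most common delta (1.0 = fully predictable)."""
    deltas = ipid_deltas(samples)
    if not deltas:
        return 0.0
    return Counter(deltas).most_common(1)[0][1] / len(deltas)


# Constructed sample sequences (not captured from any real host).
SEQUENTIAL_IDS = [65530, 65531, 65532, 65533, 65534, 65535, 0, 1, 2]  # wraps at 2**16
RANDOM_IDS = [0x3A1F, 0x9C04, 0x1B77, 0xE2D0, 0x5508, 0x7F31, 0x0A9E]
ZERO_IDS = [0, 0, 0, 0]

if __name__ == "__main__":
    for name, seq in (("sequential", SEQUENTIAL_IDS), ("random", RANDOM_IDS), ("zero", ZERO_IDS)):
        print(name, classify_ipid_sequence(seq), round(predictability_score(seq), 3))
```

The wrapped delta handles the 65535 to 0 rollover, so a counter that crosses the 16-bit boundary is still reported as incremental rather than random.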
