tech-net archive


Re: frag6: better limitation



Maxime Villard <max%m00nbsd.net@localhost> wrote:
> ...
> 
> I ended up writing this [1], without a lot of conviction, to say the
> truth. A per-src-IP policy is implemented: each sender is allowed to have
> a given number of fragments pending; beyond that limit, they get kicked.
> 
> ...
> 
> [1] http://m00nbsd.net/garbage/ip6/frag6.diff

So, you introduce another per-IP state and O(n) scan of the IP addresses?
What if the host receives an entire /64 subnet of spoofed packets?  Seems
to me that you would hit the same global limit, just wasting more memory
and CPU cycles.  I can see your desire to localise the IP fragmentation
attacks.  Perhaps it would make more sense to have it per-interface, but
I am not sure whether it is worth the complexity.

On a side note: the IPv4 and IPv6 reassembly logic is conceptually the
same.  Although they are implemented separately, sys/netinet/ip_reass.c
and sys/netinet6/frag6.c can generally be merged into one agnostic code.
Like a lot of the IPv4/IPv6 code, so that we have bugs in one place. :)
Just in case you might want to have a look into this, a long time ago I
also wrote some testing code, see src/regress/sys/net/frag/ip4_frag_1.c .

-- 
Mindaugas
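The following C program is an added example, not code from this thread or from the frag6.diff patch linked above. It models the per-source policy the reply argues against: a table keyed by source address with a per-source cap, a host-wide cap, and the linear scan over tracked sources that the reply points out. The limits (PER_SRC_LIMIT, GLOBAL_LIMIT), the function names, the counters and the attacker spread across 2001:db8::/64 are all hypothetical constructions for illustration; nothing here reflects the actual NetBSD implementation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tunables, chosen small so the arithmetic is easy to follow. */
#define PER_SRC_LIMIT 4            /* pending fragments allowed per source */
#define GLOBAL_LIMIT  32           /* pending fragments allowed host-wide */
#define MAX_SRC       GLOBAL_LIMIT /* every tracked source holds >= 1 fragment,
                                      so the table never needs more slots */

struct src_entry {
	uint8_t addr[16];
	int pending;
};

struct frag_state {
	struct src_entry srcs[MAX_SRC];
	int nsrcs;            /* per-source entries currently allocated */
	int total_pending;    /* fragments held across all sources */
	int drops_per_src;    /* rejected by the per-source policy */
	int drops_global;     /* rejected by the host-wide limit */
	long scans;           /* address comparisons done by find_src() */
};

static void frag_init(struct frag_state *s)
{
	memset(s, 0, sizeof(*s));
}

/* Linear scan over tracked sources: the O(n) cost the reply warns about. */
static struct src_entry *find_src(struct frag_state *s, const uint8_t addr[16])
{
	for (int i = 0; i < s->nsrcs; i++) {
		s->scans++;
		if (memcmp(s->srcs[i].addr, addr, 16) == 0)
			return &s->srcs[i];
	}
	return NULL;
}

/* Admit one fragment from src; returns 1 if kept, 0 if dropped. */
static int frag_accept(struct frag_state *s, const uint8_t src[16])
{
	if (s->total_pending >= GLOBAL_LIMIT) {
		s->drops_global++;
		return 0;
	}
	struct src_entry *e = find_src(s, src);
	if (e == NULL) {
		if (s->nsrcs >= MAX_SRC) { /* unreachable while MAX_SRC >= GLOBAL_LIMIT */
			s->drops_global++;
			return 0;
		}
		e = &s->srcs[s->nsrcs++];
		memcpy(e->addr, src, 16);
		e->pending = 0;
	}
	if (e->pending >= PER_SRC_LIMIT) {
		s->drops_per_src++;
		return 0;
	}
	e->pending++;
	s->total_pending++;
	return 1;
}

/*
 * Constructed attacker: nsrcs spoofed sources inside 2001:db8::/64 (the
 * documentation prefix), each sending frags_each fragments that never
 * complete a datagram.  Returns the number of fragments the host kept.
 */
static int spoofed_prefix_attack(struct frag_state *s, int nsrcs, int frags_each)
{
	uint8_t addr[16] = { 0x20, 0x01, 0x0d, 0xb8 }; /* remaining bytes zero */
	int accepted = 0;
	for (int i = 0; i < nsrcs; i++) {
		uint64_t iid = (uint64_t)i;
		for (int b = 0; b < 8; b++)   /* vary only the interface identifier */
			addr[8 + b] = (uint8_t)(iid >> (8 * (7 - b)));
		for (int f = 0; f < frags_each; f++)
			accepted += frag_accept(s, addr);
	}
	return accepted;
}

int main(void)
{
	struct frag_state s;
	int kept;

	frag_init(&s);
	kept = spoofed_prefix_attack(&s, 1, 100);
	printf("one source x100: kept %d, per-src drops %d, entries %d, scans %ld\n",
	    kept, s.drops_per_src, s.nsrcs, s.scans);

	frag_init(&s);
	kept = spoofed_prefix_attack(&s, 100, 1);
	printf("100 sources x1:  kept %d, per-src drops %d, entries %d, scans %ld\n",
	    kept, s.drops_per_src, s.nsrcs, s.scans);
	return 0;
}
```

Against a single flooding source the per-source cap fires after PER_SRC_LIMIT fragments and the rest are dropped cheaply. Spread the same flood over a /64 with one fragment per spoofed source and the per-source cap never fires at all: the host-wide limit is what finally stops it, after the host has allocated GLOBAL_LIMIT table entries and performed a quadratic number of address comparisons to get there, which is the "same global limit, more memory and CPU" outcome the reply describes.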

