From: Andi Kleen <andi@firstfloor.org>
To: David Miller <davem@davemloft.net>
Cc: andi@firstfloor.org, stephen.hemminger@vyatta.com,
eugeneteo@kernel.sg, netdev@vger.kernel.org, eteo@redhat.com
Subject: Re: Internet-Draft on Port Randomisation
Date: Tue, 9 Sep 2008 22:11:33 +0200
Message-ID: <20080909201133.GG7714@one.firstfloor.org>
In-Reply-To: <20080909.130424.170861701.davem@davemloft.net>
On Tue, Sep 09, 2008 at 01:04:24PM -0700, David Miller wrote:
> From: Andi Kleen <andi@firstfloor.org>
> Date: Tue, 09 Sep 2008 16:28:30 +0200
>
> > [haven't read the draft] But you don't necessarily need a full global
> > lock for such a scheme. What works too is to access global state only
> > ever N accesses and pre-allocate a small range per CPU. While there's
> > still some global overhead then, it happens significantly less. My old
> > alternative ipid setup algorithm worked this way.
>
> Should work well on a 64K cpu system.
If you make N large enough it can work with pretty much any number of CPUs.
The main drawback is that it's losing random bits the larger N is, but then
64k is not really remotely secure anyways.
Due to the latter reason I doubt such a change is very interesting.
Also there's the issue on fully preemptible kernels.
If you wanted a more secure port space what would likely make more
sense is to use IPv6 and use e.g. 32 bits out of the local network
address space for port randomization too.
-Andi
--
ak@linux.intel.com
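The per-CPU batching scheme Andi describes, modelled as an added example that is not from this thread or from the kernel: a toy xorshift stands in for the locked global secret source, and `BATCH_N`, `alloc_port` and the access counters are constructed names. It makes both sides of the trade-off measurable: global accesses drop to one per N allocations, while the unpredictable bits per port shrink with N.

```c
#include <stdint.h>

/* Constructed model of the batched scheme: each CPU refills a private range of
 * N ports from the global state, so the shared (locked) state is touched only
 * once per N allocations. A toy xorshift stands in for a real secret source. */
#define MAX_CPUS 64
#define BATCH_N  64                  /* N: ports taken per global access */

struct per_cpu { uint16_t next; unsigned remaining; };
static struct per_cpu cpus[MAX_CPUS];           /* per-CPU preallocated range */
static uint32_t global_rng = 0x1234567u;        /* the shared state needing a lock */
static unsigned global_accesses;                /* how often it was touched */

static uint16_t global_next_block(void)
{
    global_rng ^= global_rng << 13;  /* xorshift32: illustration only */
    global_rng ^= global_rng >> 17;
    global_rng ^= global_rng << 5;
    global_accesses++;
    return (uint16_t)global_rng;     /* random start of this CPU's batch */
}

uint16_t alloc_port(unsigned cpu)
{
    struct per_cpu *pc = &cpus[cpu % MAX_CPUS];
    if (pc->remaining == 0) {        /* only the refill needs global sync */
        pc->next = global_next_block();
        pc->remaining = BATCH_N;
    }
    pc->remaining--;
    return pc->next++;               /* sequential inside a batch, wraps at 64K */
}

/* Cost side: extra global accesses caused by `count` allocations on one CPU */
unsigned global_accesses_for(unsigned cpu, unsigned count)
{
    unsigned before = global_accesses;
    for (unsigned i = 0; i < count; i++) alloc_port(cpu);
    return global_accesses - before;
}

/* Entropy side: only the batch start is random, so a 16-bit port keeps
 * roughly 16 - ceil(log2(N)) unpredictable bits (none once N reaches 64K) */
unsigned random_bits_per_port(unsigned n)
{
    unsigned bits = 0;
    while (bits < 16 && (1u << bits) < n) bits++;
    return 16 - bits;
}
```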