From: Stephen Hemminger <shemminger@vyatta.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>, netdev@vger.kernel.org
Subject: Re: GTSM and TCP accept problem
Date: Wed, 18 Aug 2010 14:39:13 -0700 [thread overview]
Message-ID: <20100818143913.1478acea@nehalam> (raw)
In-Reply-To: <1281951825.2524.5.camel@edumazet-laptop>
On Mon, 16 Aug 2010 11:43:45 +0200
Eric Dumazet <eric.dumazet@gmail.com> wrote:
> Le samedi 14 août 2010 à 21:46 -0400, Stephen Hemminger a écrit :
> > The implementation of Generalized TTL Security has a problem
> > on the TCP accept side. Since there can be different number of
> > hops for each peer, the listener ends up doing
> >
> > socket
> > bind
> > set TTL to 255
> > listen
> > while (nfd = accept(peer)) {
> > info = lookup(peer)
> > set MINTTL to 255 - info->ttl_hops
> >
> >
> > The problem is that a rogue peer can still do three way
> > handshake causing the accept to succeed. But the rogue will
> > leave a stuck connection that will then have to timeout.
> >
> > The only ways I have come up to deal with this are:
> > * have short timeout on initial data (recycle faster)
> > * push peer;MINTTL table down into kernel (per socket)
> > * have BGP do this through iptables which is a non-starter
> > for a general application that needs to run on BSD, and
> > would mess up existing firewall rules.
> >
> > Ideas welcome..
> > --
>
> Another idea would be to store the TTL of the SYN packet (or third
> packet) and let application read it after accept(), allowing it to
> reject the connection if it doesnt match expected TTL.
could be in tcp_info?
--
next prev parent reply other threads:[~2010-08-18 21:39 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-08-15 1:46 GTSM and TCP accept problem Stephen Hemminger
2010-08-15 5:12 ` David Miller
2010-08-15 16:38 ` Stephen Hemminger
2010-08-16 9:43 ` Eric Dumazet
2010-08-18 21:39 ` Stephen Hemminger [this message]
2010-08-18 21:48 ` David Miller
2011-10-03 1:46 ` venkatesh natarajan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100818143913.1478acea@nehalam \
--to=shemminger@vyatta.com \
--cc=eric.dumazet@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.