From: Eric Dumazet <eric.dumazet@gmail.com>
To: Shawn Lu <shawn.lu@ericsson.com>
Cc: davem@davemloft.net, netdev@vger.kernel.org, xiaoclu@gmail.com
Subject: Re: [PATCH] tcp: md5: fix md5 RST when both sides have listener
Date: Wed, 01 Feb 2012 05:08:33 +0100 [thread overview]
Message-ID: <1328069313.2617.15.camel@edumazet-laptop> (raw)
In-Reply-To: <1328057424-11962-2-git-send-email-shawn.lu@ericsson.com>
Le mardi 31 janvier 2012 à 16:50 -0800, Shawn Lu a écrit :
> TCP RST mechanism is broken in TCP md5(RFC2385). When
> connection is gone, md5 key is lost, sending RST
> without md5 hash is deem to ignored by peer. This can
> be a problem since RST help protocal like bgp to fast
> recove from peer crash.
>
> In most case, users of tcp md5, such as bgp and ldp,
> have listeners on both sides. md5 keys for peers are
> saved in listening socket. When passive side connection
> is gone, we can still get md5 key from listening socket.
> When active side of connection is gone, we can try to
> find listening socket through source port, and then md5
> key.
> we are not loosing sercuriy here:
> packet is valified checked with md5 hash. No RST is generated
> if md5 hash doesn't match or no md5 key can be found.
>
> Signed-off-by: Shawn Lu <shawn.lu@ericsson.com>
> ---
> net/ipv4/tcp_ipv4.c | 45 ++++++++++++++++++++++++++++++++++++++++++---
> net/ipv6/tcp_ipv6.c | 43 +++++++++++++++++++++++++++++++++++++++++--
> 2 files changed, 83 insertions(+), 5 deletions(-)
>
Hmm, ok but using RCU for the md5 lookup (instead of mere sock lock as
done today) also means we need to protect struct tcp_md5sig_info itself
I send a patch for this in a separate patch first, then David can apply
your patch when I add my "Signed-off-by: ..."
next prev parent reply other threads:[~2012-02-01 4:08 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-01 0:50 (unknown), Shawn Lu
2012-02-01 0:50 ` [PATCH] tcp: md5: fix md5 RST when both sides have listener Shawn Lu
2012-02-01 4:08 ` Eric Dumazet [this message]
2012-02-01 4:45 ` [PATCH net-next] tcp: md5: protects md5sig_info with RCU Eric Dumazet
2012-02-01 7:18 ` David Miller
[not found] <RE: [PATCH] tcp: md5: fix md5 RST when both sides have listener>
2012-01-31 23:53 ` [PATCH] tcp: md5: fix md5 RST when both sides have listener Shawn Lu
2012-02-01 5:09 ` Eric Dumazet
2012-02-01 7:48 ` Shawn Lu
2012-02-01 7:53 ` Eric Dumazet
2012-02-01 8:11 ` Shawn Lu
2012-02-01 9:25 ` Eric Dumazet
-- strict thread matches above, loose matches on Subject: below --
2012-01-31 2:07 Shawn Lu
2012-01-31 2:16 ` Eric Dumazet
2012-01-31 2:37 ` Shawn Lu
2012-01-31 8:39 ` Shawn Lu
2012-01-31 9:05 ` Eric Dumazet
2012-01-31 13:33 ` Eric Dumazet
2012-01-31 18:15 ` Shawn Lu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1328069313.2617.15.camel@edumazet-laptop \
--to=eric.dumazet@gmail.com \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=shawn.lu@ericsson.com \
--cc=xiaoclu@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox