From: Stephen Hemminger <shemminger@vyatta.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>, netdev@vger.kernel.org
Subject: Re: GTSM and TCP accept problem
Date: Wed, 18 Aug 2010 14:39:13 -0700 [thread overview]
Message-ID: <20100818143913.1478acea@nehalam> (raw)
In-Reply-To: <1281951825.2524.5.camel@edumazet-laptop>
On Mon, 16 Aug 2010 11:43:45 +0200
Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Saturday 14 August 2010 at 21:46 -0400, Stephen Hemminger wrote:
> > The implementation of Generalized TTL Security has a problem
> > on the TCP accept side. Since there can be different number of
> > hops for each peer, the listener ends up doing
> >
> >     socket
> >     bind
> >     set TTL to 255
> >     listen
> >     while (nfd = accept(peer)) {
> >         info = lookup(peer)
> >         set MINTTL to 255 - info->ttl_hops
> >     }
> >
> > The problem is that a rogue peer can still do three way
> > handshake causing the accept to succeed. But the rogue will
> > leave a stuck connection that will then have to timeout.
> >
> > The only ways I have come up with to deal with this are:
> > * have short timeout on initial data (recycle faster)
> > * push peer;MINTTL table down into kernel (per socket)
> > * have BGP do this through iptables which is a non-starter
> > for a general application that needs to run on BSD, and
> > would mess up existing firewall rules.
> >
> > Ideas welcome..
> > --
>
> Another idea would be to store the TTL of the SYN packet (or third
> packet) and let the application read it after accept(), allowing it to
> reject the connection if it doesn't match the expected TTL.
Could be in tcp_info?
--
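The listener sketch quoted above, with Eric's read-the-SYN-TTL proposal expressed as a check function and the "short timeout on initial data" mitigation applied after accept(), as an added Python example that is not code from this thread or from the kernel. The numeric IP_MINTTL option value (21, Linux), the peer-to-hops table and the addresses in it are assumptions.

```python
import ipaddress
import socket
IP_MINTTL = getattr(socket, "IP_MINTTL", 21)  # Linux option value; assumption
GTSM_TTL = 255

PEER_HOPS = {  # constructed table: prefix -> hops the peer is away
    ipaddress.ip_network("192.0.2.0/24"): 0,      # directly connected
    ipaddress.ip_network("198.51.100.0/24"): 2,   # multihop, 2 hops
}

def lookup_hops(peer_ip):
    """Hop count for a configured peer, or None if the peer is unknown."""
    addr = ipaddress.ip_address(peer_ip)
    for net, hops in PEER_HOPS.items():
        if addr in net:
            return hops
    return None

def expected_minttl(peer_ip):
    """MINTTL the listener wants for this peer: 255 - hops (None if unknown)."""
    hops = lookup_hops(peer_ip)
    return None if hops is None else GTSM_TTL - hops

def syn_ttl_acceptable(peer_ip, observed_ttl):
    """Eric's proposal: if the SYN's TTL were readable after accept(), the
    application could reject a mismatch at once instead of waiting it out."""
    minttl = expected_minttl(peer_ip)
    return minttl is not None and observed_ttl >= minttl

def serve(bind_addr, port, first_data_timeout=2.0):
    """The thread's sketch plus a short initial-data timeout; needs a network."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, GTSM_TTL)  # send with TTL 255
    ls.bind((bind_addr, port))
    ls.listen(16)
    while True:
        nfd, (peer_ip, _) = ls.accept()  # the 3-way handshake is already done
        minttl = expected_minttl(peer_ip)
        if minttl is None:
            nfd.close()                  # unknown peer: nothing to enforce
            continue
        # Kernel now drops this peer's segments with TTL < minttl, so bound the wait
        nfd.setsockopt(socket.IPPROTO_IP, IP_MINTTL, minttl)
        nfd.settimeout(first_data_timeout)
        try:
            first = nfd.recv(4096)
        except socket.timeout:
            nfd.close()                  # recycle quickly (the thread's first idea)
            continue
        yield nfd, first
```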