From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Miller
Subject: Re: [PATCH net] ipv4: tcp: send zero IPID for RST and ACK sent in SYN-RECV and TIME-WAIT state
Date: Wed, 22 Aug 2018 21:43:13 -0700 (PDT)
Message-ID: <20180822.214313.894090813136694354.davem@davemloft.net>
References: <20180822203045.76928-1-edumazet@google.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, alexandg@cs.unm.edu, eric.dumazet@gmail.com
To: edumazet@google.com
Return-path:
Received: from shards.monkeyblade.net ([23.128.96.9]:41636 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728158AbeHWILA (ORCPT ); Thu, 23 Aug 2018 04:11:00 -0400
In-Reply-To: <20180822203045.76928-1-edumazet@google.com>
Sender: netdev-owner@vger.kernel.org
List-ID:

From: Eric Dumazet
Date: Wed, 22 Aug 2018 13:30:45 -0700

> tcp uses per-cpu (and per namespace) sockets (net->ipv4.tcp_sk) internally
> to send some control packets.
>
> 1) RST packets, through tcp_v4_send_reset()
> 2) ACK packets in SYN-RECV and TIME-WAIT state, through tcp_v4_send_ack()
>
> These packets assert IP_DF, and also use the hashed IP ident generator
> to provide an IPv4 ID number.
>
> Geoff Alexander reported this could be used to build off-path attacks.
>
> These packets should not be fragmented, since their size is smaller than
> IPV4_MIN_MTU. Only some tunneled paths could eventually have to fragment,
> regardless of inner IPID.
>
> We really can use zero IPID, to address the flaw, and as a bonus,
> avoid a couple of atomic operations in ip_idents_reserve().
>
> Signed-off-by: Eric Dumazet
> Reported-by: Geoff Alexander
> Tested-by: Geoff Alexander

Applied and queued up for -stable.
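The invariant the patch quoted above establishes (RST and SYN-RECV/TIME-WAIT ACK packets carry IP_DF and an IPv4 ID of zero) can be checked on captured traffic. The following is an added example written for this page, not code from the patch or the kernel: a small user-space IPv4/TCP header parser with a constructed 40-byte RST packet; the return-code convention and the helper names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classify a raw IPv4 packet against the post-fix invariant.
 * Return codes (this example's own convention, not a kernel API):
 *  -1 malformed or not IPv4;   0 not a TCP RST or bare ACK;
 *   1 RST/bare ACK with DF set and IP ID 0 (what the fixed kernel emits);
 *   2 RST/bare ACK whose ID is non-zero or DF is clear (pre-fix pattern; a RST or
 *     ACK sent from a connected socket looks the same, so confirm connection state). */
int classify_tcp_control_ipid(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;            /* IP header length   */
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];          /* IP total length    */
    if (ihl < 20 || tot < ihl + 20 || tot > len)
        return -1;
    if (pkt[9] != 6)                                      /* IPPROTO_TCP is 6   */
        return 0;
    uint16_t id   = (uint16_t)((pkt[4] << 8) | pkt[5]);   /* IPv4 identification */
    int      df   = (pkt[6] & 0x40) != 0;                 /* IP_DF flag bit      */
    uint8_t  tcpf = pkt[ihl + 13] & 0x3f;                 /* URG ACK PSH RST SYN FIN */
    int rst      = (tcpf & 0x04) != 0;
    int bare_ack = (tcpf == 0x10);                        /* ACK and nothing else */
    if (!rst && !bare_ack)
        return 0;
    return (df && id == 0) ? 1 : 2;
}

/* Constructed sample: 20-byte IPv4 header (DF set, ID 0) + 20-byte TCP RST|ACK.
 * Checksums are left zero; the parser does not verify them. */
static const uint8_t sample_rst[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00,   /* ver/ihl tos len | id=0 DF */
    0x40, 0x06, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01,   /* ttl proto csum | 10.0.0.1 */
    0x0a, 0x00, 0x00, 0x02,                           /* 10.0.0.2 */
    0x00, 0x50, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00,   /* sport dport | seq */
    0x00, 0x00, 0x00, 0x01, 0x50, 0x14, 0x00, 0x00,   /* ack | doff=5 RST|ACK win */
    0x00, 0x00, 0x00, 0x00                            /* csum urg */
};

/* Patch the sample's IP ID and TCP flags, then classify it. */
int classify_patched_sample(uint16_t id, uint8_t tcp_flags)
{
    uint8_t buf[sizeof sample_rst];
    memcpy(buf, sample_rst, sizeof buf);
    buf[4] = (uint8_t)(id >> 8); buf[5] = (uint8_t)id; buf[33] = tcp_flags;
    return classify_tcp_control_ipid(buf, sizeof buf);
}

int main(void)
{
    printf("RST id=0      -> %d\n", classify_patched_sample(0, 0x14));
    printf("RST id=0x2a3b -> %d\n", classify_patched_sample(0x2a3b, 0x14));
    return 0;
}
```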