| To: | "David S. Miller" <davem@xxxxxxxxxxxxx> |
|---|---|
| Subject: | Re: [RFC/PATCH] "strict" ipv4 reassembly |
| From: | Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> |
| Date: | Wed, 18 May 2005 09:28:28 +1000 |
| Cc: | akepner@xxxxxxx, netdev@xxxxxxxxxxx, Alexey Kuznetsov <kuznet@xxxxxxxxxxxxx>, Patrick McHardy <kaber@xxxxxxxxx> |
| In-reply-to: | <20050517.161641.74747565.davem@xxxxxxxxxxxxx> |
| References: | <E1DYAHF-0006qW-00@xxxxxxxxxxxxxxxxxxxxxxxx> <20050517.151352.41634495.davem@xxxxxxxxxxxxx> <20050517230833.GA26604@xxxxxxxxxxxxxxxxxxx> <20050517.161641.74747565.davem@xxxxxxxxxxxxx> |
| Sender: | netdev-bounce@xxxxxxxxxxx |
| User-agent: | Mutt/1.5.6+20040907i |
On Tue, May 17, 2005 at 04:16:41PM -0700, David S. Miller wrote: > > Good point, in both cases what ends up happening is that > the queue is invalidated. In the existing case it's usually > because the final UDP or whatever checksum doesn't pass. > With your idea it'd be due to the artificially deflated timeout. It just occured to me that the optimisation in IPv4/IPv6 that performs fragmentation after tunnel-mode IPsec is fundamentally broken. It makes IPsec vulnerable to fragmentation attacks. We have to perform fragmentation before tunnel-mode IPsec. Cheers, -- Visit Openswan at http://www.openswan.org/ Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt |
| Previous by Date: | Re: [RFC/PATCH] "strict" ipv4 reassembly, Herbert Xu |
|---|---|
| Next by Date: | Re: [RFC/PATCH] "strict" ipv4 reassembly, Patrick McHardy |
| Previous by Thread: | Re: [RFC/PATCH] "strict" ipv4 reassembly, David S. Miller |
| Next by Thread: | Re: [RFC/PATCH] "strict" ipv4 reassembly, Patrick McHardy |
| Indexes: | [Date] [Thread] [Top] [All Lists] |