| To: | Patrick McHardy <kaber@xxxxxxxxx> |
|---|---|
| Subject: | Re: [RFC/PATCH] "strict" ipv4 reassembly |
| From: | Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> |
| Date: | Wed, 18 May 2005 09:41:58 +1000 |
| Cc: | "David S. Miller" <davem@xxxxxxxxxxxxx>, akepner@xxxxxxx, netdev@xxxxxxxxxxx, Alexey Kuznetsov <kuznet@xxxxxxxxxxxxx> |
| In-reply-to: | <428A800F.6040809@xxxxxxxxx> |
| References: | <E1DYAHF-0006qW-00@xxxxxxxxxxxxxxxxxxxxxxxx> <20050517.151352.41634495.davem@xxxxxxxxxxxxx> <20050517230833.GA26604@xxxxxxxxxxxxxxxxxxx> <20050517.161641.74747565.davem@xxxxxxxxxxxxx> <20050517232828.GA26894@xxxxxxxxxxxxxxxxxxx> <428A800F.6040809@xxxxxxxxx> |
| Sender: | netdev-bounce@xxxxxxxxxxx |
| User-agent: | Mutt/1.5.6+20040907i |
On Wed, May 18, 2005 at 01:36:47AM +0200, Patrick McHardy wrote: > > You mean vulnerable at reassembly time? Isn't that something reassembly > and policy checks should take care of? I mean that it's vulnerable to the following simple DoS attack by someone who doesn't otherwise have the capability to drop the packets between the source and the target. If the IPsec packets arrive as fragments, the attacker only needs to guess the identity to cause the entire IPsec packet to be dropped. If it was fragmented prior to IPsec it would not be vulnerable to this. Cheers, -- Visit Openswan at http://www.openswan.org/ Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt |
| Previous by Date: | Re: [RFC/PATCH] "strict" ipv4 reassembly, Patrick McHardy |
|---|---|
| Next by Date: | Re: [RFC/PATCH] "strict" ipv4 reassembly, Rick Jones |
| Previous by Thread: | Re: [RFC/PATCH] "strict" ipv4 reassembly, Patrick McHardy |
| Next by Thread: | Re: [RFC/PATCH] "strict" ipv4 reassembly, Thomas Graf |
| Indexes: | [Date] [Thread] [Top] [All Lists] |