netdev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [RFC/PATCH] "strict" ipv4 reassembly

from [Rick Jones] [Permanent Link][Original]
To: netdev@xxxxxxxxxxx
Subject: Re: [RFC/PATCH] "strict" ipv4 reassembly
From: Rick Jones <rick.jones2@xxxxxx>
Date: Tue, 17 May 2005 15:23:49 -0700
Cc: netdev-bounce@xxxxxxxxxxx
In-reply-to: <20050517.151239.74747463.davem@davemloft.net>
References: <20050517202730.GA79960@muc.de> <20050517.140245.71090021.davem@davemloft.net> <428A613F.1020303@hp.com> <20050517.151239.74747463.davem@davemloft.net>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; HP-UX 9000/785; en-US; rv:1.6) Gecko/20040304
David S.Miller wrote: 
From: Rick Jones <rick.jones2@xxxxxx>
Date: Tue, 17 May 2005 14:25:19 -0700


just how much extra overhead would there be to track the interarrival time of ip datagram fragments and would that allow someone to make a guess as to how long to reasonably wait for all the fragments to arrive? (or did I miss that being shot-down already?) 


I spam you with fragments tightly interspaced matching a known
shost/dhost/ID tuple, lowering your interarrival estimate.  The
legitimate fragment source can thus never get his fragments in
before the timer expires.

Every other one of these IP fragmentation ideas tends to have
some DoS hole in it.

Are the holes any larger than the existing ones? I've no idea, and perhaps the only answer is indeed to say "Then don't do that (fragment)!"

rick jones

[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [RFC/PATCH] "strict" ipv4 reassembly, Rick Jones
Next by Date:  Re: [RFC/PATCH] "strict" ipv4 reassembly, David Stevens
Previous by Thread:  Re: [RFC/PATCH] "strict" ipv4 reassembly, David S. Miller
Next by Thread:  Re: [RFC/PATCH] "strict" ipv4 reassembly, John Heffner
Indexes:  [Date] [Thread] [Top] [All Lists]