netdev
[Top] [All Lists]

Re: [RFC/PATCH] "strict" ipv4 reassembly

To: netdev@xxxxxxxxxxx
Subject: Re: [RFC/PATCH] "strict" ipv4 reassembly
From: Rick Jones <rick.jones2@xxxxxx>
Date: Tue, 17 May 2005 15:23:49 -0700
Cc: netdev-bounce@xxxxxxxxxxx
In-reply-to: <20050517.151239.74747463.davem@davemloft.net>
References: <20050517202730.GA79960@muc.de> <20050517.140245.71090021.davem@davemloft.net> <428A613F.1020303@hp.com> <20050517.151239.74747463.davem@davemloft.net>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; HP-UX 9000/785; en-US; rv:1.6) Gecko/20040304
David S.Miller wrote:
From: Rick Jones <rick.jones2@xxxxxx>
Date: Tue, 17 May 2005 14:25:19 -0700


just how much extra overhead would there be to track the interarrival time of ip datagram fragments and would that allow someone to make a guess as to how long to reasonably wait for all the fragments to arrive? (or did I miss that being shot-down already?)


I spam you with fragments tightly interspaced matching a known
shost/dhost/ID tuple, lowering your interarrival estimate.  The
legitimate fragment source can thus never get his fragments in
before the timer expires.

Every other one of these IP fragmentation ideas tends to have
some DoS hole in it.

Are the holes any larger than the existing ones? I've no idea, and perhaps the only answer is indeed to say "Then don't do that (fragment)!"


rick jones

<Prev in Thread] Current Thread [Next in Thread>