
Re: [RFC/PATCH] "strict" ipv4 reassembly

To: "David S. Miller" <davem@xxxxxxxxxxxxx>
Subject: Re: [RFC/PATCH] "strict" ipv4 reassembly
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 18 May 2005 09:08:33 +1000
Cc: akepner@xxxxxxx, netdev@xxxxxxxxxxx
In-reply-to: <20050517.151352.41634495.davem@xxxxxxxxxxxxx>
References: <20050517.104947.112621738.davem@xxxxxxxxxxxxx> <E1DYAHF-0006qW-00@xxxxxxxxxxxxxxxxxxxxxxxx> <20050517.151352.41634495.davem@xxxxxxxxxxxxx>
Sender: netdev-bounce@xxxxxxxxxxx
User-agent: Mutt/1.5.6+20040907i
On Tue, May 17, 2005 at 03:13:52PM -0700, David S. Miller wrote:
> From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Date: Wed, 18 May 2005 08:11:01 +1000
> 
> > Instead of measuring the distance using time, let's measure it
> > in terms of packet counts.  So every time we receive a fragmented
> > packet, we find all waiting fragments with the same src/dst pair.
> > If the id is identical we perform reassembly, if it isn't we increase
> > a counter in that fragment.  If the counter exceeds a threshold,
> > we drop the fragment.
> 
> And you protect against purposefully built malicious fragments how?

Is it any worse than what we've got now?
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
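To make the counter-based expiry in the quoted proposal concrete, here is an added model of it, constructed for this page and not kernel code or anything posted in the thread: a fixed table of reassembly queues keyed by src/dst/id, where every arriving fragment with the same src/dst pair but a different id counts as a miss against the waiting queues, and a queue is dropped once its misses exceed a threshold. The table size, the threshold, the addresses and the absence of a protocol field or any real reassembly are assumptions; `fragments_to_evict` runs the scenario behind the question above, showing that a waiting queue survives only as long as few enough other ids from the same source pass by, while fragments from a different source never touch it.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the proposal; values below are assumptions. */
#define MAX_QUEUES     64
#define MISS_THRESHOLD 8   /* assumed; the thread names no number */

struct frag_queue {
    int      in_use;
    uint32_t saddr, daddr;
    uint16_t id;
    unsigned misses;   /* same src/dst fragments seen with another id */
};

static struct frag_queue queues[MAX_QUEUES];

static void frag_reset(void) { memset(queues, 0, sizeof queues); }

static int frag_queue_alive(uint32_t saddr, uint32_t daddr, uint16_t id)
{
    for (int i = 0; i < MAX_QUEUES; i++)
        if (queues[i].in_use && queues[i].saddr == saddr &&
            queues[i].daddr == daddr && queues[i].id == id)
            return 1;
    return 0;
}

/* One fragment arrives: a queue with the same id takes it; every other queue
 * for the same src/dst pair takes a miss and is dropped past the threshold.
 * Returns the slot used, or -1 when the table is full. */
static int frag_arrive(uint32_t saddr, uint32_t daddr, uint16_t id)
{
    int match = -1, free_slot = -1;
    for (int i = 0; i < MAX_QUEUES; i++) {
        struct frag_queue *q = &queues[i];
        if (!q->in_use) { if (free_slot < 0) free_slot = i; continue; }
        if (q->saddr != saddr || q->daddr != daddr) continue;
        if (q->id == id) { match = i; continue; }
        if (++q->misses > MISS_THRESHOLD) {      /* stale by packet count */
            q->in_use = 0;
            if (free_slot < 0) free_slot = i;
        }
    }
    if (match >= 0) return match;
    if (free_slot < 0) return -1;
    queues[free_slot] = (struct frag_queue){ 1, saddr, daddr, id, 0 };
    return free_slot;
}

/* Queue one fragment 10.0.0.1 -> 10.0.0.2 (id 1), then feed fragments with
 * fresh ids from other_saddr to the same destination. Returns how many it
 * took to evict the waiting queue, or 0 if 60 were not enough. */
static int fragments_to_evict(uint32_t other_saddr)
{
    frag_reset();
    frag_arrive(0x0a000001, 0x0a000002, 1);
    for (int n = 1; n <= 60; n++) {
        frag_arrive(other_saddr, 0x0a000002, (uint16_t)(100 + n));
        if (!frag_queue_alive(0x0a000001, 0x0a000002, 1)) return n;
    }
    return 0;
}
```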