From: Willy Tarreau <w@1wt.eu>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Netdev <netdev@vger.kernel.org>,
David Miller <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Moshe Kol <moshe.kol@mail.huji.ac.il>,
Yossi Gilad <yossi.gilad@mail.huji.ac.il>,
Amit Klein <aksecurity@gmail.com>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 net 3/7] tcp: resalt the secret every 10 seconds
Date: Fri, 29 Apr 2022 17:30:50 +0200 [thread overview]
Message-ID: <20220429153050.GD11224@1wt.eu> (raw)
In-Reply-To: <CAHmME9pYj85hCS0=37+XsaJSgNXoJ96N6TdiJ9TWBYTXQx0LAA@mail.gmail.com>
On Fri, Apr 29, 2022 at 04:48:52PM +0200, Jason A. Donenfeld wrote:
> On Thu, Apr 28, 2022 at 2:40 PM Willy Tarreau <w@1wt.eu> wrote:
> > @@ -101,10 +103,12 @@ u64 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
> > struct in6_addr saddr;
> > struct in6_addr daddr;
> > __be16 dport;
> > + unsigned int timeseed;
>
> Also, does the struct packing (or lack thereof) lead to problems here?
> Uninitialized bytes might not make a stable hash.
Hmmm, I didn't notice, and I think you're right indeed. I did test in IPv6
without noticing any problem but it doesn't mean that the hash is perfectly
stable.
I'll send an update for this one, thank you!
Willy
next prev parent reply other threads:[~2022-04-29 15:31 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-28 12:39 [PATCH v2 net 0/7] insufficient TCP source port randomness Willy Tarreau
2022-04-28 12:39 ` [PATCH v2 net 1/7] secure_seq: use the 64 bits of the siphash for port offset calculation Willy Tarreau
2022-04-29 14:38 ` Jason A. Donenfeld
2022-04-28 12:39 ` [PATCH v2 net 2/7] tcp: use different parts of the port_offset for index and offset Willy Tarreau
2022-04-28 12:39 ` [PATCH v2 net 3/7] tcp: resalt the secret every 10 seconds Willy Tarreau
2022-04-29 14:37 ` Jason A. Donenfeld
2022-04-29 15:29 ` Willy Tarreau
2022-04-29 14:48 ` Jason A. Donenfeld
2022-04-29 15:30 ` Willy Tarreau [this message]
2022-04-28 12:39 ` [PATCH v2 net 4/7] tcp: add small random increments to the source port Willy Tarreau
2022-04-28 12:39 ` [PATCH v2 net 5/7] tcp: dynamically allocate the perturb table used by source ports Willy Tarreau
2022-04-28 12:40 ` [PATCH v2 net 6/7] tcp: increase source port perturb table to 2^16 Willy Tarreau
2022-04-28 12:40 ` [PATCH v2 net 7/7] tcp: drop the hash_32() part from the index calculation Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220429153050.GD11224@1wt.eu \
--to=w@1wt.eu \
--cc=Jason@zx2c4.com \
--cc=aksecurity@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=moshe.kol@mail.huji.ac.il \
--cc=netdev@vger.kernel.org \
--cc=yossi.gilad@mail.huji.ac.il \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).