From: Stephen Hemminger <shemminger@vyatta•com>
To: Pekka Savola <pekkas@netcore•fi>
Cc: David Miller <davem@davemloft•net>, netdev@vger•kernel.org
Subject: Re: [PATCH] tcp: Generalized TTL Security Mechanism
Date: Thu, 18 Mar 2010 10:59:39 -0700
Message-ID: <20100318105939.57f8d377@nehalam>
In-Reply-To: <alpine.LRH.2.00.1003180833420.24946@netcore.fi>

On Thu, 18 Mar 2010 08:36:48 +0200 (EET)
Pekka Savola <pekkas@netcore•fi> wrote:
> Hi,
>
> On Sun, 10 Jan 2010, Stephen Hemminger wrote:
> > This patch adds the kernel portions needed to implement
> > RFC 5082 Generalized TTL Security Mechanism (GTSM).
> > It is a lightweight security measure against forged
> > packets causing DoS attacks (for BGP).
> ...
>
> It's nice to see this added. However, I must add that a compliant RFC
> 5082 implementation is required to have similar TTL treatment for ICMP
> errors which relate to the protected session. AFAIK this does not
> support that.
>
> The experimental, earlier spec (GTSH, RFC3682) did not have this
> requirement. Most if not all implementations support only GTSH mode.
> So a backward-compatibility option may be desirable.

The ICMP receive error handling does need to be updated.
But any application using GTSM should be setting IP_TTL socket option
to set send TTL. But, not sure if Linux TCP ever sends ICMP
for existing sessions at all.
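
The point raised in this exchange, that ICMP errors relating to a protected session need the same TTL treatment as the session's own segments, modelled as an added userspace example (not code from the patch or from anyone in this thread). The names `gtsm_session`, `gtsm_check`, `flow_is` and `demo_icmp_error` are hypothetical, and the addresses, ports and packet bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum gtsm_verdict { GTSM_UNRELATED, GTSM_ACCEPT, GTSM_DROP };
/* Hypothetical session record, wire byte order; min_ttl is the lowest TTL accepted. */
struct gtsm_session {
    uint8_t local_ip[4], peer_ip[4], local_port[2], peer_port[2], min_ttl;
};

/* True if p is an IPv4/TCP header with exactly this source and destination. */
static int flow_is(const uint8_t *p, size_t len, const uint8_t *src,
                   const uint8_t *dst, const uint8_t *sport, const uint8_t *dport)
{
    size_t ihl = len >= 20 ? (size_t)(p[0] & 0x0f) * 4 : 0;
    if (ihl < 20 || len < ihl + 4 || (p[0] >> 4) != 4 || p[9] != 6) return 0;
    return !memcmp(p + 12, src, 4) && !memcmp(p + 16, dst, 4) &&
           !memcmp(p + ihl, sport, 2) && !memcmp(p + ihl + 2, dport, 2);
}

/* One TTL floor for session segments and for ICMP errors quoting the session. */
enum gtsm_verdict gtsm_check(const struct gtsm_session *s, const uint8_t *pkt, size_t len)
{
    size_t ihl = len >= 20 ? (size_t)(pkt[0] & 0x0f) * 4 : 0;
    int related = 0;
    if (ihl < 20 || len < ihl || (pkt[0] >> 4) != 4) return GTSM_UNRELATED;
    if (pkt[9] == 6) {                       /* TCP segment: peer -> local */
        related = flow_is(pkt, len, s->peer_ip, s->local_ip, s->peer_port, s->local_port);
    } else if (pkt[9] == 1 && len >= ihl + 8) {
        uint8_t t = pkt[ihl];                /* ICMP type; errors quote what we sent */
        if (t == 3 || t == 4 || t == 5 || t == 11 || t == 12)
            related = flow_is(pkt + ihl + 8, len - ihl - 8, s->local_ip, s->peer_ip,
                              s->local_port, s->peer_port);
    }
    if (!related) return GTSM_UNRELATED;
    return pkt[8] >= s->min_ttl ? GTSM_ACCEPT : GTSM_DROP;
}

/* Constructed sample: ICMP port-unreachable with the given TTL, quoting our segment. */
enum gtsm_verdict demo_icmp_error(uint8_t ttl, uint8_t quoted_dport)
{
    static const struct gtsm_session s = {{192,0,2,1}, {192,0,2,2}, {0x9c,0x40}, {0,179}, 255};
    uint8_t p[52] = {0};
    p[0] = 0x45; p[8] = ttl; p[9] = 1; p[20] = 3; p[21] = 3;  /* outer IPv4 + ICMP 3/3 */
    memcpy(p + 12, s.peer_ip, 4); memcpy(p + 16, s.local_ip, 4);
    p[28] = 0x45; p[36] = 255; p[37] = 6;    /* quoted IPv4 header, protocol TCP */
    memcpy(p + 40, s.local_ip, 4); memcpy(p + 44, s.peer_ip, 4);
    memcpy(p + 48, s.local_port, 2); p[51] = quoted_dport;
    return gtsm_check(&s, p, sizeof p);
}
```

An ICMP error that quotes the protected flow but arrives with a TTL below the floor is dropped, while one quoting some other flow is left to normal processing.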