ipv6: make fragment identifications less predictable
IPv6 fragment identification generation is way beyond what we use for IPv4: it uses a single generator. It's not scalable and allows DOS attacks.

Now inetpeer is IPv6 aware, we can use it to provide a more secure and scalable frag ident generator (per destination, instead of system wide).

This patch:

1) defines a new secure_ipv6_id() helper
2) extends inet_getid() to provide 32bit results
3) extends ipv6_select_ident() with a new dest parameter

Reported-by: Fernando Gont <fernando@gont.com.ar>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
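As an added illustration of the per-destination scheme the commit message describes (example code, not the kernel's own; model_secure_ipv6_id, model_peer, model_inet_getid and the secret_key value are assumed stand-ins, and the keyed mix is a toy, not the kernel's secret-keyed hash):

```c
#include <stdint.h>
#include <string.h>

/* Model of the per-destination fragment ID scheme this commit describes.
 * Added example, not kernel code: the toy keyed mix stands in for
 * secure_ipv6_id() and struct model_peer for the inetpeer entry. */

/* Constructed key; in practice this is random secret material set at boot. */
static const uint32_t secret_key[4] = {
    0x9e3779b9u, 0x243f6a88u, 0xb7e15162u, 0x6a09e667u
};

/* Mix a 128-bit destination address with the secret into a 32-bit start id,
 * so the starting point differs per destination and is not guessable
 * without the key. Toy mixing only, not a cryptographic hash. */
static uint32_t model_secure_ipv6_id(const uint8_t daddr[16])
{
    uint32_t words[4], h = secret_key[0];
    memcpy(words, daddr, sizeof words);
    for (int i = 0; i < 4; i++) {
        h ^= words[i] ^ secret_key[(i + 1) & 3];
        h *= 0x01000193u;        /* odd multiplier: invertible mod 2^32 */
        h ^= h >> 15;
    }
    return h;
}

/* Per-destination state: the counter lives with the peer, not system-wide. */
struct model_peer {
    uint8_t  daddr[16];
    uint32_t ip_id_count;
    int      initialised;
};

/* Hand out the current id and advance by 1 + more, like a 32-bit
 * inet_getid(peer, more); the first call seeds from the keyed mix. */
static uint32_t model_inet_getid(struct model_peer *p, int more)
{
    if (!p->initialised) {
        p->ip_id_count = model_secure_ipv6_id(p->daddr);
        p->initialised = 1;
    }
    uint32_t old = p->ip_id_count;
    p->ip_id_count = old + 1 + (uint32_t)more;
    return old;
}

/* Returns 1 when one destination's ids advance by exactly the reserved
 * amount and a second destination starts from its own, different seed. */
int model_self_check(void)
{
    struct model_peer a = {{0}, 0, 0}, b = {{0}, 0, 0};
    a.daddr[15] = 1;  b.daddr[15] = 2;       /* ::1 and ::2, constructed */
    uint32_t a0 = model_inet_getid(&a, 0), a1 = model_inet_getid(&a, 2);
    uint32_t a2 = model_inet_getid(&a, 0), b0 = model_inet_getid(&b, 0);
    return a1 == a0 + 1 && a2 == a1 + 3 && b0 != a0
        && a0 == model_secure_ipv6_id(a.daddr);
}
```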
Files changed:

- drivers/char/random.c: 15 additions, 0 deletions
- include/linux/random.h: 1 addition, 0 deletions
- include/net/inetpeer.h: 10 additions, 3 deletions
- include/net/ipv6.h: 1 addition, 11 deletions
- net/ipv4/inetpeer.c: 5 additions, 2 deletions
- net/ipv6/ip6_output.c: 31 additions, 5 deletions
- net/ipv6/udp.c: 1 addition, 1 deletion