diff options
author | Eric Dumazet <eric.dumazet@gmail.com> | 2011-07-21 21:25:58 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2011-07-21 21:25:58 -0700 |
commit | 87c48fa3b4630905f98268dde838ee43626a060c (patch) | |
tree | 1374b52ed0514682f836cfa0a6a683eb549c9613 /include/linux/random.h | |
parent | 21efcfa0ff27776902a8a15e810147be4d937d69 (diff) | |
download | lwn-87c48fa3b4630905f98268dde838ee43626a060c.tar.gz lwn-87c48fa3b4630905f98268dde838ee43626a060c.zip |
ipv6: make fragment identifications less predictable
IPv6 fragment identification generation is way beyond what we use for
IPv4 : It uses a single generator. Its not scalable and allows DOS
attacks.
Now inetpeer is IPv6 aware, we can use it to provide a more secure and
scalable frag ident generator (per destination, instead of system wide)
This patch :
1) defines a new secure_ipv6_id() helper
2) extends inet_getid() to provide 32bit results
3) extends ipv6_select_ident() with a new dest parameter
Reported-by: Fernando Gont <fernando@gont.com.ar>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux/random.h')
-rw-r--r-- | include/linux/random.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/linux/random.h b/include/linux/random.h index fb7ab9de5f36..ce29a040c8dc 100644 --- a/include/linux/random.h +++ b/include/linux/random.h @@ -58,6 +58,7 @@ extern void get_random_bytes(void *buf, int nbytes); void generate_random_uuid(unsigned char uuid_out[16]); extern __u32 secure_ip_id(__be32 daddr); +extern __u32 secure_ipv6_id(const __be32 daddr[4]); extern u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport); extern u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr, __be16 dport); |