Home page logo
/

oss-sec logo oss-sec mailing list archives

CVE request: kernel: ipv6: make fragment identifications less predictable
From: Eugene Teo <eugene () redhat com>
Date: Wed, 20 Jul 2011 15:12:15 +0800

IPv6 fragment identification generation is way beyond what we use for
IPv4 : It uses a single generator. Its not scalable and allows DoS attacks.

Now inetpeer is IPv6 aware, we can use it to provide a more secure and
scalable frag ident generator (per destination, instead of system wide)

This patch :
1) defines a new secure_ipv6_id() helper
2) extends inet_getid() to provide 32bit results
3) extends ipv6_select_ident() with a new dest parameter

http://thread.gmane.org/gmane.linux.network/201773/focus=201776
https://bugzilla.redhat.com/show_bug.cgi?id=723429

Thanks, Eugene


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]