Message ID | 20220502084614.24123-1-w@1wt.eu (mailing list archive) |
---|---|
Headers | show |
Series | insufficient TCP source port randomness | expand |
Hello: This series was applied to netdev/net.git (master) by Jakub Kicinski <kuba@kernel.org>: On Mon, 2 May 2022 10:46:07 +0200 you wrote: > Hi, > > In a not-yet published paper, Moshe Kol, Amit Klein, and Yossi Gilad > report being able to accurately identify a client by forcing it to emit > only 40 times more connections than the number of entries in the > table_perturb[] table, which is indexed by hashing the connection tuple. > The current 2^8 setting allows them to perform that attack with only 10k > connections, which is not hard to achieve in a few seconds. > > [...] Here is the summary with links: - [v3,net,1/7] secure_seq: use the 64 bits of the siphash for port offset calculation https://git.kernel.org/netdev/net/c/b2d057560b81 - [v3,net,2/7] tcp: use different parts of the port_offset for index and offset https://git.kernel.org/netdev/net/c/9e9b70ae923b - [v3,net,3/7] tcp: resalt the secret every 10 seconds https://git.kernel.org/netdev/net/c/4dfa9b438ee3 - [v3,net,4/7] tcp: add small random increments to the source port https://git.kernel.org/netdev/net/c/ca7af0402550 - [v3,net,5/7] tcp: dynamically allocate the perturb table used by source ports https://git.kernel.org/netdev/net/c/e9261476184b - [v3,net,6/7] tcp: increase source port perturb table to 2^16 https://git.kernel.org/netdev/net/c/4c2c8f03a5ab - [v3,net,7/7] tcp: drop the hash_32() part from the index calculation https://git.kernel.org/netdev/net/c/e8161345ddbb You are awesome, thank you!