Re: bind() udp behavior 2.6.8.1

From: Kyle Moffett
Date: Tue Dec 14 2004 - 22:21:28 EST

Next message: Randy.Dunlap: "Re: How to get the whole information dumped from kernel"
Previous message: Park Lee: "Re: How to get the whole information dumped from kernel"
In reply to: Adam Denenberg: "Re: bind() udp behavior 2.6.8.1"
Next in thread: Adam Denenberg: "Re: bind() udp behavior 2.6.8.1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Dec 14, 2004, at 21:23, Adam Denenberg wrote:

i think you guys are all right. However there is one concern. Not clearing out a UDP connection in a firewall coming from a high port is indeed a security risk. Allowing a high numbered udp port to remain open for a prolonged period of time would definitely impose a security risk which is why the PIX is doing what it does. The linux server is "reusing" the same UDP high numbered socket however it is doing so exactly as the firewall is clearing its state table (60 ms) from the first connection which is what is causing the issue.

I think a firewall ought to be aware of such behavior, but at the same time be secure enough to not just leave high numbered udp ports wide open for attack. I am trying to find out why the PIX chose 60 ms to clear out the UDP state table. I think that is a random number and probably too short of a span for this to occur however i am still researching it.

Any other insight would be greatly appreciated.

60ms is certainly _way_ too small for most UDP traffic. With something like
that, OpenAFS would die almost immediately. I think the current OpenAFS
minimum is like 20 minutes, although somebody patched the OpenAFS
source to send a keepalive every 5 minutes, so it could be reduced. OTOH,
sending a keepalive every 60ms would take a _massive_ amount of
bandwidth even for one client, think about a couple hundred :-D. Heck, I've
even seen pings on a regular basis that take longer than 60ms, which
means that even an infinitely fast kerberos server wouldn't respond quickly
enough :-D.

Cheers,
Kyle Moffett

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCM/CS/IT/U d- s++: a18 C++++>$ UB/L/X/*++++(+)>$ P+++(++++)>$
L++++(+++) E W++(+) N+++(++) o? K? w--- O? M++ V? PS+() PE+(-) Y+
PGP+++ t+(+++) 5 X R? tv-(--) b++++(++) DI+ D+ G e->++++$ h!*()>++$ r !y?(-)
------END GEEK CODE BLOCK------

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Randy.Dunlap: "Re: How to get the whole information dumped from kernel"
Previous message: Park Lee: "Re: How to get the whole information dumped from kernel"
In reply to: Adam Denenberg: "Re: bind() udp behavior 2.6.8.1"
Next in thread: Adam Denenberg: "Re: bind() udp behavior 2.6.8.1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]