Re: [PATCH v3 net 0/7] insufficient TCP source port randomness
From: patchwork-bot+netdevbpf
Date: Wed May 04 2022 - 22:50:32 EST
Hello:
This series was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@xxxxxxxxxx>:
On Mon, 2 May 2022 10:46:07 +0200 you wrote:
> Hi,
>
> In a not-yet published paper, Moshe Kol, Amit Klein, and Yossi Gilad
> report being able to accurately identify a client by forcing it to emit
> only 40 times more connections than the number of entries in the
> table_perturb[] table, which is indexed by hashing the connection tuple.
> The current 2^8 setting allows them to perform that attack with only 10k
> connections, which is not hard to achieve in a few seconds.
>
> [...]
Here is the summary with links:
- [v3,net,1/7] secure_seq: use the 64 bits of the siphash for port offset calculation
https://git.kernel.org/netdev/net/c/b2d057560b81
- [v3,net,2/7] tcp: use different parts of the port_offset for index and offset
https://git.kernel.org/netdev/net/c/9e9b70ae923b
- [v3,net,3/7] tcp: resalt the secret every 10 seconds
https://git.kernel.org/netdev/net/c/4dfa9b438ee3
- [v3,net,4/7] tcp: add small random increments to the source port
https://git.kernel.org/netdev/net/c/ca7af0402550
- [v3,net,5/7] tcp: dynamically allocate the perturb table used by source ports
https://git.kernel.org/netdev/net/c/e9261476184b
- [v3,net,6/7] tcp: increase source port perturb table to 2^16
https://git.kernel.org/netdev/net/c/4c2c8f03a5ab
- [v3,net,7/7] tcp: drop the hash_32() part from the index calculation
https://git.kernel.org/netdev/net/c/e8161345ddbb
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html