Let's split the discussion:
1. Do we need to fix predictable IP IDs by creating some storage of
information about peers?
2. How should we fix the referenced problem with TCP spoofing (if we decide
not to create any storage)?
3. Should the storage be organized as AVL tree if we accept the creation of
the storage?
About 1:
I think we should fix predictable IP IDs. I don't think that TCP spoofing
attack is the only attack which may take advantages of predictable IP IDs.
Information about traffic is too sensitive from my personal point of view.
About 2:
I don't think that we should solve the problem on the TCP level.
TCP has a well-defined behaviour which we've implemented in the kernel.
I don't consider the current reply policy as a TCP issue. It conforms the
whole TCP security ideology: people seeing packets in the flight may do what
they want, people who doesn't see shouldn't be able to get unauthorized
access.
About 3:
AVL trees don't consume much more memory than other structures.
But we may discuss the issue after #1.
Andrey
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/