ipv6: make fragment identifications less predictable IPv6 fragment identification generation is way beyond what we use for IPv4 : It uses a single generator. Its not scalable and allows DOS attacks. Now inetpeer is IPv6 aware, we can use it to provide a more secure and scalable frag ident generator (per destination, instead of system wide) This patch : 1) defines a new secure_ipv6_id() helper 2) extends inet_getid() to provide 32bit results 3) extends ipv6_select_ident() with a new dest parameter Reported-by: Fernando Gont <fernando@gont.com.ar> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: 87c48fa3b4630905f98268dde838ee43626a060c [log] [tgz]
author: Eric Dumazet <eric.dumazet@gmail.com> Thu Jul 21 21:25:58 2011 -0700
committer: David S. Miller <davem@davemloft.net> Thu Jul 21 21:25:58 2011 -0700
tree: 1374b52ed0514682f836cfa0a6a683eb549c9613
parent: 21efcfa0ff27776902a8a15e810147be4d937d69 [diff] [blame]
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 328985c..29213b5 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c

@@ -1359,7 +1359,7 @@
 	fptr = (struct frag_hdr *)(skb_network_header(skb) + unfrag_ip6hlen);
 	fptr->nexthdr = nexthdr;
 	fptr->reserved = 0;
-	ipv6_select_ident(fptr);
+	ipv6_select_ident(fptr, (struct rt6_info *)skb_dst(skb));
 
 	/* Fragment the skb. ipv6 header and the remaining fields of the
 	 * fragment header are updated in ipv6_gso_segment()
commit	87c48fa3b4630905f98268dde838ee43626a060c	[log] [tgz]
author	Eric Dumazet <eric.dumazet@gmail.com>	Thu Jul 21 21:25:58 2011 -0700
committer	David S. Miller <davem@davemloft.net>	Thu Jul 21 21:25:58 2011 -0700
tree	1374b52ed0514682f836cfa0a6a683eb549c9613
parent	21efcfa0ff27776902a8a15e810147be4d937d69 [diff] [blame]