From: Eric Dumazet <eduma...@google.com>
Date: Wed, 22 Aug 2018 13:30:45 -0700

> tcp uses per-cpu (and per namespace) sockets (net->ipv4.tcp_sk) internally
> to send some control packets.
>
> 1) RST packets, through tcp_v4_send_reset()
> 2) ACK packets in SYN-RECV and TIME-WAIT state, through tcp_v4_send_ack()
>
> These packets assert IP_DF, and also use the hashed IP ident generator
> to provide an IPv4 ID number.
>
> Geoff Alexander reported this could be used to build off-path attacks.
>
> These packets should not be fragmented, since their size is smaller than
> IPV4_MIN_MTU. Only some tunneled paths could eventually have to fragment,
> regardless of inner IPID.
>
> We really can use zero IPID, to address the flaw, and as a bonus,
> avoid a couple of atomic operations in ip_idents_reserve()
>
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: Geoff Alexander <alexa...@cs.unm.edu>
> Tested-by: Geoff Alexander <alexa...@cs.unm.edu>

Applied and queued up for -stable.
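As an added example (not part of the patch or this thread), a small Python check a defender can run over captured IPv4/TCP headers to confirm the behaviour the commit message describes: RSTs and data-less ACKs leaving a patched host should carry DF with IPID 0, while a non-zero IPID on such packets is the hashed-ident behaviour the fix removes. The packets below are constructed inline for the test; in practice the input would be the headers of a host's replies to unsolicited segments (an RST to a closed port, an ACK out of TIME-WAIT), which is assumed here, since ordinary ACKs on established connections are not built by these two paths.

```python
import struct

IP_DF = 0x4000                      # "don't fragment" bit in the IPv4 frag_off field
IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(ident, df, tcp_flags, payload=b""):
    """Constructed IPv4+TCP packet for testing (TEST-NET-1 addresses,
    checksums left at zero); not captured traffic."""
    total_len = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                     IP_DF if df else 0, 64, IPPROTO_TCP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIHHHH", 443, 40000, 0, 1,
                      (5 << 12) | tcp_flags, 0, 0, 0)
    return ip + tcp + payload


def parse_ipv4_tcp(pkt):
    """Return (ident, df, tcp_flags, payload_len) for an IPv4/TCP packet,
    honouring IHL and the TCP data offset so header options are skipped."""
    ver_ihl, _tos, total_len, ident, frag_off, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    doff_flags = struct.unpack("!H", pkt[ihl + 12:ihl + 14])[0]
    tcp_len = (doff_flags >> 12) * 4
    return ident, bool(frag_off & IP_DF), doff_flags & 0xFF, total_len - ihl - tcp_len


def classify(pkt):
    """Judge one control packet against the commit's intended behaviour:
    RSTs and data-less ACKs should leave the kernel with DF set and IPID 0."""
    ident, df, flags, payload_len = parse_ipv4_tcp(pkt)
    is_rst = bool(flags & TCP_RST)
    is_pure_ack = bool(flags & TCP_ACK) and not flags & (TCP_SYN | TCP_FIN) and payload_len == 0
    if not (is_rst or is_pure_ack):
        return "not-a-control-packet"
    if not df:
        return "df-clear"           # fragmentable: not how these control packets should look
    return "zero-ipid" if ident == 0 else "nonzero-ipid"


if __name__ == "__main__":
    samples = {"rst-patched": build_ipv4_tcp(0, True, TCP_RST | TCP_ACK),
               "rst-hashed": build_ipv4_tcp(0x1A2B, True, TCP_RST | TCP_ACK),
               "ack-no-df": build_ipv4_tcp(0, False, TCP_ACK)}
    for name, pkt in samples.items():
        print(f"{name}: {classify(pkt)}")
```
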