
in_pcb: use jenkins hash over the entire IPv6 (or IPv4) address
Closed, Public

Authored by glebius on Dec 3 2021, 8:54 PM.
Tags
None
Referenced Files
F102680102: D33254.id99423.diff
Fri, Nov 15, 6:54 PM

Details

Summary

The intent is to provide more entropy than can be provided
by just the 32 bits of the IPv6 address which overlaps with
6to4 tunnels. This is needed to mitigate potential algorithmic
complexity attacks from attackers who can control large
numbers of IPv6 addresses.

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

This has been running at Netflix for a while. Written by @gallatin and myself after a test case instrumented by @jtl.

David dropped me an email saying he'll look at this but earliest the weekend. Would be good to hold it off to give him some time.

This looks good to me - including a random hashseed seems like a great idea. I guess someday it might be neat to hash the fport and lport values, rather than xor them, but that should wait for another day if this has already been running in Netflix.

This revision is now accepted and ready to land. Dec 12 2021, 8:03 PM
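
The bucket-collision problem described in the summary, as an added example that is not code from this revision or from FreeBSD: a simplified model of a bucket function that reads only one 32-bit word of the address, beside one that runs a seeded Jenkins hash over all 16 bytes and measures the longest hash chain for each. The one-at-a-time Jenkins variant, the choice of the last address word, the table size, the ports and the seed value are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBUCKETS 1024u   /* constructed table size, power of two */
#define NADDRS   4096u   /* constructed number of remote addresses */

/* Bob Jenkins' one-at-a-time hash with a seed (stand-in, assumption). */
static uint32_t jenkins_oaat(const uint8_t *key, size_t len, uint32_t seed) {
    uint32_t h = seed;
    for (size_t i = 0; i < len; i++) {
        h += key[i];
        h += h << 10;
        h ^= h >> 6;
    }
    h += h << 3;
    h ^= h >> 11;
    h += h << 15;
    return h;
}

/* Simplified model (assumption): only the last 32-bit word feeds the bucket. */
static uint32_t bucket_word_only(const uint8_t a[16], uint16_t lport, uint16_t fport) {
    uint32_t w;
    memcpy(&w, a + 12, sizeof(w));
    return (w ^ (w >> 16) ^ (uint32_t)(lport ^ fport)) & (NBUCKETS - 1);
}

/* All 16 address bytes go through the seeded hash; ports are still XORed in. */
static uint32_t bucket_full(const uint8_t a[16], uint16_t lport, uint16_t fport, uint32_t seed) {
    return (jenkins_oaat(a, 16, seed) ^ (uint32_t)(lport ^ fport)) & (NBUCKETS - 1);
}

/* Longest chain when NADDRS addresses differ only in bytes 8..9 of the address. */
static unsigned longest_chain(int full, uint32_t seed) {
    static unsigned count[NBUCKETS];
    uint8_t a[16] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 1 };  /* 2001:db8::/32, documentation prefix */
    unsigned max = 0;
    memset(count, 0, sizeof(count));
    for (unsigned i = 0; i < NADDRS; i++) {
        a[8] = (uint8_t)(i >> 8);
        a[9] = (uint8_t)i;
        uint32_t b = full ? bucket_full(a, 443, 50000, seed) : bucket_word_only(a, 443, 50000);
        if (++count[b] > max) max = count[b];
    }
    return max;
}

int main(void) {  /* seed is a constructed constant here; a real one would be random per boot */
    printf("word-only: %u  full: %u\n", longest_chain(0, 0), longest_chain(1, 0x9e3779b9u));
    return 0;
}
```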