From owner-freebsd-security Thu Jan 20 20:54:54 2000 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 1317F14F77 for ; Thu, 20 Jan 2000 20:54:50 -0800 (PST) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id TAA55516; Thu, 20 Jan 2000 19:51:42 -0800 (PST) (envelope-from dillon) Date: Thu, 20 Jan 2000 19:51:42 -0800 (PST) From: Matthew Dillon Message-Id: <200001210351.TAA55516@apollo.backplane.com> To: Alfred Perlstein Cc: Brett Glass , security@FreeBSD.ORG Subject: Re: stream.c worst-case kernel paths References: <4.2.2.20000120182425.01886ec0@localhost> <20000120195257.G14030@fw.wintelcom.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org :It's a pretty good analysis, besideds the improvements mentioned :here i _really_ think we should be able to delay the checksum as :far as possible, I've been playing with this for a bit and I'll :see how far it can be safely moved. : :Doing a checksum on an invalid packet is not worth it, might as :well take the packet at face value, allow it to drop out, and :only when it's about to be accepted _finally_ take the hit and do :the checksum. : :As far as limiting RST and ICMP I really believe it's time that :such things are _on_ by default. : :-Alfred ICMP_BANDLIM has been in the tree for some time now and I have never received a bad bug report from people using it. I might recommend increasing the default net.inet.icmp.icmplim from 100 to 200, but otherwise I think it could be turned on by default without causing any ill effects. I would personally prefer that we wait until after the 4.0 release before changing the default to on. -Matt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message