| author | Eric Dumazet <edumazet@google.com> | 2022-08-30 20:56:56 +0200 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2022-09-01 04:56:48 +0200 |
| commit | 79e3602caa6f9d59c4f66a268407080496dae408 (patch) | |
| tree | 639b61f605e41a495d774f43c4e3062296bd3836 /Documentation | |
| parent | tcp: annotate data-race around challenge_timestamp (diff) | |
| download | linux-79e3602caa6f9d59c4f66a268407080496dae408.tar.xz, linux-79e3602caa6f9d59c4f66a268407080496dae408.zip | |
tcp: make global challenge ack rate limitation per net-ns and default disabled
Because per host rate limiting has been proven problematic (side channel
attacks can be based on it), per host rate limiting of challenge acks ideally
should be per netns and turned off by default.
This is a long-overdue followup of the following commits:
083ae308280d ("tcp: enable per-socket rate limiting of all 'challenge acks'")
f2b2c582e824 ("tcp: mitigate ACK loops for connections as tcp_sock")
75ff39ccc1bd ("tcp: make challenge acks less predictable")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jason Baron <jbaron@akamai.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'Documentation')
-rw-r--r-- | Documentation/networking/ip-sysctl.rst | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst index 56cd4ea059b2..a759872a2883 100644 --- a/Documentation/networking/ip-sysctl.rst +++ b/Documentation/networking/ip-sysctl.rst @@ -1035,7 +1035,10 @@ tcp_limit_output_bytes - INTEGER tcp_challenge_ack_limit - INTEGER Limits number of Challenge ACK sent per second, as recommended in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks) - Default: 1000 + Note that this per netns rate limit can allow some side channel + attacks and probably should not be enabled. + TCP stack implements per TCP socket limits anyway. + Default: INT_MAX (unlimited) UDP variables ============= |
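Review bot: the replacement text for the "Default:" line should state outright that tcp_challenge_ack_limit is now scoped per network namespace and that the per-socket limit is the mitigation administrators should rely on; as written, "this per netns rate limit can allow some side channel attacks and probably should not be enabled" next to "Default: INT_MAX (unlimited)" leaves a reader unsure whether setting the old value of 1000 re-creates the shared-counter side channel that the commit message says the per-socket limits (083ae308280d) were introduced to remove. Suggest wording along the lines of "This limit is per network namespace and disabled by default (INT_MAX). Because a namespace-wide counter is shared by all connections, lowering it can be used as a side channel; the per-socket challenge ACK limit is always active and is the recommended mitigation." Two smaller points in the same hunk: "TCP stack implements" should read "The TCP stack implements", and since the unchanged context still says the limit is "as recommended in RFC 5961", a half sentence noting that the RFC's host-wide counter is exactly what is being turned off here would keep the two statements from reading as contradictory.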