....
 

Guardian Digital Inc. > InfoCenter > Mailing List Archives > Linux Kernel

Linux Kernel Mailing List Archive

From: Kyle Moffett (mrmacman_g4@mac.com)
Date: Tue Dec 14 2004 - 22:19:28 EST


On Dec 14, 2004, at 21:23, Adam Denenberg wrote:
> i think you guys are all right. However there is one concern. Not
> clearing out a UDP connection in a firewall coming from a high port is
> indeed a security risk. Allowing a high numbered udp port to remain
> open for a prolonged period of time would definitely impose a security
> risk which is why the PIX is doing what it does. The linux server is
> "reusing" the same UDP high numbered socket however it is doing so
> exactly as the firewall is clearing its state table (60 ms) from the
> first connection which is what is causing the issue.
>
> I think a firewall ought to be aware of such behavior, but at the same
> time be secure enough to not just leave high numbered udp ports wide
> open for attack. I am trying to find out why the PIX chose 60 ms to
> clear out the UDP state table. I think that is a random number and
> probably too short of a span for this to occur however i am still
> researching it.
>
> Any other insight would be greatly appreciated.

60ms is certainly _way_ too small for most UDP traffic. With something
like
that, OpenAFS would die almost immediately. I think the current OpenAFS
minimum is like 20 minutes, although somebody patched the OpenAFS
source to send a keepalive every 5 minutes, so it could be reduced.
OTOH,
sending a keepalive every 60ms would take a _massive_ amount of
bandwidth even for one client, think about a couple hundred :-D. Heck,
I've
even seen pings on a regular basis that take longer than 60ms, which
means that even an infinitely fast kerberos server wouldn't respond
quickly
enough :-D.

Cheers,
Kyle Moffett

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCM/CS/IT/U d- s++: a18 C++++>$ UB/L/X/*++++(+)>$ P+++(++++)>$
L++++(+++) E W++(+) N+++(++) o? K? w--- O? M++ V? PS+() PE+(-) Y+
PGP+++ t+(+++) 5 X R? tv-(--) b++++(++) DI+ D+ G e->++++$ h!*()>++$ r
!y?(-)
------END GEEK CODE BLOCK------

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/



[ About Guardian Digital ] - [ Press Center ] - [ Contact Us ] - [ System Activation ] - [ Reseller Info ] - [ Online Store ] - [ Site Map ]
Copyright (c) 2000 - 2004 Guardian Digital, Inc. Linux Lockbox and EnGarde are Trademarks of Guardian Digital, Inc.