From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 287229] IP reassembly issue in FreeBSD 14.1
Date: Sat, 21 Jun 2025 13:27:22 +0000
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 14.2-STABLE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: tuexen@freebsd.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=287229

--- Comment #33 from Michael Tuexen ---
(In reply to Lucas Aubard from comment #32)

FreeBSD reassembly is consistent in the following sense: the same sequence of fragments results in the same sequence as long as no limit is hit. But if the same set of fragments is received, the results might depend on the sequence in which the fragments arrive.

Regarding the limits:

* We need a limit on the bucket queues to mitigate CPU attacks.
* We need an overall limit to mitigate memory attacks. This can only be avoided if the memory limit is equal to or larger than the product of the number of bucket queues and the bucket queue limit.

No matter how we choose the limits, an attacker can send packets such that enforcing the limits results in dropping fragments.

Isn't this good enough for NIDS?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
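The two properties stated in the comment above (results are reproducible for a fixed arrival order, but can differ for the same set of fragments in a different order once a limit is hit, and the overall limit can never trigger when it is at least the number of bucket queues times the per-bucket limit) can be checked with a small simulation. The following is an added toy model written for this thread; it is not FreeBSD's ip_reass() code. It assumes a per-bucket cap and an overall cap counted in partially reassembled datagrams, a bucket chosen as ident modulo the number of buckets (FreeBSD hashes more of the header; this is a simplification for determinism), no fragment timeouts, and constructed sample datagrams with 8-byte fragments.

```python
"""Toy model of bucketed IP fragment reassembly with two limits.

Added illustration for the discussion of reassembly limits; not FreeBSD's
ip_reass() implementation. Assumptions: bucket = ident % nbuckets, limits
count partial datagrams, no timeouts, no overlap handling beyond a gap check.
"""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int
    offset: int   # fragment offset in 8-byte units, as on the wire
    length: int   # payload bytes carried by this fragment
    more: bool    # MF (more fragments) flag


@dataclass
class Partial:
    frags: dict = field(default_factory=dict)   # offset -> Fragment
    total: Optional[int] = None                 # datagram length once MF=0 seen


class Reassembler:
    def __init__(self, nbuckets: int, bucket_limit: int, total_limit: int):
        self.nbuckets = nbuckets
        self.bucket_limit = bucket_limit   # max partial datagrams per bucket queue
        self.total_limit = total_limit     # max partial datagrams overall
        self.buckets = [OrderedDict() for _ in range(nbuckets)]
        self.count = 0                     # partial datagrams currently held
        self.completed: List[int] = []     # idents of fully reassembled datagrams
        self.drops: List[Tuple[int, str]] = []   # (ident, reason) per limit drop

    def _is_complete(self, p: Partial) -> bool:
        # Contiguous coverage from offset 0 up to the length fixed by the MF=0 fragment.
        if p.total is None:
            return False
        end = 0
        for off in sorted(p.frags):
            if off * 8 != end:   # gap or overlap: not contiguous
                return False
            end += p.frags[off].length
        return end == p.total

    def input(self, f: Fragment) -> None:
        key = (f.src, f.dst, f.ident)
        bucket = self.buckets[f.ident % self.nbuckets]   # assumed bucket selection
        p = bucket.get(key)
        if p is None:
            # Only a fragment that would create a new partial datagram is subject
            # to the limits; fragments of an already-held datagram are accepted.
            if len(bucket) >= self.bucket_limit:
                self.drops.append((f.ident, "bucket_full"))
                return
            if self.count >= self.total_limit:
                self.drops.append((f.ident, "total_full"))
                return
            p = Partial()
            bucket[key] = p
            self.count += 1
        p.frags[f.offset] = f
        if not f.more:
            p.total = f.offset * 8 + f.length
        if self._is_complete(p):
            self.completed.append(f.ident)
            del bucket[key]
            self.count -= 1


def datagram(ident: int, nfrags: int = 2, frag_bytes: int = 8) -> List[Fragment]:
    """Constructed sample: one datagram split into nfrags pieces of frag_bytes each."""
    return [Fragment("10.0.0.1", "10.0.0.2", ident, i * frag_bytes // 8,
                     frag_bytes, i < nfrags - 1) for i in range(nfrags)]


def run(fragments, nbuckets, bucket_limit, total_limit):
    """Feed fragments in the given order; return (completed idents, drops)."""
    r = Reassembler(nbuckets, bucket_limit, total_limit)
    for f in fragments:
        r.input(f)
    return r.completed, r.drops


A, B = datagram(1), datagram(2)
IN_ORDER = [A[0], A[1], B[0], B[1]]       # one datagram at a time
INTERLEAVED = [A[0], B[0], A[1], B[1]]    # same set of fragments, different arrival order

if __name__ == "__main__":
    # Same set, different order: identical outcome until a limit is hit.
    print(run(IN_ORDER, 2, 1, 1))        # ([1, 2], [])
    print(run(INTERLEAVED, 2, 1, 1))     # ([1], [(2, 'total_full')])
    # Overall limit = nbuckets * bucket_limit: the overall limit never triggers.
    print(run(INTERLEAVED, 2, 1, 2))     # ([1, 2], [])
```

With the overall limit set to 1, the interleaved order loses datagram 2 entirely: its first fragment is dropped, and its second fragment later opens a new partial entry that can never complete. Raising the overall limit to nbuckets * bucket_limit makes the per-bucket cap the only one that can fire, which is the condition the comment gives. For a NIDS this means that a sensor modelling the host's reassembly must know both limits and the arrival order it observed, since the set of fragments alone does not determine the outcome.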