Displaying 20 results from an estimated 22 matches for "04ca6973f7c1a0d".
2015 Jan 28
3
[PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
...'s certainly harder to get hold of entropy
> guest-side.
It is not only about entropy but about uniqueness. Also fragmentation
ids should not be discoverable, so there are several aspects:
I see fragmentation id generation still as security critical:
When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
identifiers less predictable") I could patch my kernels and use the
patch regardless of the machine being virtualized or not. It was not
dependent on the hypervisor. I think that is the same reasoning why we
don't support TOE.
If we use one generator in the hypervisor i...
2015 Jan 28
7
[PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
...> ids should not be discoverable,
>
> I believe "predictable" is the language used by the IETF draft.
>
> > so there are several aspects:
> >
> > I see fragmentation id generation still as security critical:
> > When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
> > identifiers less predictable") I could patch my kernels and use the
> > patch regardless of the machine being virtualized or not. It was not
> > dependent on the hypervisor.
>
> And now it's even easier - just patch the hypervisor, and all VM...
2015 Jan 28
2
[PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
...>> I believe "predictable" is the language used by the IETF draft.
> >>
> >>> so there are several aspects:
> >>>
> >>> I see fragmentation id generation still as security critical:
> >>> When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
> >>> identifiers less predictable") I could patch my kernels and use the
> >>> patch regardless of the machine being virtualized or not. It was not
> >>> dependent on the hypervisor.
> >>
> >> And now it's even easie...
2015 Jan 28
2
[PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
...ive "predictable" is the language used by the IETF draft.
> > >
> > > > so there are several aspects:
> > > >
> > > > I see fragmentation id generation still as security critical:
> > > > When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
> > > > identifiers less predictable") I could patch my kernels and use the
> > > > patch regardless of the machine being virtualized or not. It was not
> > > > dependent on the hypervisor.
> > >
> > > And now it's e...
2015 Jan 28
0
[PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
...uniqueness. Also fragmentation
> ids should not be discoverable,
I believe "predictable" is the language used by the IETF draft.
> so there are several aspects:
>
> I see fragmentation id generation still as security critical:
> When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
> identifiers less predictable") I could patch my kernels and use the
> patch regardless of the machine being virtualized or not. It was not
> dependent on the hypervisor.
And now it's even easier - just patch the hypervisor, and all VMs
automatically benefit....
2015 Jan 28
0
[PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
...iscoverable,
>>
>> I believe "predictable" is the language used by the IETF draft.
>>
>>> so there are several aspects:
>>>
>>> I see fragmentation id generation still as security critical:
>>> When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
>>> identifiers less predictable") I could patch my kernels and use the
>>> patch regardless of the machine being virtualized or not. It was not
>>> dependent on the hypervisor.
>>
>> And now it's even easier - just patch the hyperv...
2015 Jan 28
0
[PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
...> >
> > I believe "predictable" is the language used by the IETF draft.
> >
> > > so there are several aspects:
> > >
> > > I see fragmentation id generation still as security critical:
> > > When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
> > > identifiers less predictable") I could patch my kernels and use the
> > > patch regardless of the machine being virtualized or not. It was not
> > > dependent on the hypervisor.
> >
> > And now it's even easier - just patch t...
2015 Jan 28
0
[PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
..."predictable" is the language used by the IETF draft.
>>>>
>>>>> so there are several aspects:
>>>>>
>>>>> I see fragmentation id generation still as security critical:
>>>>> When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
>>>>> identifiers less predictable") I could patch my kernels and use the
>>>>> patch regardless of the machine being virtualized or not. It was not
>>>>> dependent on the hypervisor.
>>>>
>>>> And now it...
2015 Jan 28
0
[PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
..." is the language used by the IETF draft.
> > > >
> > > > > so there are several aspects:
> > > > >
> > > > > I see fragmentation id generation still as security critical:
> > > > > When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
> > > > > identifiers less predictable") I could patch my kernels and use the
> > > > > patch regardless of the machine being virtualized or not. It was not
> > > > > dependent on the hypervisor.
> > > >
> > >...