On 02/07/2013 10:44 AM, Kees Cook wrote:
>>
>> This patch probably also breaks TCP STUNT that is used by some applications for NAT
>> traversal.
>
> The patch would not break it -- it defaults the sysctl to staying enabled.
>
> If you mean the documentation should be updated, sure, that's easy to do.
>
> David: I know you aren't a fan of this patch, but I'd like to try to
> convince you. :) This leaves the feature enabled and adds a toggle for
> systems (like Chrome OS) that don't want to risk this DoS at all.
> There are so very many other toggles, I don't see why this one would be
> a problem to add.
>

It is not just STUNT, but in NAT-less configurations behind stateful firewalls (which is expected to be the norm for IPv6), TCP rendezvous via crossed SYN is a very effective way to establish peer-to-peer connections.

-hpa