On Thu, Mar 20, 2014 at 9:31 AM, Karl Heiss <kheiss@xxxxxxxxx> wrote:
> I have a question about the HB.Max.Burst parameter for the LKSCTP
> stack. I notice that there is no explicit parameter for this value
> and the alternative from RFC 5062 (only one HB per RTT) does not
> appear to be implemented either (see excerpt below). The only
> limiting factor appears to be max.burst. Am I missing something
> obvious or should there be some other form of limiting heartbeats to
> mitigate some of the issues outlined in RFC 5062?

Correction: the limit is Association.Max.Retrans, not Max.Burst.

>
> 6.3. Mitigation Option
>
> To limit the effectiveness of this attack, the new parameter
> HB.Max.Burst was introduced in [RFC4960] and an endpoint should:
>
> 1) not allow very large cookie lifetimes, even if they are requested.
>
> 2) not use larger HB.Max.Burst parameter values than recommended.
> Note that an endpoint may decide to send only one Heartbeat per
> RTT instead of the maximum (i.e., HB.Max.Burst). An endpoint that
> chooses this approach will however slow down detection of
> endpoints camping on valid addresses.
>
> 3) not use large HEARTBEATs for path confirmation.
>
>
> Karl
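The following is an added illustration, not code from the LKSCTP stack or from the poster: a small C model of how path-confirmation HEARTBEATs toward a set of unconfirmed addresses are paced by HB.Max.Burst (or by the RFC 5062 section 6.3 "one HEARTBEAT per RTT" alternative), and how Association.Max.Retrans is what ultimately stops the sender when none of those addresses ever answers. It assumes a simplified error model (every unanswered HEARTBEAT counts one association error at the moment it is sent, whereas a real stack counts it when the HEARTBEAT timer expires), treats hb_max_burst == 0 as "no pacing at all", and uses the RFC 4960 section 15 defaults HB.Max.Burst = 1 and Association.Max.Retrans = 10 as its sample values. All names (hb_params, hb_result, simulate_unanswered_heartbeats) are hypothetical.

```c
/* Added example: simplified model of SCTP path-confirmation HEARTBEAT
 * pacing. Not LKSCTP code; the error accounting is deliberately coarse. */
#include <stdbool.h>
#include <stdio.h>

struct hb_params {
    unsigned hb_max_burst;      /* HB.Max.Burst: HEARTBEATs per RTT window (RFC 4960 default 1);
                                   0 here means "no pacing", the case the poster describes */
    bool     one_per_rtt;       /* RFC 5062 6.3 item 2 alternative: one HEARTBEAT per RTT */
    unsigned assoc_max_retrans; /* Association.Max.Retrans (RFC 4960 default 10) */
};

struct hb_result {
    unsigned heartbeats_sent;   /* total HEARTBEATs emitted toward unconfirmed addresses */
    unsigned peak_per_rtt;      /* largest number emitted inside a single RTT window */
    unsigned rtts_elapsed;      /* RTT windows consumed before the run ended */
    bool     aborted;           /* error counter exceeded Association.Max.Retrans */
};

/* Model an association that has learned `n_unconfirmed` addresses (for example
 * from a peer-supplied address list), none of which ever returns a
 * HEARTBEAT-ACK, for at most `max_rtts` RTT windows.
 * Simplification (assumption): each unanswered HEARTBEAT increments the
 * association error counter immediately; a real stack does so when the
 * HEARTBEAT timer fires. */
struct hb_result simulate_unanswered_heartbeats(const struct hb_params *p,
                                                unsigned n_unconfirmed,
                                                unsigned max_rtts)
{
    struct hb_result r = {0, 0, 0, false};
    unsigned assoc_errors = 0;
    unsigned next = 0;  /* round-robin cursor over the unconfirmed addresses */
    unsigned budget;    /* HEARTBEATs allowed per RTT window */

    if (p->one_per_rtt)
        budget = 1;
    else if (p->hb_max_burst == 0)
        budget = n_unconfirmed;         /* unpaced: spray every address each RTT */
    else
        budget = p->hb_max_burst;

    for (unsigned rtt = 0; rtt < max_rtts && !r.aborted; rtt++) {
        unsigned sent_this_rtt = 0;
        r.rtts_elapsed = rtt + 1;
        while (sent_this_rtt < budget && sent_this_rtt < n_unconfirmed) {
            /* "send" a HEARTBEAT to address `next`; it is never answered */
            next = (next + 1) % n_unconfirmed;
            sent_this_rtt++;
            r.heartbeats_sent++;
            if (++assoc_errors > p->assoc_max_retrans) {
                r.aborted = true;       /* association is torn down */
                break;
            }
        }
        if (sent_this_rtt > r.peak_per_rtt)
            r.peak_per_rtt = sent_this_rtt;
    }
    return r;
}

static void report(const char *label, const struct hb_params *p)
{
    struct hb_result r = simulate_unanswered_heartbeats(p, 8, 100);
    printf("%-28s sent=%u peak/RTT=%u RTTs=%u aborted=%s\n", label,
           r.heartbeats_sent, r.peak_per_rtt, r.rtts_elapsed,
           r.aborted ? "yes" : "no");
}

int main(void)
{
    struct hb_params unpaced   = {0, false, 10};
    struct hb_params lksctp_mb = {4, false, 10};  /* a max_burst-like value of 4 */
    struct hb_params rfc4960   = {1, false, 10};
    struct hb_params rfc5062   = {4, true,  10};  /* one per RTT regardless of burst */

    report("no pacing",            &unpaced);
    report("HB.Max.Burst=4",       &lksctp_mb);
    report("HB.Max.Burst=1",       &rfc4960);
    report("one HEARTBEAT per RTT", &rfc5062);
    return 0;
}
```

With eight unanswered addresses every variant stops after the same eleven HEARTBEATs, because Association.Max.Retrans = 10 is exceeded either way; what HB.Max.Burst (or the one-per-RTT rule) changes is the peak rate, eight HEARTBEATs in the first RTT when unpaced versus one per RTT under the RFC 5062 option, and correspondingly how many RTTs the sender keeps probing before giving up, which is the slower-camping-detection trade-off the excerpt mentions.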