Hi,
with a lot of help from David Malone and JINMEI Tatuya we came up with the
following hash function for IPv6 connections using universal hashing.
Note that while it looks a lot more complicated, it is unlikely to
consume (much) more time. The most expensive operation is still the
memory access - which has to happen either way. Since this is a firewall
and as such a security feature, we should rather do it right. Note that
in IPv6 an attacker can easily choose 96 bytes of input, so it's trivial
to construct collisions with the current hash function. A degenerate
hash is certainly more expensive than these changes.
Objections, Comments, anything else?
BTW, don't suggest that we use memcmp in addr6_cmp. As it turns out, the
kernel version of memcmp() does not provide POSIX compliant return
values.
--
/"\ Best regards, | mlaier@xxxxxxxxxxx
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
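The attached v6hash.diff is not reproduced on this page, so the following is an added illustration, not the patch itself: a keyed universal hash over the IPv6 connection tuple (multiply-add-shift family: random 64-bit multiplier per 32-bit input word, sum mod 2^64, take the top bits), next to a three-way `addr6_cmp` that does not rely on the kernel `memcmp()` sign convention. The names `v6conn`, `v6hash_key`, `v6hash`, `v6hash_selftest`, `addr6_cmp`, the tuple layout and the fixed demo key are assumptions made for this example; a deployment would fill the key once at boot from the CSPRNG.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Connection tuple as a state table would key it (constructed layout for
 * this example, not pf's own state structure). */
struct v6conn {
    uint8_t  src[16];
    uint8_t  dst[16];
    uint16_t sport;
    uint16_t dport;
};

#define V6_WORDS 9      /* 36 bytes of tuple = nine 32-bit input words */

/* Secret key: one 64-bit multiplier per input word plus an additive term.
 * Drawn once at boot from the CSPRNG (e.g. arc4random()); without it an
 * attacker cannot predict which tuples share a bucket. */
struct v6hash_key {
    uint64_t a[V6_WORDS];
    uint64_t b;
};

/* Split the tuple into 32-bit words. Address bytes are copied as-is, so the
 * index depends on host byte order but is stable within one running kernel. */
static void v6conn_words(const struct v6conn *c, uint32_t w[V6_WORDS])
{
    memcpy(&w[0], c->src, 16);
    memcpy(&w[4], c->dst, 16);
    w[8] = ((uint32_t)c->sport << 16) | c->dport;
}

/* Multiply-add-shift universal hash:
 *   h(x) = ((b + sum_i a_i * x_i) mod 2^64) >> (64 - bits), 1 <= bits <= 32.
 * Over a random key, two distinct tuples collide with probability close to
 * 2^-bits, so collisions cannot be mass-produced without knowing the key. */
static uint32_t v6hash(const struct v6hash_key *k, const struct v6conn *c, unsigned bits)
{
    uint32_t w[V6_WORDS];
    uint64_t acc = k->b;
    int i;

    if (bits == 0 || bits > 32)
        return 0;                          /* caller error; avoid an undefined shift */
    v6conn_words(c, w);
    for (i = 0; i < V6_WORDS; i++)
        acc += k->a[i] * (uint64_t)w[i];   /* unsigned wraparound is the mod 2^64 */
    return (uint32_t)(acc >> (64 - bits));
}

/* Three-way address compare with a guaranteed -1/0/1 result, independent of
 * whatever sign convention a kernel memcmp() happens to return. */
static int addr6_cmp(const uint8_t a[16], const uint8_t b[16])
{
    int i;
    for (i = 0; i < 16; i++)
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* Constructed sample: 2001:db8::1 -> 2001:db8::2, ports 1234 -> 80. */
static const struct v6conn sample_conn = {
    { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 },
    { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2 },
    1234, 80
};

/* Sanity check of the packing and shift arithmetic with a key that selects
 * only the port word: the 32-bit result must equal (sport << 16) | dport.
 * Returns 1 on success, 0 on failure. */
static int v6hash_selftest(void)
{
    struct v6hash_key k;
    memset(&k, 0, sizeof k);
    k.a[8] = (uint64_t)1 << 32;
    return v6hash(&k, &sample_conn, 32) == ((1234u << 16) | 80u);
}

int main(void)
{
    /* Fixed demo key; a real system fills this from the CSPRNG at boot. */
    struct v6hash_key key = {
        { 0x9e3779b97f4a7c15ULL, 0xbf58476d1ce4e5b9ULL, 0x94d049bb133111ebULL,
          0x2545f4914f6cdd1dULL, 0xd6e8feb86659fd93ULL, 0xa5a5a5a5deadbeefULL,
          0x0123456789abcdefULL, 0xfedcba9876543210ULL, 0x7f4a7c159e3779b9ULL },
        0x1234567890abcdefULL
    };
    struct v6conn reverse = sample_conn;   /* same flow seen from the other side */

    memcpy(reverse.src, sample_conn.dst, 16);
    memcpy(reverse.dst, sample_conn.src, 16);
    reverse.sport = sample_conn.dport;
    reverse.dport = sample_conn.sport;

    printf("forward bucket: %u\n", v6hash(&key, &sample_conn, 16));
    printf("reverse bucket: %u\n", v6hash(&key, &reverse, 16));
    printf("addr6_cmp(src, dst) = %d\n", addr6_cmp(sample_conn.src, sample_conn.dst));
    printf("selftest: %s\n", v6hash_selftest() ? "ok" : "FAILED");
    return 0;
}
```

Note that the key must never be derived from anything an attacker can observe or influence, and that the forward and reverse tuples hash independently: a state table that wants one bucket per flow regardless of direction canonicalises the tuple (for instance by ordering the two endpoints with `addr6_cmp`) before hashing.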
[Attachment: v6hash.diff]