CVSROOT: /cvs
Module name: src
Changes by: ren...@cvs.openbsd.org 2016/05/23 10:16:44
Modified files:
usr.sbin/ldpd : ldpe.h neighbor.c notification.c packet.c
Log message:
Rework the way we handle income connection requests.
The logic of the previous code was to accept all TCP connection requests
(destined to port 646) and create a tcp_conn structure for each them. Once
the first packet of a connection was received, we would analyze the
LDP Initialization message and identify its origin by looking at the
LSR-ID field.
When parsing a received TCP packet, we would need to distinguish between
two cases: tcp packet from an LDP neighbor and tcp packet from a newborn
connection (not associated with any neighbor yet). For this reason,
the session_read() function was quite complicated.
Also, we were not keeping track of the allocated tcp_conn structures. So,
we were subject to memory leaks and even DOS attacks.
With this patch, we also accept all TCP connection requests, but with two
major differences:
* We identify the neighbor by the source address of the SYN
packet. This is possible because we don't support label spaces, so
the transport-address by itself is enough to identify a neighbor,
we don't need to wait for the Initialization message;
* If there's no matching adjacency for this neighbor, then we start a
timer of 5 seconds. If we receive a Hello packet from this neighbor
within this interval, then we stop this timer and move on in
the Initialization state machine. Otherwise, we send a No Hello
Notification message and close the socket. We try to avoid sending
the No Hello notification as much as possible because it triggers the
backoff exponential in the remote peer, which considerably slow down
the session establishment process.
In summary, this new approach allows for a simpler code and fixes the
memory leak problem mentioned before.
