reassembly: prevent long chain attack

limit max # of fragments to 3 per packet by default
add API option to configure the limit at runtime

Change-Id: Ie4b9507bf5c6095b9a5925972b37fe0032f4f9e8
Signed-off-by: Klement Sekera <ksekera@cisco.com>

1 files changed, 10 insertions, 0 deletions

diff --git a/test/test_ipip.py b/test/test_ipip.py
index 16f83694b20..e5b9092a431 100644
--- a/test/test_ipip.py
+++ b/test/test_ipip.py
@@ -160,6 +160,11 @@ class TestIPIP(VppTestCase):
             sw_if_index=self.pg1.sw_if_index,
             enable_ip4=1)
 
+        self.vapi.ip_reassembly_set(timeout_ms=1000, max_reassemblies=1000,
+                                    max_reassembly_length=1000,
+                                    expire_walk_interval_ms=10000,
+                                    is_ip6=0)
+
         # Send lots of fragments, verify reassembled packet
         frags, p4_reply = self.generate_ip4_frags(3131, 1400)
         f = []
@@ -415,6 +420,11 @@ class TestIPIP6(VppTestCase):
             sw_if_index=self.pg1.sw_if_index,
             enable_ip6=1)
 
+        self.vapi.ip_reassembly_set(timeout_ms=1000, max_reassemblies=1000,
+                                    max_reassembly_length=1000,
+                                    expire_walk_interval_ms=10000,
+                                    is_ip6=1)
+
         # Send lots of fragments, verify reassembled packet
         before_cnt = self.statistics.get_counter(
             '/err/ipip6-input/packets decapsulated')