From 3a343d42d7bd90753ea6ed48fe750a7a209b1ddf Mon Sep 17 00:00:00 2001
From: Klement Sekera <ksekera@cisco.com>
Date: Thu, 16 May 2019 14:35:46 +0200
Subject: reassembly: prevent long chain attack

limit max # of fragments to 3 per packet by default
add API option to configure the limit at runtime

Change-Id: Ie4b9507bf5c6095b9a5925972b37fe0032f4f9e8
Signed-off-by: Klement Sekera <ksekera@cisco.com>
---
 test/test_ipip.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'test/test_ipip.py')

diff --git a/test/test_ipip.py b/test/test_ipip.py
index 16f83694b20..e5b9092a431 100644
--- a/test/test_ipip.py
+++ b/test/test_ipip.py
@@ -160,6 +160,11 @@ class TestIPIP(VppTestCase):
             sw_if_index=self.pg1.sw_if_index,
             enable_ip4=1)
 
+        self.vapi.ip_reassembly_set(timeout_ms=1000, max_reassemblies=1000,
+                                    max_reassembly_length=1000,
+                                    expire_walk_interval_ms=10000,
+                                    is_ip6=0)
+
         # Send lots of fragments, verify reassembled packet
         frags, p4_reply = self.generate_ip4_frags(3131, 1400)
         f = []
@@ -415,6 +420,11 @@ class TestIPIP6(VppTestCase):
             sw_if_index=self.pg1.sw_if_index,
             enable_ip6=1)
 
+        self.vapi.ip_reassembly_set(timeout_ms=1000, max_reassemblies=1000,
+                                    max_reassembly_length=1000,
+                                    expire_walk_interval_ms=10000,
+                                    is_ip6=1)
+
         # Send lots of fragments, verify reassembled packet
         before_cnt = self.statistics.get_counter(
             '/err/ipip6-input/packets decapsulated')
-- 
cgit 1.2.3-korg