OpenBSD’s Network Stack

Submitted by anonymous, 2005-10-13, OpenBSD

SecurityFocus interviews three OpenBSD developers about their network stack protection against DoS ICMP attacks, a short comparison with Linux’ stack, and some thoughts on OpenBGPD.

About the author: Thom Holwerda

38 Comments

2005-10-13 4:39 pm
“People might tell you that Linux has the capability to do X, Y, or Z that OpenBSD enables by default, but they don’t tell you that you have to dig around for the patches, enable the right compile flags, load the right modules and sacrifice a goat on the full moon. And even then it’s incomplete and buggy.”
This guy is a first class troll.

2005-10-13 4:47 pm
No, he calls it like he sees it. I’ve found the same thing, but don’t ever say anything; you’ll get labeled as a “Troll”.

2005-10-13 5:04 pm
Or rather you probably know the author and are just defending him. Cite concrete examples on both platforms and I will believe it.

2005-10-13 11:35 pm
> Or rather you probably know the author and are just defending him. Cite concrete examples on both platforms and I will believe it.
You Linux guys need to take a chill pill. You guys can’t learn NOTHING from any other OS on the planet. Must be nice in dream land.

2005-10-13 5:49 pm
A troll? I don’t know, he seems to me like the guy that can read the source and knows what he’s talking about. Not only that, but he has written network code for a large project that enforces security. Maybe he’s being a bit exaggerated, but that’s just how he sees it.

2005-10-13 5:36 pm
Haicube
First class troll? If I’m not mistaken, he’s the guy who you actually owe credit to for improving the safety and stability of the entire Internet. Now, what have you done, you said?

2005-10-13 5:57 pm
He could be the one who invented sliced bread, still pretty much a troll.
2005-10-14 2:57 am
First you’ll note that he stated Linux is not vulnerable to any of the attacks bar the “performance reduction” attack.
Second, he is a troll because that statement is just pulling shit out of the air. If he gave a concrete example then it might be worth something.
For example, he might have said something along the lines of the following examples, which would be real, valid criticisms and not trolling:
– Hey, OpenBSD can barely support the PPC G5, and only if you sacrifice a simpleton at the next full moon, and upgrade to the latest version, and even then only in 32-bit mode without much hardware support.
– OpenBSD barely supports SMP, and even the move from 1 -> 2 processors often runs into serialisation problems in the kernel when doing any real work. And only then on a select few chips.
– OpenBSD doesn’t support NUMA aware memory allocations or optimisations at all.
– OpenBSD doesn’t support a comprehensive security framework like SELinux provides.
– OpenBSD doesn’t support systems that provide hardware LPARs, which are needed to *really* be able to securely partition systems and confine services without leaving it to the chance of a software bug.
– The OpenBSD kernel doesn’t have nearly so many resources or diverse teams performing security audits as does the Linux kernel.
– OpenBSD does not have nearly the amount of automated source code analysis coverage that the Linux kernel has.
Hope this is helpful for next time.

2005-10-14 3:01 am
> Hey, OpenBSD can barely support the PPC G5, and only if
> you sacrifice a simpleton at the next full moon, and
Ooops, sorry, this is kind of a troll. This paragraph was initially meant to be my example of how to be a troll and criticise without substance… however, then I realised that OpenBSD’s PPC support really *is* ‘barely’.
2005-10-14 7:51 am
> Hey, OpenBSD can barely support the PPC G5,
> and only if you sacrifice a simpleton at the
> next full moon, and upgrade to the latest version,
Correct, G5 support just started.
> and even then only in 32-bit mode without much
> hardware support.
False, they do clean 64-bit since a few days.
> OpenBSD barely supports SMP, and even the move
> from 1 -> 2 processors often runs into
> serialisation problems in the kernel when doing
Correct.
> any real work. And only then on a select few chips.
False, they, justifiably, only support SMP on motherboards with *true* MPS.
> OpenBSD doesn’t support NUMA aware memory
> allocations or optimisations at all.
Correct.
> OpenBSD doesn’t support a comprehensive security
> framework like SELinux provides.
True, but only an admin who knows the entire internals of both userland and kernel can write policies (and yes, RedHat nicely gives you policies for nearly everything, so you can braindeadly turn them on).
> OpenBSD doesn’t support systems that provide
> hardware LPARs, which are needed to *really* be
> able to securely partition systems and confine
> services without leaving it to the chance of a
> software bug.
True, but LPARs are only possible on very select, insanely priced, IBM hardware.
> The OpenBSD kernel doesn’t have nearly so many
> resources or diverse teams performing security
> audits as does the Linux kernel.
Yes and no, but time after time, all those ‘many-eyes-who-catch-bugs’ turn out to be completely blind and clueless about it. Proof? Look at the amount of bugs found in the latest OBSD kernel vs. the Linux kernel in the course of the last 6 months.
> OpenBSD does not have nearly the amount of
> automated source code analysis coverage that
> the Linux kernel has.
False; the only advantage the Linux crowd has is Valgrind; if they did any serious code analysis, they should throw away half of their libraries and kernel coroutines.
Have a splendid day…

2005-10-14 4:06 pm
>> and even then only in 32-bit mode without much
>> hardware support.
> False, they do clean 64bit since a few days
No they don’t. I’ll assume the rest of your post is similarly uninformed, idiotic drivel and not bother reading it.

2005-10-14 4:44 pm
They have been doing 64-bit for a long time… sparc64. AMD/Intel are NOT the only 64-bit platform in the world. The fact is… they are the last.

2005-10-14 7:24 pm
That poster was actually referring to PPC64, which was in the middle of the road to go 64-bit. (Note: PowerPC is not EXACTLY the same as POWER.) x86-64 was actually not even mentioned so far. I mean, we have other 64-bit architectures too: MIPS64, SPARC64, DEC Alpha, HP’s PA-RISC, Itanium (still a dumb name for a decent chip). NetBSD has probably booted on all of them as well. OpenBSD is 64-bit clean on AMD64, MIPS64, and SPARC64 according to their own web site.
Cheers to all.
–JM

2005-10-14 8:24 am
> For example, he might have said something along the lines of the following examples, which would be real, valid criticisms and not trolling:
– SELinux. This patented technology allows Red Hat to sell soft to government agencies, great. But it’s integrated into the Linux kernel thanks to Red Hat lobbying, and that’s a good way to kill free distros that can’t afford a patent usage licence. See http://lwn.net/Articles/2376/ for instance. Secure Computing allows you to use SELinux without licence exploitation fees for anything but firewalls and VPN gateways.
Wow, what a nice security feature! Last but not least, the security improvements of using SELinux are still to be proved (pondered with the complexity of setting it up and the potential errors, the huge amount of privileged kernel code it needs, the slowdown, etc.). On the other hand OpenBSD provides systrace, a clean, simple, rigorous and efficient alternative, that really targets security (not Mandatory Access Control and the like).
– OpenBSD benefits from a far deeper kernel (and not only kernel, by the way) security audit coverage than Linux.
Because they designed it to be auditable at first, avoiding complexity like the plague, trying to maintain well mutualised code, e.g. among archs, drivers etc. (1/4 of the Linux kernel source code size, that’s an example of being auditable), enforcing strict coding style… This is a difference in goal and policy with Linux: for instance Linux can accept adding a lot of code and complexity for a small performance improvement, OpenBSD won’t. Taking every decision with security as a primary goal has an impact, whatever you think.
Because they try to do small and incremental changes only (who can really audit such a movable target as the Linux kernel, where large core parts like the VM or the scheduler are rewritten all the time, a new fs support is added every three months etc.).
Because they never leave a not mastered / not well understood or “understood by only one guy” subtree in the code base (Linux does this for many things: devfsd, reiserfs, NDA’ed drivers, binary loaders for some drivers etc.).
Because they have a permanent team that understands the whole kernel (how many can say that on the Linux tree), auditing it for security only.
Because every kind of bug discovered (even in userland) results in seeking this kind of bug on the whole tree.
Because every commit on the kernel is carefully evaluated with security prevalent in mind by a very large number of devs before being allowed to reach the cvs repository.
Because when a FreeBSD, NetBSD or DragonflyBSD audit results in a security improvement, this work is immediately borrowed by the OpenBSD team when applicable (that’s 4 independent teams sharing experience and audits).
Because their goals attract more and more security specialists (like, on this story, Fernando Gont).
Because there is a very long experience of code auditing in the OpenBSD dev team: there, you audit code far more than you write new code, and this is a competence you get by training only (you won’t become a security audit expert by code writing experience alone).
– OpenBSD has a huge amount of automated code analysis coverage: an OpenBSD developer works for Coverity (so we’ve got regular Coverity checks), and the propolice/ssp enabled gcc and other memory protection schemes also provide an automated way to make small bugs result in a kernel panic, and then get noticed. Also the OpenBSD team takes care of lint output.
– PPC G5 is supported in cvs (will be shipped in 3.9, in May).
– SMP works fine, thanks. Your note is pure FUD.
Your post was total FUD.

2005-10-14 9:44 am
TheRaven
> Because they have a permanent team that understand the whole kernel (how many can say that on the Linux tree) auditing it for security only.
This is not quite true. The auditing team looks for bugs, not security holes. The OpenBSD attitude is that the only difference between a bug and a vulnerability is that no one has found out how to exploit the former… yet.
With regard to SMP, OpenBSD still lacks a lot of fine-grained locking in the kernel (because this kind of thing is notoriously difficult to get completely bug – and hence potential vulnerability – free). This means that performance doesn’t scale anything like linearly on SMP machines for tasks that spend a lot of time in the kernel (i.e. making system calls) – although this should improve over time.

2005-10-13 5:53 pm
The problem with all you whining Linux kiddies is that you’ve never worked with a streamlined full-fledged operating system. Go ahead and call me a troll, then get back to your daily dose of patching, rpm or apt-get updating and figuring out why the hell things on your box are broken again…

2005-10-13 7:57 pm
You are the troll. Is there any particular Linux distro that focuses on being secure out-of-the-box like OpenBSD? SELinux perhaps? How does [insert-favourite-distro-name-here] compare to an OpenBSD install security-wise?

2005-10-13 8:17 pm
Rahul
Fedora Core 3, 4 and Red Hat Enterprise Linux 4 have the SELinux targeted policy enabled by default. These are the only operating systems in the world to include MAC based security enabled by default. It includes Exec Shield and GCC security improvements. For Fedora Core 5, there are several other enhancements like stack smash protection in the compiler, multi category security, per user /tmp and so on: http://fedoraproject.org/wiki/FC5Future

2005-10-13 8:36 pm
> “These are only operating systems in the world to include MAC based security enabled by default.”
Wrong, TrustedBSD has the entire flask/TPE (‘selinux’) thing enabled by default, on top of *many* other nice goodies (OpenBSM for auditing, BIBA, MLS, … things Linux can’t even dream of)… but all of this is way outside of the scope of this thread.

2005-10-13 5:14 pm
Or someone provide some data either way, anything. Are there patches applied to the Linux kernel for IP security as implied?

2005-10-13 5:41 pm
bsd is not for me

2005-10-13 6:42 pm
> BSD-derived systems never abort established connections in response to ICMP messages. This has been the traditional BSD behavior for quite a long time.
That’s what I mean. At home I listen a lot to internet streams. My MS room mate always complains his connection has been shot. I connect the stream in the morning on FreeBSD and it’s still connected in the evening. That’s another form of “it just works” (MS har har).
Good article, and kudos to the devs no matter what the wannabees say.
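The ICMP behaviour quoted in the comment above (an established TCP connection is never aborted in response to an ICMP error) can be made concrete with a small model. The block below is an added example, not code from the article, from OpenBSD, or from any commenter: it constructs ICMP Destination Unreachable messages in the RFC 792 layout (the error quotes the offending IP header plus the first 8 bytes of the TCP segment, i.e. ports and sequence number), looks the quoted endpoints up in a toy connection table, and compares two policies: the literal RFC 1122 reading, where a "hard" error aborts the matching connection in any state, and the BSD-style policy the thread describes, where only a connection still in SYN_SENT is aborted. The connection table, addresses, function names and the bsd_style flag are all assumptions made for this example.

```python
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
# Destination Unreachable codes that RFC 1122 classifies as "hard" errors:
# protocol unreachable (2), port unreachable (3), fragmentation needed (4).
HARD_CODES = {2, 3, 4}


@dataclass
class Conn:
    """One entry of a toy TCP connection table (constructed for this example)."""
    local: tuple   # (ip, port) of this host
    remote: tuple  # (ip, port) of the peer
    state: str     # "SYN_SENT" or "ESTABLISHED"


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_icmp_unreach(code, src_ip, dst_ip, sport, dport, seq):
    """Construct an ICMP Destination Unreachable message (test input only).

    RFC 792 has the error quote the IP header and first 8 bytes of the
    datagram that triggered it; for TCP those 8 bytes hold the two ports and
    the sequence number. Checksums are left zero since nothing here sends it.
    """
    icmp_hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    # Minimal IPv4 header: version/IHL, TOS, length, id, flags, TTL, proto=6 (TCP)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         _ip_bytes(src_ip), _ip_bytes(dst_ip))
    tcp_prefix = struct.pack("!HHI", sport, dport, seq)
    return icmp_hdr + ip_hdr + tcp_prefix


def parse_icmp_error(pkt):
    """Return (type, code, src_ip, dst_ip, sport, dport, seq), or None if not TCP."""
    icmp_type, code, _csum, _rest = struct.unpack("!BBHI", pkt[:8])
    inner = pkt[8:]                      # the quoted IP datagram
    ihl = (inner[0] & 0x0F) * 4          # IP header length in bytes
    if inner[9] != 6:                    # protocol field: only TCP is modelled
        return None
    src_ip, dst_ip = _ip_str(inner[12:16]), _ip_str(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return icmp_type, code, src_ip, dst_ip, sport, dport, seq


def handle_icmp(conns, pkt, bsd_style=True):
    """Decide "abort", "ignore" or "no-match" for one incoming ICMP error.

    bsd_style=False: literal RFC 1122, a hard error aborts the matching
    connection whatever its state.
    bsd_style=True:  the behaviour the thread attributes to BSD-derived
    stacks, an ESTABLISHED connection is never torn down by ICMP; only a
    connection still in SYN_SENT is.
    """
    parsed = parse_icmp_error(pkt)
    if parsed is None:
        return "ignore"
    icmp_type, code, src_ip, dst_ip, sport, dport, _seq = parsed
    # The quoted datagram was sent by us, so its source is our local endpoint.
    match = next((c for c in conns
                  if c.local == (src_ip, sport) and c.remote == (dst_ip, dport)),
                 None)
    if match is None:
        return "no-match"                # nothing to act on; drop silently
    if icmp_type != ICMP_DEST_UNREACH or code not in HARD_CODES:
        return "ignore"                  # soft error: TCP keeps retransmitting
    if bsd_style and match.state == "ESTABLISHED":
        return "ignore"                  # a forged error cannot kill a live session
    return "abort"


def demo():
    """Run the constructed scenarios and return the decision of each policy."""
    conns = [
        Conn(("10.0.0.1", 40000), ("192.0.2.10", 80), "ESTABLISHED"),
        Conn(("10.0.0.1", 40001), ("192.0.2.11", 80), "SYN_SENT"),
    ]
    # Port-unreachable aimed at the established stream
    forged = build_icmp_unreach(3, "10.0.0.1", "192.0.2.10", 40000, 80, 1000)
    # The same error while the connection is still being set up
    during_syn = build_icmp_unreach(3, "10.0.0.1", "192.0.2.11", 40001, 80, 1)
    # Network-unreachable (code 0) is a soft error under either policy
    soft = build_icmp_unreach(0, "10.0.0.1", "192.0.2.10", 40000, 80, 1000)
    return {
        "forged_rfc1122": handle_icmp(conns, forged, bsd_style=False),
        "forged_bsd": handle_icmp(conns, forged, bsd_style=True),
        "syn_sent_bsd": handle_icmp(conns, during_syn, bsd_style=True),
        "soft_rfc1122": handle_icmp(conns, soft, bsd_style=False),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

Run it with python3 to see the four decisions. The case that matters is the port-unreachable directed at the ESTABLISHED stream: the literal RFC 1122 reading aborts it, the BSD-style policy ignores it and the stream survives, which is the "connected in the morning, still connected in the evening" behaviour the commenter describes. A real stack also validates the quoted sequence number and other fields before even getting this far; that check is outside what this model shows.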
2005-10-13 6:56 pm
> “This guy is a first class troll.”
… and he’s also a first class developer. For example, he was mainly involved in developing CARP – and it’s just great.
I think his argument isn’t trolling at all. It’s just a description of the way it is in Linux, i.e., you have to explicitly configure every piece of shit in the Linux kernel in order to make it work (modules, …). In contrast, OpenBSD takes this burden from the user by encouraging him to use the GENERIC kernel, which has everything you need enabled (at least for 99% of the user base). There’s just no need to tweak the kernel in order to break something.
Another example: you don’t have to enable W^X, propolice and all the other stack/heap protecting features in OpenBSD, because they all work out-of-the-box. Which Linux distro enables so many user-transparent security features by default?

2005-10-13 7:01 pm
Ever heard of flexibility?

2005-10-14 8:40 am
Flexibility to be vulnerable?

2005-10-13 8:21 pm
Rahul
> It’s just a description of the way it is in Linux, i.e., you have to explicitly configure every piece of shit in the Linux kernel in order to make it work (modules, …). In contrast, OpenBSD takes this burden from the user by encouraging him to use the GENERIC kernel, which has everything you need enabled (at least for 99% of the user base). There’s just no need to tweak the kernel in order to break something.
Far from the truth, the Linux kernel also includes a default configuration that is modular and works on a much wider range of hardware. Distributions also integrate hotplug, hardware detection and configuration tools that make it all work together. If there is a need to tweak the kernel it’s generally considered a bug and should be fixed.

2005-10-13 7:14 pm
JonO
He critisized (sic) L1nux!!!!111 TROLL!!!!11

2005-10-13 7:45 pm
Okay, I surrender, this was a good one.

2005-10-13 8:10 pm
The major problem with OpenBSD is the number of assholes it attracts. If you think it’s hard to ask a question in a Linux newsgroup w/o having your ass flamed raw, try asking in an OpenBSD group/forum. Other than that, it’s a damn solid system.

2005-10-13 9:42 pm
Clinton
I don’t know if any OpenBSD dudes ever hang out at OSNews (kinda doubt it), but if they did, I’d like them to know that while OpenBSD is a great, secure OS for server tasks like subversion repositories, webservers, firewalls, database servers, etc., it is not the world’s most obvious desktop/workstation system (although it is perfectly able to perform as such). Also, as nice as OpenBSD is, it lacks performance and scalability as a server as well. Therefore, you are welcome to your haughty attitudes with regards to security. You deserve the recognition. However, it would do to have a bit more humility with regards to your Linux cousin since it outperforms OpenBSD and has been molded into one of the best desktop/workstation systems available by companies like Novell, Red Hat, and Canonical.

2005-10-13 9:50 pm
Clinton, good post.
jlc

2005-10-13 10:05 pm
Who cares? OpenBSD focuses on security, not popularity contests. The goal of Red Hat is to cobble together an OS that will make them money. The goal of OBSD is to produce a high quality, secure OS.

2005-10-13 11:29 pm
> OpenBSD focuses on security, not popularity contests. The goal of Red Hat is to cobble together an OS that will make them money. The goal of OBSD is to produce a high quality, secure OS.
Way to miss the entire point of my post.

2005-10-14 6:52 am
Soulbender
> “Also, as nice as OpenBSD is, it lacks performance and scalability as a server as well.”
These are just entirely unsubstantiated claims.
> “…Linux cousin since it outperforms OpenBSD”
That depends entirely on what you measure, why you measure and how you measure.
> “…has been molded into one of the best desktop/workstation systems available”
Ain’t that special. I’m sure that’s awesome for Linux but OpenBSD’s goal is not to be an everyman’s desktop OS, nor was the article about desktop operating systems.

2005-10-14 2:22 pm
Why do the Linux advocates have such fragile egos? Every design team has to make a set of trade-offs in design, based upon their experience and inclination.
– Linux isn’t going to die next week, so why the FEAR in the voices of the Linux kooks?
– Linux is free, it comes with the backing of Novell, Red Hat, IBM and a host of smaller companies.
– Linux performs well.
– Linux is very secure, generally.
BSD has a design group that is interested in SECURITY as its first priority. The BSD group ATTRACTS those people interested in an OS whose primary mission is security.
Solaris has a bent toward reliability. (DTrace for example.)
Windows? Hmmm. Bent toward world domination.
At OSNews readers should be able to discuss the passions of the design groups of these OS’s without the Linux guys coming in and DEFENDING Linux from IMAGINARY ATTACKS.

2005-10-14 3:35 pm
It’s not that we can’t get along, it’s that whenever an open source OS is mentioned that is not Linux, the fans of that OS gather around and bash Linux, or express their distaste for Linux not doing things a certain way. Consider this thread for example.

2005-10-15 7:22 am
Soulbender
> “…the fans of that OS gather around and bash linux…”
The opposite is also true, i.e. Linux fans bashing other OS’s.

2005-10-15 11:48 am
“my os is better than your os!” nuf said!?! Move on and clean the fracking kitchen, whatever.