cvs commit: src/sys/netinet tcp_input.c tcp_output.c tcp_syncache.c tcp_var.h

Andre Oppermann andre at FreeBSD.org
Wed Sep 13 06:08:31 PDT 2006


andre       2006-09-13 13:08:27 UTC

  FreeBSD src repository

  Modified files:
    sys/netinet          tcp_input.c tcp_output.c tcp_syncache.c 
                         tcp_var.h 
  Log:
  Rewrite of TCP syncookies to remove locking requirements and to enhance
  functionality:
  
   - Remove a rwlock aquisition/release per generated syncookie.  Locking
     is now integrated with the bucket row locking of syncache itself and
     syncookies no longer add any additional lock overhead.
   - Syncookie secrets are different for and stored per syncache buck row.
     Secrets expire after 16 seconds and are reseeded on-demand.
   - The computational overhead for syncookie generation and verification
     is one MD5 hash computation as before.
   - Syncache can be turned off and run with syncookies only by setting the
     sysctl net.inet.tcp.syncookies_only=1.
  
  This implementation extends the orginal idea and first implementation
  of FreeBSD by using not only the initial sequence number field to store
  information but also the timestamp field if present.  This way we can
  keep track of the entire state we need to know to recreate the session in
  its original form.  Almost all TCP speakers implement RFC1323 timestamps
  these days.  For those that do not we still have to live with the known
  shortcomings of the ISN only SYN cookies.  The use of the timestamp field
  causes the timestamps to be randomized if syncookies are enabled.
  
  The idea of SYN cookies is to encode and include all necessary information
  about the connection setup state within the SYN-ACK we send back and thus
  to get along without keeping any local state until the ACK to the SYN-ACK
  arrives (if ever).  Everything we need to know should be available from
  the information we encoded in the SYN-ACK.
  
  A detailed description of the inner working of the syncookies mechanism
  is included in the comments in tcp_syncache.c.
  
  Reviewed by:    silby (slightly earlier version)
  Sponsored by:   TCP/IP Optimization Fundraise 2005
  
  Revision  Changes    Path
  1.307     +16 -6     src/sys/netinet/tcp_input.c
  1.117     +1 -1      src/sys/netinet/tcp_output.c
  1.99      +278 -192  src/sys/netinet/tcp_syncache.c
  1.137     +5 -4      src/sys/netinet/tcp_var.h


More information about the cvs-src mailing list