cvs commit: src/sys/netinet tcp_syncache.c

Andre Oppermann andre at
Thu Jan 24 02:57:41 PST 2008

Mike Silbersack wrote:
> On Wed, 23 Jan 2008, Andre Oppermann wrote:
>> OTOH the enforcement of this rule wasn't really there before and it
>> may be argued that we've got a POLA violation here.  A careful reading
> That's exactly the point.  We were not enforcing timestamps since... 
> whenever the RFC1323 code went in.  Then we start enforcing them, and 
> start getting bug reports while we're still in the beta phase.  That 
> indicates to me that we would've been likely to see many reports as time 
> went on.

I'm complaining about not fixing or modifying the test.  The rationale
and comments to the change are not correct and a different fix would
be more appropriate.

> If you want to put the check back in, but hide it behind a sysctl that 
> is disabled by default, that would be ok with me.

The check is fine.  However in the edge case it should not cause the
connection to be aborted but it should disable timestamps locally.
There is no point in sending them if they do not get returned.

> I'm not generally opposed to security improvements that only affect edge 
> cases... but being unable to connect is not an edge case!

Fully agreed.  I'll reopen the PR and follow up with the originator
to do some further analysis.  All operating system he cites that were
unable to connect correctly send timestamps and do not stop after
the SYN phase.  So there must be something else at play here.  Have
you received or heart of any *other* reports that may be related to
the timestamp check?


More information about the cvs-src mailing list