Extended SYN cookies
Fernando Gont
fernando at gont.com.ar
Tue Jun 22 09:18:18 UTC 2010
Hi, folks,
I have a few questions wrt the FreeBSD TCP extended syncookies. I'm
quoting the explanation in the code:
> * Timestamp we send:
> * 31|................................|0
> * DDDDDDDDDDDDDDDDDDDDDDSSSSRRRRA5
> * D = MD5 Digest (third dword) (only as filler)
What about the second MD5 dword? -- It doesn't seem to be used anywhere...
> * S = Requested send window scale
> * R = Requested receive window scale
What's this snd_window rcv_window thing? I mean, why do you need to
include in the cookie the TCP wscale option *you* advertised? Isn't it
expected to be the same in all cases?
> * A = SACK allowed
> * 5 = TCP-MD5 enabled (not implemented yet)
> * XORed with MD5 Digest (fourth dword)
Any reason for XORing the timestamp with the MD5 Digest?
> * The timestamp isn't cryptographically secure and doesn't need to be.
What's the motivator of this comment? MD5 itself (used here) being
cryptographically weak, or what?
> * Some problems with SYN cookies remain however:
> * Consider the problem of a recreated (and retransmitted) cookie. If the
> * original SYN was accepted, the connection is established. The second
> * SYN is inflight, and if it arrives with an ISN that falls within the
> * receive window, the connection is killed.
What do you mean by "recreated", specifically?
Thanks!
Kind regards,
--
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
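To make the bit layout in the quoted comment concrete, here is an added pack/unpack routine for the extended-syncookie timestamp. It is illustration only, not FreeBSD's own code: the field positions follow the quoted comment (22 bits of digest filler, two 4-bit window scales, the SACK bit and the TCP-MD5 bit), while the digest dword is a constructed placeholder rather than an actual MD5 computation, and the struct and function names are assumptions. Decoding with a different dword shows why the listener has to regenerate the same digest on the ACK side.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration of the timestamp layout (not FreeBSD's own code).
 * Bit positions follow the quoted comment:
 *   31..10  D  MD5 digest bits (22 bits, filler only)
 *    9..6   S  requested send window scale (4 bits)
 *    5..2   R  requested receive window scale (4 bits)
 *    1      A  SACK allowed
 *    0      5  TCP-MD5 enabled
 * The whole word is then XORed with one digest dword so the option bits
 * are not readable in clear on the wire.
 */
#define TS_D_SHIFT   10
#define TS_D_MASK    0x3fffffu
#define TS_S_SHIFT   6
#define TS_R_SHIFT   2
#define TS_WS_MASK   0xfu
#define TS_A_BIT     (1u << 1)
#define TS_5_BIT     (1u << 0)

struct ts_fields {
	uint32_t filler;      /* 22 digest bits used only as filler */
	unsigned snd_wscale;  /* window scale is at most 14 (RFC 7323), fits 4 bits */
	unsigned rcv_wscale;
	int sack_ok;
	int tcpmd5;
};

/* Build the on-the-wire timestamp. xor_dword stands in for the digest
 * dword the comment mentions; no MD5 is computed in this illustration. */
uint32_t ts_pack(const struct ts_fields *f, uint32_t xor_dword)
{
	uint32_t ts = 0;
	ts |= (f->filler & TS_D_MASK) << TS_D_SHIFT;
	ts |= (f->snd_wscale & TS_WS_MASK) << TS_S_SHIFT;
	ts |= (f->rcv_wscale & TS_WS_MASK) << TS_R_SHIFT;
	if (f->sack_ok) ts |= TS_A_BIT;
	if (f->tcpmd5) ts |= TS_5_BIT;
	return ts ^ xor_dword;
}

/* Recover the fields from an echoed timestamp. The same digest dword must
 * be regenerated when the ACK arrives; with a different one the decoded
 * options are garbage, which is what the XOR is there for. */
void ts_unpack(uint32_t ts, uint32_t xor_dword, struct ts_fields *f)
{
	uint32_t v = ts ^ xor_dword;
	f->filler = (v >> TS_D_SHIFT) & TS_D_MASK;
	f->snd_wscale = (v >> TS_S_SHIFT) & TS_WS_MASK;
	f->rcv_wscale = (v >> TS_R_SHIFT) & TS_WS_MASK;
	f->sack_ok = (v & TS_A_BIT) != 0;
	f->tcpmd5 = (v & TS_5_BIT) != 0;
}

/* 1 if two decoded field sets match, 0 otherwise. */
int ts_fields_equal(const struct ts_fields *a, const struct ts_fields *b)
{
	return a->filler == b->filler && a->snd_wscale == b->snd_wscale &&
	    a->rcv_wscale == b->rcv_wscale && a->sack_ok == b->sack_ok &&
	    a->tcpmd5 == b->tcpmd5;
}

int main(void)
{
	/* Constructed sample values; 0x2abcde is an arbitrary 22-bit filler. */
	struct ts_fields in = { 0x2abcde, 7, 9, 1, 0 }, out;
	uint32_t digest = 0xdeadbeefu; /* placeholder for the real digest dword */
	uint32_t ts = ts_pack(&in, digest);
	ts_unpack(ts, digest, &out);
	printf("ts=0x%08x roundtrip=%s\n", ts,
	    ts_fields_equal(&in, &out) ? "ok" : "FAIL");
	return 0;
}
```

Flipping a single bit of the XOR dword on the decode side changes the corresponding option bit, so the listener cannot tolerate any drift in how the digest is derived between SYN and ACK.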