svn commit: r42215 - head/en_US.ISO8859-1/htdocs/news/status

Warren Block wblock at wonkity.com
Tue Jul 9 12:15:57 UTC 2013 

On Tue, 9 Jul 2013, Gabor Pali wrote:

> Author: pgj
> Date: Tue Jul  9 08:48:08 2013
> New Revision: 42215
> URL: http://svnweb.freebsd.org/changeset/doc/42215
>
> Log:
>  - Add a Q2 report on improved TCP SYN cookies
>
>  Submitted by:	andre
>
> Modified:
>  head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml
>
> Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml
> ==============================================================================
> --- head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml	Tue Jul  9 08:33:48 2013	(r42214)
> +++ head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml	Tue Jul  9 08:48:08 2013	(r42215)
> @@ -18,7 +18,7 @@
>
>     <!-- XXX: keep updating the number of entries -->
>     <p>Thanks to all the reporters for the excellent work!  This report
> -      contains 28 entries and we hope you enjoy reading it.</p>
> +      contains 29 entries and we hope you enjoy reading it.</p>
>
>     <!-- XXX: set date for the next set of submissions -->
>     <p>The deadline for submissions covering between July and September 2013
> @@ -1579,4 +1579,84 @@ functionality through <tt>pkg(8)</tt>.</
> 	and <tt>CAP_RECV_RIGHTS</tt>.</task>
>     </help>
>   </project>
> +
> +  <project cat='kern'>
> +    <title>Improved TCP SYN Cookies</title>
> +
> +    <contact>
> +      <person>
> +	<name>
> +	  <given>Andre</given>
> +	  <common>Oppermann</common>
> +	</name>
> +	<email>andre at FreeBSD.org</email>
> +      </person>
> +    </contact>
> +
> +    <links>
> +      <url href="http://docs.freebsd.org/cgi/getmsg.cgi?fetch=28838+0+current/freebsd-net">Description</url>
> +      <url href="http://people.freebsd.org/~andre/syncookie-20130708.diff">Patch</url>
> +    </links>
> +
> +    <body>
> +      <p>We have had a SYN cookie implementation for quite some time now
> +	but it has some limitations with current realities for window
> +	scaling and SACK encoding the in the few available bits.</p>
> +
> +      <p>This patch updates and improves SYN cookies mainly by:</p>
> +
> +      <ol>
> +	<li>Encoding of MSS, WSCALE (window scaling) and SACK into the
> +	  ISN (initial sequence number) without the use of timestamp
> +	  bits.</li>
> +
> +	<li>Switching to the very fast and cryptographically strong
> +	  SipHash-2-4 hash MAC algorithm to protect the SYN cookie
> +	  against forgery.</li>
> +      </ol>
> +
> +      <p>The common parameters used on TCP sessions have changed quite a
> +	bit since SYN cookies very invented some 17 years ago.  Today we

s/very/were/

> +	have a lot more bandwidth which makes the use window scaling

s/the use/use of/

> +	almost mandatory.  Also SACK has become standard as it makes
> +	recovering from packet loss much more efficient.</p>
> +
> +      <p>The original SYN cookies method only stored an indexed MSS
> +	values in the cookie.  This obviously is not sufficient anymore

s/values/value/
s/anymore/any more/

> +	and breaks in the presence of WSCALE.  WSCALE information is
> +	only exchanged during SYN and SYN-ACK.  If we cannot keep track
> +	of it then we severely underestimate the available send or
> +	receive window, compounded with the fact that with large window
> +	scaling the window size information on the TCP segment header
> +	would be even lower numerically.</p>
> +
> +      <p>A number of years back SYN cookies have been extended to store

s/back SYN/back, SYN/
s/have been/were/

> +	the additional state in the TCP timestamp fields, if available
> +	on a connection.  It has been adopted by Linux as well.  While
> +	timestamps are common among the BSD, Linux and other Unix
> +	systems, Windows never enabled them by default, thus they are
> +	not present for the vast majority of clients seen on the
> +	Internet.</p>
> +
> +      <p>The new improvement in this patch moves all necessary
> +	information into the ISN again removing the need for timestamps.

s/again removing/again, removing/

> +	Both the MSS and send WSCALE are stored in 3 bit indexed form
> +	together with a single bit for SACK.  While we cannot represent
> +	all possible MSS and WSCALE values, both are 16 bit fields in
> +	the TCP header, in only 3 bits each this, it turns out, is not
> +	actually necessary.</p>

That last sentence is very unclear.  I *think* it means

   "While we cannot represent all possible MSS and WSCALE values in
    only 3 bits each (both are 16 bit fields in the TCP header), it
    turns out that is not actually necessary.</p>"

> +      <p>These improvements allow one to run with SYN cookies only on
> +	Internet-facing servers.  However while SYN cookies are
> +	calculated and sent all the time, they are only used when the
> +	syn cache overflows due to attacks or overload.  In that cause

s/cause/case/

> +	though, you can rest assured that no significant degradation in
> +	TCP connection setup happens anymore and that even Windows

s/anymore/any more/

> +	clients can make use of window scaling and SACK.</p>
> +    </body>
> +
> +    <help>
> +      <task>Additional testing on busy servers.</task>
> +    </help>
> +  </project>
> </report>
>

Phew, almost done.  Sorry, and thanks!

More information about the svn-doc-all mailing list