svn commit: r42215 - head/en_US.ISO8859-1/htdocs/news/status
Warren Block
wblock at wonkity.com
Tue Jul 9 12:15:57 UTC 2013
On Tue, 9 Jul 2013, Gabor Pali wrote:
> Author: pgj
> Date: Tue Jul 9 08:48:08 2013
> New Revision: 42215
> URL: http://svnweb.freebsd.org/changeset/doc/42215
>
> Log:
> - Add a Q2 report on improved TCP SYN cookies
>
> Submitted by: andre
>
> Modified:
> head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml
>
> Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml
> ==============================================================================
> --- head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml Tue Jul 9 08:33:48 2013 (r42214)
> +++ head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml Tue Jul 9 08:48:08 2013 (r42215)
> @@ -18,7 +18,7 @@
>
> <!-- XXX: keep updating the number of entries -->
> <p>Thanks to all the reporters for the excellent work! This report
> - contains 28 entries and we hope you enjoy reading it.</p>
> + contains 29 entries and we hope you enjoy reading it.</p>
>
> <!-- XXX: set date for the next set of submissions -->
> <p>The deadline for submissions covering between July and September 2013
> @@ -1579,4 +1579,84 @@ functionality through <tt>pkg(8)</tt>.</
> and <tt>CAP_RECV_RIGHTS</tt>.</task>
> </help>
> </project>
> +
> + <project cat='kern'>
> + <title>Improved TCP SYN Cookies</title>
> +
> + <contact>
> + <person>
> + <name>
> + <given>Andre</given>
> + <common>Oppermann</common>
> + </name>
> + <email>andre at FreeBSD.org</email>
> + </person>
> + </contact>
> +
> + <links>
> + <url href="http://docs.freebsd.org/cgi/getmsg.cgi?fetch=28838+0+current/freebsd-net">Description</url>
> + <url href="http://people.freebsd.org/~andre/syncookie-20130708.diff">Patch</url>
> + </links>
> +
> + <body>
> + <p>We have had a SYN cookie implementation for quite some time now
> + but it has some limitations with current realities for window
> + scaling and SACK encoding the in the few available bits.</p>
> +
> + <p>This patch updates and improves SYN cookies mainly by:</p>
> +
> + <ol>
> + <li>Encoding of MSS, WSCALE (window scaling) and SACK into the
> + ISN (initial sequence number) without the use of timestamp
> + bits.</li>
> +
> + <li>Switching to the very fast and cryptographically strong
> + SipHash-2-4 hash MAC algorithm to protect the SYN cookie
> + against forgery.</li>
> + </ol>
> +
> + <p>The common parameters used on TCP sessions have changed quite a
> + bit since SYN cookies very invented some 17 years ago. Today we
s/very/were/
> + have a lot more bandwidth which makes the use window scaling
s/the use/use of/
> + almost mandatory. Also SACK has become standard as it makes
> + recovering from packet loss much more efficient.</p>
> +
> + <p>The original SYN cookies method only stored an indexed MSS
> + values in the cookie. This obviously is not sufficient anymore
s/values/value/
s/anymore/any more/
> + and breaks in the presence of WSCALE. WSCALE information is
> + only exchanged during SYN and SYN-ACK. If we cannot keep track
> + of it then we severely underestimate the available send or
> + receive window, compounded with the fact that with large window
> + scaling the window size information on the TCP segment header
> + would be even lower numerically.</p>
> +
> + <p>A number of years back SYN cookies have been extended to store
s/back SYN/back, SYN/
s/have been/were/
> + the additional state in the TCP timestamp fields, if available
> + on a connection. It has been adopted by Linux as well. While
> + timestamps are common among the BSD, Linux and other Unix
> + systems, Windows never enabled them by default, thus they are
> + not present for the vast majority of clients seen on the
> + Internet.</p>
> +
> + <p>The new improvement in this patch moves all necessary
> + information into the ISN again removing the need for timestamps.
s/again removing/again, removing/
> + Both the MSS and send WSCALE are stored in 3 bit indexed form
> + together with a single bit for SACK. While we cannot represent
> + all possible MSS and WSCALE values, both are 16 bit fields in
> + the TCP header, in only 3 bits each this, it turns out, is not
> + actually necessary.</p>
That last sentence is very unclear. I *think* it means
"While we cannot represent all possible MSS and WSCALE values in
only 3 bits each (both are 16 bit fields in the TCP header), it
turns out that is not actually necessary.</p>"
> + <p>These improvements allow one to run with SYN cookies only on
> + Internet-facing servers. However while SYN cookies are
> + calculated and sent all the time, they are only used when the
> + syn cache overflows due to attacks or overload. In that cause
s/cause/case/
> + though, you can rest assured that no significant degradation in
> + TCP connection setup happens anymore and that even Windows
s/anymore/any more/
> + clients can make use of window scaling and SACK.</p>
> + </body>
> +
> + <help>
> + <task>Additional testing on busy servers.</task>
> + </help>
> + </project>
> </report>
>
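Review bot: The first paragraph of the new <body> has a stray "the" in "SACK encoding the in the few available bits"; it should read "SACK encoding in the few available bits". In the closing paragraph, "allow one to run with SYN cookies only on Internet-facing servers" is ambiguous because "only" can attach either to "SYN cookies" or to "Internet-facing servers"; the following sentence ("they are only used when the syn cache overflows") shows the intended meaning is running with SYN cookies alone, so "allow Internet-facing servers to run on SYN cookies alone" would be clearer, and "syn cache" there should be "SYN cache" to match the capitalization of "SYN cookies" and "SYN-ACK" used elsewhere in the entry. In the second <li>, "hash MAC algorithm" is redundant phrasing; "keyed hash (MAC)" says the same thing and makes clear that forgery protection comes from the key, which is the point of that item.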
Phew, almost done. Sorry, and thanks!