From mboxrd@z Thu Jan 1 00:00:00 1970
From: Christoph Paasch
Subject: [PATCH net-next 0/5] tcp: Introduce a TFO key-pool for clean cookie-rotation
Date: Fri, 14 Dec 2018 14:40:02 -0800
Message-ID: <20181214224007.54813-1-cpaasch@apple.com>
Content-Transfer-Encoding: 7BIT
Cc: Eric Dumazet , Yuchung Cheng , David Miller
To: netdev@vger.kernel.org
Return-path:
Received: from nwk-aaemail-lapp02.apple.com ([17.151.62.67]:49964 "EHLO nwk-aaemail-lapp02.apple.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729803AbeLNWkl (ORCPT ); Fri, 14 Dec 2018 17:40:41 -0500
Sender: netdev-owner@vger.kernel.org
List-ID:

Currently, TFO only allows a single TFO-secret. This means that whenever
the secret gets changed for key-rotation purposes, all the previously
issued TFO-cookies become invalid. This means that clients will fall back
to "regular" TCP, incurring a cost of one additional round-trip.

This patchset introduces a TFO key-pool that allows the key to be changed
more gracefully. The size of the pool is 2 (this could be changed in the
future through a sysctl if needed). When a client connects with an "old"
TFO cookie, the server will now accept the data in the SYN and at the same
time announce a new TFO-cookie to the client.

We have seen a significant reduction of LINUX_MIB_TCPFASTOPENPASSIVEFAIL
thanks to these patches. Invalid cookies are now solely observed when
clients behind a NAT are getting a new public IP.

Christoph Paasch (5):
  tcp: Create list of TFO-contexts
  tcp: TFO: search for correct cookie and accept data
  tcp: Print list of TFO-keys from proc
  tcp: Allow getsockopt of listener's keypool
  tcp: TFO - cleanup code duplication

 include/net/tcp.h          |   2 +
 include/uapi/linux/snmp.h  |   1 +
 net/ipv4/proc.c            |   1 +
 net/ipv4/sysctl_net_ipv4.c |  41 +++++++--
 net/ipv4/tcp.c             |  15 ++-
 net/ipv4/tcp_fastopen.c    | 192 +++++++++++++++++++++++++++++++++++----------
 6 files changed, 193 insertions(+), 59 deletions(-)

-- 
2.16.2
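The rotation behaviour the cover letter describes, as an added walkthrough in C that is not part of the patchset and does not reuse any kernel code: a two-slot key pool (the size the cover letter settles on), a server-side check that tries the SYN's cookie against every key in the pool, accepts the SYN data on a match with the backup key while minting a replacement cookie under the primary key, and falls back to regular TCP only when no key matches. The cookie function `tfo_cookie_gen` is a deliberately toy keyed hash standing in for the kernel's real construction; it, the pool struct, the status enum and the sample keys and client address are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TFO_KEY_POOL_SIZE 2   /* pool size from the cover letter */
#define TFO_KEY_LEN       16
#define TFO_COOKIE_LEN    8

/* Assumed layout: key[0] is the primary (cookies are minted with it),
 * key[1] the previous primary, kept so old cookies stay acceptable. */
struct tfo_key_pool {
    uint8_t key[TFO_KEY_POOL_SIZE][TFO_KEY_LEN];
    int     num_keys;
};

enum tfo_cookie_status { TFO_COOKIE_INVALID = 0, TFO_COOKIE_PRIMARY = 1, TFO_COOKIE_BACKUP = 2 };

/* Toy keyed hash over (key, client IP).  Stand-in for the kernel's real
 * cookie construction, NOT a secure MAC; the rotation logic is the point. */
static uint64_t tfo_mix(uint64_t h, uint8_t b) { h ^= b; h *= 0x100000001b3ULL; return h ^ (h >> 29); }

static void tfo_cookie_gen(const uint8_t key[TFO_KEY_LEN], uint32_t client_ip,
                           uint8_t cookie[TFO_COOKIE_LEN])
{
    uint64_t h = 0x9e3779b97f4a7c15ULL;
    for (int i = 0; i < TFO_KEY_LEN; i++) h = tfo_mix(h, key[i]);
    for (int i = 0; i < 4; i++) h = tfo_mix(h, (uint8_t)(client_ip >> (8 * i)));
    for (int i = 0; i < TFO_COOKIE_LEN; i++) cookie[i] = (uint8_t)(h >> (8 * i));
}

/* Constant-time compare so the cookie check does not leak bytes via timing. */
static int tfo_cookie_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (int i = 0; i < TFO_COOKIE_LEN; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Install a new primary; the old primary slides to the backup slot and the
 * key in the last slot is evicted, so its cookies stop being accepted. */
static void tfo_key_pool_rotate(struct tfo_key_pool *pool, const uint8_t newkey[TFO_KEY_LEN])
{
    for (int i = TFO_KEY_POOL_SIZE - 1; i > 0; i--) memcpy(pool->key[i], pool->key[i - 1], TFO_KEY_LEN);
    memcpy(pool->key[0], newkey, TFO_KEY_LEN);
    if (pool->num_keys < TFO_KEY_POOL_SIZE) pool->num_keys++;
}

/* Server side.  Primary match: normal TFO.  Backup match: still accept the
 * SYN data (no extra RTT) but mint a fresh cookie with the primary key for
 * the client to use next time.  No match: regular TCP fallback. */
static enum tfo_cookie_status
tfo_server_check(const struct tfo_key_pool *pool, uint32_t client_ip,
                 const uint8_t cookie[TFO_COOKIE_LEN], uint8_t fresh_cookie[TFO_COOKIE_LEN])
{
    uint8_t expected[TFO_COOKIE_LEN];

    for (int i = 0; i < pool->num_keys; i++) {
        tfo_cookie_gen(pool->key[i], client_ip, expected);
        if (!tfo_cookie_equal(expected, cookie)) continue;
        if (i == 0) return TFO_COOKIE_PRIMARY;
        tfo_cookie_gen(pool->key[0], client_ip, fresh_cookie);
        return TFO_COOKIE_BACKUP;
    }
    return TFO_COOKIE_INVALID;
}

/* Walk one client through two rotations.  The four outcomes are packed one
 * nibble each (step 0 in bits 0-3) so a caller can check them in one go. */
static unsigned tfo_rotation_walkthrough(void)
{
    static const uint8_t key_a[TFO_KEY_LEN] = "tfo-key-A-00000";   /* constructed sample keys */
    static const uint8_t key_b[TFO_KEY_LEN] = "tfo-key-B-00000";
    static const uint8_t key_c[TFO_KEY_LEN] = "tfo-key-C-00000";
    const uint32_t client_ip = 0xC0A80001u;                       /* constructed: 192.168.0.1 */
    struct tfo_key_pool pool = { .num_keys = 0 };
    uint8_t cookie[TFO_COOKIE_LEN], fresh[TFO_COOKIE_LEN], stale[TFO_COOKIE_LEN];
    unsigned steps = 0, st;

    tfo_key_pool_rotate(&pool, key_a);
    tfo_cookie_gen(pool.key[0], client_ip, cookie);              /* client gets a cookie under A */
    steps |= tfo_server_check(&pool, client_ip, cookie, fresh);  /* step 0: primary */

    tfo_key_pool_rotate(&pool, key_b);                           /* B primary, A backup */
    st = tfo_server_check(&pool, client_ip, cookie, fresh);      /* step 1: backup, data accepted */
    if (st == TFO_COOKIE_BACKUP) memcpy(cookie, fresh, TFO_COOKIE_LEN); /* client adopts new cookie */
    steps |= st << 4;
    steps |= tfo_server_check(&pool, client_ip, cookie, fresh) << 8;   /* step 2: primary again */

    tfo_key_pool_rotate(&pool, key_c);                           /* C primary, B backup, A evicted */
    tfo_cookie_gen(key_a, client_ip, stale);                     /* a client that never refreshed */
    steps |= tfo_server_check(&pool, client_ip, stale, fresh) << 12;   /* step 3: invalid, fallback */
    return steps;
}

int main(void)
{
    static const char *name[] = { "invalid (fallback)", "primary", "backup (accepted, re-issued)" };
    unsigned steps = tfo_rotation_walkthrough();
    for (int i = 0; i < 4; i++) printf("step %d: %s\n", i, name[(steps >> (4 * i)) & 0xf]);
    return 0;
}
```

Step 1 is the case the patchset adds: with a single secret the old cookie would be rejected and the client would pay the extra round-trip; with the pool the data rides the SYN and the client leaves with a current cookie. Step 3 shows the limit of a pool of 2: a cookie from two rotations ago is gone, so rotation cadence still has to be slower than the interval at which clients reconnect.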