From: David Miller <davem@davemloft.net>
To: cpaasch@apple.com
Cc: netdev@vger.kernel.org, edumazet@google.com, ycheng@google.com
Subject: Re: [PATCH net-next 0/5] tcp: Introduce a TFO key-pool for clean cookie-rotation
Date: Sun, 16 Dec 2018 12:19:52 -0800 (PST) [thread overview]
Message-ID: <20181216.121952.1167815839571774345.davem@davemloft.net> (raw)
In-Reply-To: <20181214224007.54813-1-cpaasch@apple.com>
From: Christoph Paasch <cpaasch@apple.com>
Date: Fri, 14 Dec 2018 14:40:02 -0800
> Currently, TFO only allows a single TFO-secret. This means that whenever
> the secret gets changed for key-rotation purposes, all the previously
> issued TFO-cookies become invalid. This means that clients will fallback
> to "regular" TCP, incurring a cost of one additional round-trip.
>
> This patchset introduces a TFO key-pool that allows to more gracefully
> change the key. The size of the pool is 2 (this could be changed in the
> future through a sysctl if needed). When a client connects with an "old"
> TFO cookie, the server will now accept the data in the SYN and at the
> same time announce a new TFO-cookie to the client.
>
> We have seen a significant reduction of LINUX_MIB_TCPFASTOPENPASSIVEFAIL
> thanks to these patches. Invalid cookies are now solely observed when
> clients behind a NAT are getting a new public IP.
Yuchung and Eric, please review.
next prev parent reply other threads:[~2018-12-16 20:19 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-14 22:40 [PATCH net-next 0/5] tcp: Introduce a TFO key-pool for clean cookie-rotation Christoph Paasch
2018-12-14 22:40 ` [PATCH net-next 1/5] tcp: Create list of TFO-contexts Christoph Paasch
2018-12-17 6:31 ` Eric Dumazet
2018-12-17 15:49 ` Christoph Paasch
2018-12-17 16:07 ` Eric Dumazet
2018-12-17 16:04 ` Eric Dumazet
2018-12-17 21:57 ` Christoph Paasch
2018-12-17 22:01 ` Eric Dumazet
2018-12-17 22:50 ` Christoph Paasch
2018-12-14 22:40 ` [PATCH net-next 2/5] tcp: TFO: search for correct cookie and accept data Christoph Paasch
2018-12-17 6:30 ` Eric Dumazet
2018-12-17 22:59 ` Christoph Paasch
2018-12-14 22:40 ` [PATCH net-next 3/5] tcp: Print list of TFO-keys from proc Christoph Paasch
2018-12-17 6:32 ` Eric Dumazet
2018-12-17 16:52 ` Yuchung Cheng
2018-12-17 23:35 ` Christoph Paasch
2018-12-17 23:49 ` Yuchung Cheng
2018-12-14 22:40 ` [PATCH net-next 4/5] tcp: Allow getsockopt of listener's keypool Christoph Paasch
2018-12-14 22:40 ` [PATCH net-next 5/5] tcp: TFO - cleanup code duplication Christoph Paasch
2018-12-17 6:33 ` Eric Dumazet
2018-12-18 0:16 ` Christoph Paasch
2018-12-16 20:19 ` David Miller [this message]
2018-12-17 5:54 ` [PATCH net-next 0/5] tcp: Introduce a TFO key-pool for clean cookie-rotation Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181216.121952.1167815839571774345.davem@davemloft.net \
--to=davem@davemloft.net \
--cc=cpaasch@apple.com \
--cc=edumazet@google.com \
--cc=netdev@vger.kernel.org \
--cc=ycheng@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.