From: Eric Dumazet <edumazet@google.com>
To: zhaoya.gaius@bytedance.com
Cc: David Miller <davem@davemloft.net>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
netdev <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Florian Westphal <fw@strlen.de>
Subject: Re: [PATCH] tcp: fix silent loss when syncookie is trigered
Date: Fri, 16 Apr 2021 13:52:10 +0200 [thread overview]
Message-ID: <CANn89iJ5-4u98sGXt6oH5ZbWGFcYCy3T-B+qktvm3-cMkFQXKA@mail.gmail.com> (raw)
In-Reply-To: <20210416105142.38149-1-zhaoya.gaius@bytedance.com>
On Fri, Apr 16, 2021 at 12:52 PM zhaoya <zhaoya.gaius@bytedance.com> wrote:
>
> When syncookie is triggered, since $MSSID is spliced into cookie and
> the legal index of msstab is 0,1,2,3, this gives client 3 bytes
> of freedom, resulting in at most 3 bytes of silent loss.
>
> C ------------seq=12345-------------> S
> C <------seq=cookie/ack=12346-------- S S generated the cookie
> [RFC4987 Appendix A]
> C ---seq=123456/ack=cookie+1-->X S The first byte was loss.
> C -----seq=123457/ack=cookie+1------> S The second byte was received and
> cookie-check was still okay and
> handshake was finished.
> C <--------seq=.../ack=12348--------- S acknowledge the second byte.
I think this has been discussed in the past :
https://kognitio.com/blog/syn-cookies-ate-my-dog-breaking-tcp-on-linux/
If I remember well, this can not be fixed "easily"
I suspect you are trading one minor issue with another (which is
considered more practical these days)
Have you tried what happens if the server receives an out-of-order
packet after the SYN & SYN-ACK ?
The answer is : RST packet is sent, killing the session.
That is the reason why sseq is not part of the hash key.
In practice, secure connexions are using a setup phase where more than
3 bytes are sent in the first packet.
We recommend using secure protocols over TCP. (prefer HTTPS over HTTP,
SSL over plaintext)
Your change would severely impair servers under DDOS ability to really
establish flows.
Now, if your patch is protected by a sysctl so that admins can choose
the preferred behavior, then why not...
next parent reply other threads:[~2021-04-16 11:52 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20210416105142.38149-1-zhaoya.gaius@bytedance.com>
2021-04-16 11:52 ` Eric Dumazet [this message]
2021-04-16 22:45 ` [External] Re: [PATCH] tcp: fix silent loss when syncookie is trigered 赵亚
2021-04-17 4:58 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CANn89iJ5-4u98sGXt6oH5ZbWGFcYCy3T-B+qktvm3-cMkFQXKA@mail.gmail.com \
--to=edumazet@google.com \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=yoshfuji@linux-ipv6.org \
--cc=zhaoya.gaius@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.