From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Dumazet
Subject: Re: updates to syncookies - timestamps not needed any more (freebsd)
Date: Fri, 12 Jul 2013 07:32:43 -0700
Message-ID: <1373639563.10804.10.camel@edumazet-glaptop>
References: <20130708160421.GA9763@order.stressinduktion.org>
 <20130711.165726.2168148122875413191.davem@davemloft.net>
 <20130712084145.GJ27468@breakpoint.cc>
 <1373637885.10804.7.camel@edumazet-glaptop>
 <20130712142521.GA22686@breakpoint.cc>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: David Miller , hannes@stressinduktion.org, netdev@vger.kernel.org
To: Florian Westphal
Return-path:
Received: from mail-pa0-f47.google.com ([209.85.220.47]:42112 "EHLO
 mail-pa0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1757178Ab3GLOcp (ORCPT ); Fri, 12 Jul 2013 10:32:45 -0400
Received: by mail-pa0-f47.google.com with SMTP id kl14so9066423pab.34
 for ; Fri, 12 Jul 2013 07:32:45 -0700 (PDT)
In-Reply-To: <20130712142521.GA22686@breakpoint.cc>
Sender: netdev-owner@vger.kernel.org
List-ID:

On Fri, 2013-07-12 at 16:25 +0200, Florian Westphal wrote:
> Eric Dumazet wrote:
> > On Fri, 2013-07-12 at 10:41 +0200, Florian Westphal wrote:
> >
> > > The main difference to what linux does is to avoid encoding the 'count'
> > > value (Linux doesn't reseed secret[], and relies on count to detect old
> > > cookies).
> > >
> > > Not having the counter frees up space to encode tcp options in the cookie
> > > instead of the timestamp.
> >
> > But still wscale and sack options are disabled.
>
> Yes, in Linux sack and wscale will be encoded in the timestamp, as
> cookie is already restricted to 24 bits due to counter.
>
> Without the counter, that could be changed to allow sack/wscale even
> with ts off.

Another quick hack would be to allow sack being generated by the client.

If we receive sackOK in SYN, then syncookie SYNACK could contain sackOK,
if timestamps are not used.

Client would be allowed to use SACK in his ACK.

Server would not generate SACK, but would process incoming SACK.

Not sure what could break ?
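
The timestamp encoding referred to in the quoted text, as an added example (not part of the original mail and not the kernel's code): the server packs the client's wscale and sackOK into the low bits of the TSval it sends in the SYN-ACK and recovers them from TSecr in the final ACK. The 6-bit field width, the 0xf sentinel and all names are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TSBITS    6u                   /* assumed: low TSval bits reserved for options */
#define TSMASK    ((1u << TSBITS) - 1u)
#define NO_WSCALE 0xfu                 /* assumed sentinel: window scaling not offered */

struct syn_opts { bool wscale_ok; uint8_t wscale; bool sack_ok; };

/* SYN-ACK: store the client's options in the low bits of the TSval we send. */
static uint32_t ts_encode(uint32_t now, struct syn_opts o)
{
    uint32_t bits = o.wscale_ok ? (o.wscale & 0xfu) : NO_WSCALE;
    bits |= (uint32_t)o.sack_ok << 4;

    uint32_t ts = (now & ~TSMASK) | bits;
    if (ts > now)                      /* never advertise a clock ahead of our own */
        ts = (((ts >> TSBITS) - 1u) << TSBITS) | bits;
    return ts;
}

/* Final ACK: no state was kept, so the echoed TSecr is the only source. */
static struct syn_opts ts_decode(bool ack_has_ts, uint32_t tsecr)
{
    struct syn_opts o = { false, 0, false };
    if (!ack_has_ts)
        return o;                      /* timestamps off: wscale and SACK are lost */

    uint32_t bits = tsecr & TSMASK;
    o.sack_ok = (bits >> 4) & 1u;
    if ((bits & 0xfu) != NO_WSCALE) {
        o.wscale_ok = true;
        o.wscale = (uint8_t)(bits & 0xfu);
    }
    return o;
}

int main(void)
{
    struct syn_opts syn = { true, 7, true };          /* constructed sample SYN */
    uint32_t tsval = ts_encode(1000, syn);
    struct syn_opts with_ts = ts_decode(true, tsval);
    struct syn_opts no_ts = ts_decode(false, 0);
    printf("tsval=%u wscale=%u sack=%d | no ts: wscale_ok=%d sack=%d\n",
           (unsigned)tsval, (unsigned)with_ts.wscale, with_ts.sack_ok,
           no_ts.wscale_ok, no_ts.sack_ok);
    return 0;
}
```

The `ack_has_ts == false` branch is the case this thread is about: with timestamps off nothing survives the stateless handshake, so wscale and SACK stay disabled.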