updates to syncookies - timestamps not needed any more (freebsd)

From: Hannes Frederic Sowa @ 2013-07-08 16:04 UTC
To: netdev

Interesting patch by Andre Oppermann of FreeBSD:

<http://lists.freebsd.org/pipermail/freebsd-net/2013-July/035999.html>

Greetings,

  Hannes

From: Eric Dumazet @ 2013-07-08 16:39 UTC
To: Hannes Frederic Sowa; Cc: netdev

On Mon, 2013-07-08 at 18:04 +0200, Hannes Frederic Sowa wrote:
> Interesting patch by Andre Oppermann of FreeBSD:
> <http://lists.freebsd.org/pipermail/freebsd-net/2013-July/035999.html>
>
> Greetings,

Switching from SHA to SipHash would be nice, if SipHash is secure enough.

(We do not use MD5 but SHA for syncookies)

From: Hannes Frederic Sowa @ 2013-07-08 18:09 UTC
To: Eric Dumazet; Cc: netdev

On Mon, Jul 08, 2013 at 09:39:38AM -0700, Eric Dumazet wrote:
> On Mon, 2013-07-08 at 18:04 +0200, Hannes Frederic Sowa wrote:
> > Interesting patch by Andre Oppermann of FreeBSD:
> > <http://lists.freebsd.org/pipermail/freebsd-net/2013-July/035999.html>
> >
> > Greetings,
>
> Switching from SHA to SipHash would be nice, if SipHash is secure
> enough.
>
> (We do not use MD5 but SHA for syncookies)

Blake2[0] came to my mind when I read this. It is by one of the same
authors as SipHash.

[0] https://blake2.net/

Greetings,

  Hannes

From: David Miller @ 2013-07-11 23:57 UTC
To: hannes; Cc: netdev

From: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Mon, 8 Jul 2013 18:04:21 +0200

> Interesting patch by Andre Oppermann of FreeBSD:
> <http://lists.freebsd.org/pipermail/freebsd-net/2013-July/035999.html>

Interesting work, but outside of the change of hash function I'm not so
sure. The whole reason we went to the timestamp field was to eliminate
the coarse tables.

I understand that he claims that 99.99% of connections are handled by
the values he has chosen, but this is still a step backwards in my
opinion.

From: Hannes Frederic Sowa @ 2013-07-12 1:41 UTC
To: David Miller; Cc: netdev

On Thu, Jul 11, 2013 at 04:57:26PM -0700, David Miller wrote:
> From: Hannes Frederic Sowa <hannes@stressinduktion.org>
> Date: Mon, 8 Jul 2013 18:04:21 +0200
>
> > Interesting patch by Andre Oppermann of FreeBSD:
> > <http://lists.freebsd.org/pipermail/freebsd-net/2013-July/035999.html>
>
> Interesting work, but outside of the change of hash function I'm not so
> sure. The whole reason we went to the timestamp field was to eliminate
> the coarse tables.
>
> I understand that he claims that 99.99% of connections are handled by
> the values he has chosen, but this is still a step backwards in my
> opinion.

If I understood this thread[0] correctly, it seems Windows 8 might not
enable TCP timestamps by default? I cannot verify, I currently have
no Windows installations near me. That would mean Linux does, too,
fall back to an unscaled window connection as soon as syncookies kick in
(but we would not end up with an unsynchronized window scale option).

[0] http://thread.gmane.org/gmane.os.freebsd.devel.net/38211/focus=38216

Greetings,

  Hannes

From: Eric Dumazet @ 2013-07-12 2:25 UTC
To: Hannes Frederic Sowa; Cc: David Miller, netdev

On Fri, 2013-07-12 at 03:41 +0200, Hannes Frederic Sowa wrote:
> If I understood this thread[0] correctly, it seems Windows 8 might not
> enable TCP timestamps by default?

Who cares about Windows 8 anyway? ;)

From: richard -rw- weinberger @ 2013-07-12 6:59 UTC
To: David Miller, netdev

On Fri, Jul 12, 2013 at 3:41 AM, Hannes Frederic Sowa
<hannes@stressinduktion.org> wrote:
> On Thu, Jul 11, 2013 at 04:57:26PM -0700, David Miller wrote:
>> From: Hannes Frederic Sowa <hannes@stressinduktion.org>
>> Date: Mon, 8 Jul 2013 18:04:21 +0200
>>
>> > Interesting patch by Andre Oppermann of FreeBSD:
>> > <http://lists.freebsd.org/pipermail/freebsd-net/2013-July/035999.html>
>>
>> Interesting work, but outside of the change of hash function I'm not so
>> sure. The whole reason we went to the timestamp field was to eliminate
>> the coarse tables.
>>
>> I understand that he claims that 99.99% of connections are handled by
>> the values he has chosen, but this is still a step backwards in my
>> opinion.
>
> If I understood this thread[0] correctly, it seems Windows 8 might not
> enable TCP timestamps by default? I cannot verify, I currently have
> no Windows installations near me. That would mean Linux does, too,
> fall back to an unscaled window connection as soon as syncookies kick in
> (but we would not end up with an unsynchronized window scale option).

My Windows 8 workstations here have it disabled by default.

--
Thanks,
//richard

From: Rick Jones @ 2013-07-12 15:22 UTC
To: richard -rw- weinberger; Cc: David Miller, netdev

On 07/11/2013 11:59 PM, richard -rw- weinberger wrote:
> My Windows 8 workstations here have it disabled by default.

Do they enable window scaling?

rick jones

From: Eric Dumazet @ 2013-07-12 16:18 UTC
To: Rick Jones; Cc: richard -rw- weinberger, David Miller, netdev

On Fri, 2013-07-12 at 08:22 -0700, Rick Jones wrote:
> On 07/11/2013 11:59 PM, richard -rw- weinberger wrote:
> > My Windows 8 workstations here have it disabled by default.
>
> Do they enable window scaling?

Yes, they do.

From: Rick Jones @ 2013-07-12 16:33 UTC
To: Eric Dumazet; Cc: richard -rw- weinberger, David Miller, netdev

On 07/12/2013 09:18 AM, Eric Dumazet wrote:
> On Fri, 2013-07-12 at 08:22 -0700, Rick Jones wrote:
>> On 07/11/2013 11:59 PM, richard -rw- weinberger wrote:
>>> My Windows 8 workstations here have it disabled by default.
>>
>> Do they enable window scaling?
>
> Yes, they do.

Tsk, tsk, tsk... or am I believing too strongly in the importance of
protection against wrapped sequence numbers?

rick jones

From: Eric Dumazet @ 2013-07-12 17:00 UTC
To: Rick Jones; Cc: richard -rw- weinberger, David Miller, netdev

On Fri, 2013-07-12 at 09:33 -0700, Rick Jones wrote:
> Tsk, tsk, tsk... or am I believing too strongly in the importance of
> protection against wrapped sequence numbers?

Presumably Microsoft do not expect their machines to be able to transfer
TCP at high speed...

From: David Miller @ 2013-07-12 7:24 UTC
To: hannes; Cc: netdev

From: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Fri, 12 Jul 2013 03:41:38 +0200

> If I understood this thread[0] correctly, it seems Windows 8 might not
> enable TCP timestamps by default?

That is true, and my opinion of the situation took this into
consideration.

From: Florian Westphal @ 2013-07-12 8:41 UTC
To: David Miller; Cc: hannes, netdev

David Miller <davem@davemloft.net> wrote:
> From: Hannes Frederic Sowa <hannes@stressinduktion.org>
> Date: Mon, 8 Jul 2013 18:04:21 +0200
>
> > Interesting patch by Andre Oppermann of FreeBSD:
> > <http://lists.freebsd.org/pipermail/freebsd-net/2013-July/035999.html>
>
> Interesting work, but outside of the change of hash function I'm not so
> sure. The whole reason we went to the timestamp field was to eliminate
> the coarse tables.
>
> I understand that he claims that 99.99% of connections are handled by
> the values he has chosen, but this is still a step backwards in my
> opinion.

The main difference to what Linux does is to avoid encoding the 'count'
value (Linux doesn't reseed secret[], and relies on count to detect old
cookies).

Not having the counter frees up space to encode TCP options in the cookie
instead of the timestamp.

From: Eric Dumazet @ 2013-07-12 14:04 UTC
To: Florian Westphal; Cc: David Miller, hannes, netdev

On Fri, 2013-07-12 at 10:41 +0200, Florian Westphal wrote:
> The main difference to what Linux does is to avoid encoding the 'count'
> value (Linux doesn't reseed secret[], and relies on count to detect old
> cookies).
>
> Not having the counter frees up space to encode TCP options in the cookie
> instead of the timestamp.

But still wscale and sack options are disabled.

lpq83:~# echo 0 >/proc/sys/net/ipv4/tcp_timestamps
lpq83:~# tcpdump -p -n -s 0 -i eth4
07:03:37.337563 IP 7.7.7.84.64131 > 7.7.7.83.22: S 1523884225:1523884225(0) win 29200 <mss 1460,sackOK,timestamp 74412758 0,nop,wscale 6>
07:03:37.337588 IP 7.7.7.83.22 > 7.7.7.84.64131: S 572330188:572330188(0) ack 1523884226 win 29200 <mss 1460>
07:03:37.337647 IP 7.7.7.84.64131 > 7.7.7.83.22: . ack 1 win 29200

BTW, the following patch allows testing syncookies behavior more easily.

If sysctl_tcp_syncookies is set to 2, we always use syncookies.

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 35675e4..590659e 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1462,7 +1462,8 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
 	 * limitations, they conserve resources and peer is
 	 * evidently real one.
 	 */
-	if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
+	if ((sysctl_tcp_syncookies == 2 ||
+	     inet_csk_reqsk_queue_is_full(sk)) && !isn) {
 		want_cookie = tcp_syn_flood_action(sk, skb, "TCP");
 		if (!want_cookie)
 			goto drop;

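Review bot: with sysctl_tcp_syncookies == 2 every SYN now goes through tcp_syn_flood_action(), so the SYN-flood warning it prints to the console will fire on ordinary traffic for as long as the test knob is set; gate or drop that message when the value is 2 rather than only when the accept queue is actually full. The same condition should be mirrored in the IPv6 conn-request path in tcp_ipv6.c, otherwise v4 and v6 listeners behave differently under the same sysctl, and the new value 2 needs an entry in ip-sysctl.txt.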
From: Florian Westphal @ 2013-07-12 14:25 UTC
To: Eric Dumazet; Cc: Florian Westphal, David Miller, hannes, netdev

Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Fri, 2013-07-12 at 10:41 +0200, Florian Westphal wrote:
>
> > The main difference to what Linux does is to avoid encoding the 'count'
> > value (Linux doesn't reseed secret[], and relies on count to detect old
> > cookies).
> >
> > Not having the counter frees up space to encode TCP options in the cookie
> > instead of the timestamp.
>
> But still wscale and sack options are disabled.

Yes, in Linux sack and wscale will be encoded in the timestamp, as
cookie is already restricted to 24 bits due to counter.

Without the counter, that could be changed to allow sack/wscale even
with ts off.

> BTW, the following patch allows testing syncookies behavior more easily.
>
> If sysctl_tcp_syncookies is set to 2, we always use syncookies.

I think this change would be useful.

> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -1462,7 +1462,8 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
>  	 * limitations, they conserve resources and peer is
>  	 * evidently real one.
>  	 */
> -	if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
> +	if ((sysctl_tcp_syncookies == 2 ||
> +	     inet_csk_reqsk_queue_is_full(sk)) && !isn) {
>  		want_cookie = tcp_syn_flood_action(sk, skb, "TCP");
>  		if (!want_cookie)

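A worked model of the Linux layout Florian describes in the two messages above, added here as an example (not code from the thread or from the kernel): the counter takes the top 8 bits of the server ISN, leaving 24 bits of keyed data for the MSS table index, while wscale/sack/ecn ride in the low 6 bits of TSval, which is exactly what is lost when either side runs with timestamps off. It follows the structure of net/ipv4/syncookies.c of that era; keyed BLAKE2s stands in for the kernel's SHA-1 over secret[], the secrets are constructed values, the 4-tuple in the tests is taken from Eric's trace, and the minute counter is passed in explicitly instead of being read from the clock.

```python
import hashlib
import struct

COOKIEBITS = 24                    # low 24 bits carry per-connection data
COOKIEMASK = (1 << COOKIEBITS) - 1
MAX_SYNCOOKIE_AGE = 2              # counter ticks (minutes) before a cookie is stale
MSSTAB = (536, 1300, 1440, 1460)   # MSS values Linux could encode in the cookie
TSBITS = 6                         # low 6 bits of TSval carry option flags
TSMASK = (1 << TSBITS) - 1

# Constructed secrets standing in for the two secret[] arrays Linux seeds once
# and never reseeds (that is why the counter is needed to age out cookies).
SECRET = (b"\x01" * 32, b"\x02" * 32)

def cookie_hash(saddr, daddr, sport, dport, count, c):
    """Keyed hash over the 4-tuple and counter. Linux used SHA-1 with secret[c];
    keyed BLAKE2s stands in for it here (same role, not the kernel's code)."""
    msg = struct.pack(">IIHHI", saddr, daddr, sport, dport, count)
    digest = hashlib.blake2s(msg, key=SECRET[c], digest_size=4).digest()
    return struct.unpack(">I", digest)[0]

def mss_index(mss):
    """Index of the largest table entry not above the peer's advertised MSS."""
    return max((i for i, v in enumerate(MSSTAB) if v <= mss), default=0)

def make_cookie(saddr, daddr, sport, dport, sseq, mss, count):
    """Server ISN: hash + client ISN + counter in the top 8 bits, keyed MSS
    index in the low 24 bits (the 24-bit restriction Florian refers to)."""
    data = mss_index(mss)
    return (cookie_hash(saddr, daddr, sport, dport, 0, 0) + sseq
            + (count << COOKIEBITS)
            + ((cookie_hash(saddr, daddr, sport, dport, count, 1) + data)
               & COOKIEMASK)) & 0xFFFFFFFF

def check_cookie(cookie, saddr, daddr, sport, dport, sseq, now):
    """Return the MSS carried by a valid, fresh cookie, else None."""
    cookie = (cookie - cookie_hash(saddr, daddr, sport, dport, 0, 0) - sseq) & 0xFFFFFFFF
    diff = (now - (cookie >> COOKIEBITS)) & (0xFFFFFFFF >> COOKIEBITS)
    if diff >= MAX_SYNCOOKIE_AGE:
        return None            # counter too old (or ahead of us): stale cookie
    data = (cookie - cookie_hash(saddr, daddr, sport, dport, now - diff, 1)) & COOKIEMASK
    if data >= len(MSSTAB):
        return None            # a forged or damaged cookie decodes to garbage
    return MSSTAB[data]

def encode_ts_options(ts_now, wscale, sack_ok, ecn_ok):
    """Fold wscale/sack/ecn into the low 6 bits of TSval without letting the
    value run ahead of the real clock; 0xF in the wscale field means 'none'."""
    options = (0xF if wscale is None else wscale) | (sack_ok << 4) | (ecn_ok << 5)
    ts = (ts_now & ~TSMASK) | options
    if ts > ts_now:            # rounding up would overtake the clock: step back one tick
        ts = (((ts >> TSBITS) - 1) << TSBITS) | options
    return ts & 0xFFFFFFFF

def decode_ts_options(tsecr):
    """Recover the options from the TSecr the client echoes back in its ACK."""
    wscale = tsecr & 0xF
    return {"wscale": None if wscale == 0xF else wscale,
            "sack_ok": bool((tsecr >> 4) & 1), "ecn_ok": bool((tsecr >> 5) & 1)}
```

A forged ISN is rejected only because its 24-bit payload fails to decode to one of the four MSS indices, so the check is worth roughly 22 bits; that is the price of the counter that Florian's "restricted to 24 bits" remark points at.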
From: Eric Dumazet @ 2013-07-12 14:32 UTC
To: Florian Westphal; Cc: David Miller, hannes, netdev

On Fri, 2013-07-12 at 16:25 +0200, Florian Westphal wrote:
> Eric Dumazet <eric.dumazet@gmail.com> wrote:
> > On Fri, 2013-07-12 at 10:41 +0200, Florian Westphal wrote:
> >
> > > The main difference to what Linux does is to avoid encoding the 'count'
> > > value (Linux doesn't reseed secret[], and relies on count to detect old
> > > cookies).
> > >
> > > Not having the counter frees up space to encode TCP options in the cookie
> > > instead of the timestamp.
> >
> > But still wscale and sack options are disabled.
>
> Yes, in Linux sack and wscale will be encoded in the timestamp, as
> cookie is already restricted to 24 bits due to counter.
>
> Without the counter, that could be changed to allow sack/wscale even
> with ts off.

Another quick hack would be to allow SACK being generated by the client.

If we receive sackOK in SYN, then the syncookie SYNACK could contain sackOK,
if timestamps are not used.

Client would be allowed to use SACK in his ACK. Server would not
generate SACK, but would process incoming SACK.

Not sure what could break?

From: David Miller @ 2013-07-12 23:37 UTC
To: eric.dumazet; Cc: fw, hannes, netdev

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Fri, 12 Jul 2013 07:32:43 -0700

> Another quick hack would be to allow SACK being generated by the client.
>
> If we receive sackOK in SYN, then the syncookie SYNACK could contain sackOK,
> if timestamps are not used.
>
> Client would be allowed to use SACK in his ACK. Server would not
> generate SACK, but would process incoming SACK.
>
> Not sure what could break?

This seems quite clumsy and would result in being able to use SACK only
in one direction. There has to be a better way.

From: Hannes Frederic Sowa @ 2013-07-26 6:45 UTC
To: Eric Dumazet; Cc: Florian Westphal, David Miller, netdev

Hi Eric!

On Fri, Jul 12, 2013 at 07:04:45AM -0700, Eric Dumazet wrote:
> BTW, the following patch allows testing syncookies behavior more easily.
>
> If sysctl_tcp_syncookies is set to 2, we always use syncookies.
>
> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> index 35675e4..590659e 100644
> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -1462,7 +1462,8 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
>  	 * limitations, they conserve resources and peer is
>  	 * evidently real one.
>  	 */
> -	if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
> +	if ((sysctl_tcp_syncookies == 2 ||
> +	     inet_csk_reqsk_queue_is_full(sk)) && !isn) {
>  		want_cookie = tcp_syn_flood_action(sk, skb, "TCP");
>  		if (!want_cookie)
>  			goto drop;
>

While cleaning up my patch directory I found this snippet. Perhaps you
could send it for inclusion in net-next? Three nice additions: a similar
change in tcp_ipv6.c and perhaps get rid of the warning messages printed
to the console in case of syncookies == 2? A small update to ip-sysctl.txt
wouldn't hurt either.

If you want to, I can take it and refresh it.

Thanks,

  Hannes

From: Eric Dumazet @ 2013-07-26 12:56 UTC
To: Hannes Frederic Sowa; Cc: Florian Westphal, David Miller, netdev

On Fri, 2013-07-26 at 08:45 +0200, Hannes Frederic Sowa wrote:
> Hi Eric!

Hi Hannes

> While cleaning up my patch directory I found this snippet. Perhaps you
> could send it for inclusion in net-next? Three nice additions: a similar
> change in tcp_ipv6.c and perhaps get rid of the warning messages printed
> to the console in case of syncookies == 2? A small update to ip-sysctl.txt
> wouldn't hurt either.
>
> If you want to, I can take it and refresh it.

That would be a good idea, as I am currently traveling ;)

Thanks!
