From: Jiri Bohac <jbohac@suse.cz>
To: Florian Westphal <fw@strlen.de>
Cc: Jiri Bohac <jbohac@suse.cz>, Jakob Lell <jakob@jakoblell.com>,
netdev@vger.kernel.org, davem@davemloft.net
Subject: Re: [PATCH 2/3] [RFC] TCP syncookies: introduce sysctl to configure the MSS tables
Date: Tue, 27 Aug 2013 14:55:51 +0200 [thread overview]
Message-ID: <20130827125551.GA1195@midget.suse.cz> (raw)
In-Reply-To: <20130816214057.GE5154@breakpoint.cc>
On Fri, Aug 16, 2013 at 11:40:57PM +0200, Florian Westphal wrote:
> Jiri Bohac <jbohac@suse.cz> wrote:
> > (compile-tested only)
> >
> > This patch introduces two new sysctls
> > net.ipv4.tcp_syncookies_mss_table
> > net.ipv6.tcp_syncookies_mss_table
> > to manipulate the TCP syncookie MSS tables
>
> The cookie MSS table is small to begin with; trying
> to find values that fit all possible clients is a losing game.
not all servers talk to all the clients. I can imagine some may run very
specific services with very specific packet sizes. Having the MSS
values configurable can't hurt.
> I cannot think of any scenarios where 2 machines, connected
> to internet, could have different mss tables whilst _both_
> improving the default values?
The recently disclosed syncookies vulnerability has differrent
impact on differrent servers.
Some services are secure enough at application level and don't
care at all about TCP connection spoofing. These can use the
sysctl to revert back to the MSS table we have now (or anyting
that better serves their traffic).
Other services are not so secure and some MSS values can be
sacrified to mitigate the risk. With a smaller MSS table, tuning
the values for specific traffic may make even more sense.
--
Jiri Bohac <jbohac@suse.cz>
SUSE Labs, SUSE CZ
next prev parent reply other threads:[~2013-08-27 12:55 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-13 13:57 Quick Blind TCP Connection Spoofing with SYN Cookies Jakob Lell
2013-08-14 21:02 ` some one
2013-08-15 23:57 ` Jiri Bohac
2013-08-16 0:00 ` [PATCH 1/3] [RFC] TCP syncookies: slow down timer to mitigate spoofing attacks Jiri Bohac
2013-08-16 0:34 ` Neal Cardwell
2013-08-16 8:20 ` [PATCH v2 " Jiri Bohac
2013-08-16 21:47 ` [PATCH " Florian Westphal
2013-08-16 0:03 ` [PATCH 2/3] [RFC] TCP syncookies: introduce sysctl to configure the MSS tables Jiri Bohac
2013-08-16 21:40 ` Florian Westphal
2013-08-27 12:55 ` Jiri Bohac [this message]
2013-08-16 0:05 ` [PATCH 3/3] [RFC] TCP syncookies: only allow 3 MSS values by default to mitigate spoofing attacks Jiri Bohac
2013-08-16 21:31 ` Florian Westphal
2013-08-27 13:52 ` Jiri Bohac
2013-08-16 9:21 ` Quick Blind TCP Connection Spoofing with SYN Cookies Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130827125551.GA1195@midget.suse.cz \
--to=jbohac@suse.cz \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=jakob@jakoblell.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.