From: Christoph Paasch <cpaasch@apple.com>
To: Eric Dumazet <edumazet@google.com>
Cc: David Miller <davem@davemloft.net>,
	netdev <netdev@vger.kernel.org>,
	Yuchung Cheng <ycheng@google.com>
Subject: Re: [PATCH net-next] tcp: Enable TFO without a cookie on a per-socket basis
Date: Tue, 17 Oct 2017 09:49:50 -0700
Message-ID: <20171017164950.GH73751@Chimay.local>
In-Reply-To: <CANn89i+50uOGyyNKd8HMsPuZpmxFpsj28gHc7LAV_0BL9NpkEQ@mail.gmail.com>

On 17/10/17 - 04:00:01, Eric Dumazet wrote:
> On Mon, Oct 16, 2017 at 11:37 PM, Christoph Paasch <cpaasch@apple.com> wrote:
> > We already allow to enable TFO without a cookie by using the
> > fastopen-sysctl and setting it to TFO_SERVER_COOKIE_NOT_REQD (0x200).
> > This is safe to do in certain environments where we know that there
> > isn't a malicious host (aka., data-centers).
> >
> > A server however might be talking to both sides (public Internet and
> > data-center). So, this server would want to enable cookie-less TFO for
> > the connections that go to the data-center while enforcing cookies for
> > the traffic from the Internet.
> >
> > This patch exposes a socket-option to enable this (protected by
> > CAP_NET_ADMIN).
> 
> Have you thought instead of a route attribute ?

Another use-case for per-socket configuration is where the application-level
protocol already provides an authentication mechanism in the first flight of
data so that the cookie basically becomes redundant. In that case, it is
useful to configure it on a per-socket basis if other services are running
on this server as well.

I can of course add the route attribute in the v2, but I think the sockopt has
its use-case as well.

> CAP_NET_ADMIN restriction is not really practical IMO.

I'm fine with removing it.

I added it because an unprivileged user could more easily mount an
amplification attack. But that is probably quite a stretch :)


Christoph
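As an added example (not code from the patch or from anyone in this thread), the C program below decodes the net.ipv4.tcp_fastopen bits that the cover text refers to, including TFO_SERVER_COOKIE_NOT_REQD (0x200), and enables TFO on a listening socket with the pre-existing TCP_FASTOPEN socket option. The bit values are the ones documented in the kernel's ip-sysctl documentation; the helper names, the loopback listener and the sample inputs are this example's own. It deliberately uses only the global sysctl and the existing listener option, not the per-socket option the patch proposes, since that option is not named on this page.

```c
/* Added example (not part of the patch or thread): decode the
 * net.ipv4.tcp_fastopen sysctl bits and enable TFO on a listening socket.
 * Bit values are those documented in Documentation/networking/ip-sysctl.txt. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

#define TFO_CLIENT_ENABLE          0x1   /* client may send data in SYN */
#define TFO_SERVER_ENABLE          0x2   /* server may accept data in SYN */
#define TFO_CLIENT_NO_COOKIE       0x4   /* client sends SYN data without a cookie */
#define TFO_SERVER_COOKIE_NOT_REQD 0x200 /* server accepts SYN data without a valid cookie */
#define TFO_SERVER_WO_SOCKOPT1     0x400 /* server enables TFO without TCP_FASTOPEN sockopt */

/* Parse the text form of the sysctl ("0x203", "3", ...). Returns 0 on success. */
int tfo_parse_sysctl(const char *text, unsigned long *out)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(text, &end, 0);
    if (errno || end == text)
        return -1;
    *out = v;
    return 0;
}

/* Does the global setting let this host's servers accept SYN data
 * without a valid cookie? Only meaningful when server TFO is on at all. */
int tfo_server_cookie_not_required(unsigned long sysctl_val)
{
    return (sysctl_val & TFO_SERVER_ENABLE) &&
           (sysctl_val & TFO_SERVER_COOKIE_NOT_REQD) ? 1 : 0;
}

/* Render the set bits as a comma-separated summary into buf; returns buf. */
const char *tfo_describe(unsigned long v, char *buf, size_t len)
{
    static const struct { unsigned long bit; const char *name; } bits[] = {
        { TFO_CLIENT_ENABLE,          "client" },
        { TFO_SERVER_ENABLE,          "server" },
        { TFO_CLIENT_NO_COOKIE,       "client-no-cookie" },
        { TFO_SERVER_COOKIE_NOT_REQD, "server-cookie-not-required" },
        { TFO_SERVER_WO_SOCKOPT1,     "server-without-sockopt" },
    };
    size_t used = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof bits / sizeof bits[0]; i++) {
        if (!(v & bits[i].bit))
            continue;
        int n = snprintf(buf + used, len - used, "%s%s", used ? "," : "", bits[i].name);
        if (n < 0 || (size_t)n >= len - used)
            break;
        used += (size_t)n;
    }
    if (!used)
        snprintf(buf, len, "disabled");
    return buf;
}

/* Enable TFO on a listener; qlen bounds the pending TFO request queue.
 * Returns 0 on success, -1 with errno set otherwise (existing kernel API). */
int enable_tfo_listener(int fd, int qlen)
{
    return setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &qlen, sizeof(qlen));
}

int main(void)
{
    char text[32] = "0", desc[160];
    unsigned long v = 0;

    /* Read the live sysctl if we can; fall back to "0" (TFO disabled). */
    FILE *f = fopen("/proc/sys/net/ipv4/tcp_fastopen", "r");
    if (f) {
        if (!fgets(text, sizeof text, f))
            strcpy(text, "0");
        fclose(f);
    }
    if (tfo_parse_sysctl(text, &v) == 0) {
        printf("net.ipv4.tcp_fastopen = 0x%lx: %s\n", v, tfo_describe(v, desc, sizeof desc));
        printf("servers accept cookie-less TFO globally: %s\n",
               tfo_server_cookie_not_required(v) ? "yes" : "no");
    }

    /* Example listener on loopback, ephemeral port (constructed for this demo). */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = 0,
                                .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) { perror("bind"); return 1; }
    if (enable_tfo_listener(fd, 16) < 0)
        perror("setsockopt(TCP_FASTOPEN)");
    else if (listen(fd, 16) == 0)
        printf("TCP_FASTOPEN enabled; cookie policy follows the global sysctl\n");
    close(fd);
    return 0;
}
```

The point of the decode is the one the thread turns on: with only the sysctl, the 0x200 bit is host-wide, so every listener on the box accepts cookie-less SYN data or none does; a per-socket knob is what lets one server be strict on the Internet-facing service and relaxed on the data-center one.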


Thread overview: 5+ messages
2017-10-17  6:37 [PATCH net-next] tcp: Enable TFO without a cookie on a per-socket basis Christoph Paasch
2017-10-17 11:00 ` Eric Dumazet
2017-10-17 16:49   ` Christoph Paasch [this message]
2017-10-17 17:26 ` Yuchung Cheng
2017-10-17 17:42   ` Christoph Paasch
