From: Glenn Griffin <ggriffin.kernel@gmail.com>
To: Glenn Griffin <ggriffin.kernel@gmail.com>
Cc: David Miller <davem@davemloft.net>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/3] Support arbitrary initial TCP timestamps
Date: Tue, 19 Feb 2008 10:02:38 -0800 [thread overview]
Message-ID: <47bb17d7.28d7720a.526b.6a8e@mx.google.com> (raw)
In-Reply-To: <20080218164723.GA13941@fin>
> > Adding yet another member to the already bloated tcp_sock structure to
> > implement this is too high a cost.
>
> Yes, I was worried that would be deemed too high of a cost, but it was
> the most efficient way I could think to accomplish what I wanted.
>
> > I would instead prefer that there be some global random number
> > calculated when the first TCP socket is created, and use that as a
> > global offset. You can even recompute it every few hours if you
> > like.
>
> That would work fine if my mine purpose was to randomize the tcp
> timestamp to mitigate the leak in information regarding uptime, but
> despite the brief description, that's only a side effect of what I
> intended to do. What I wanted was a way to be able to choose an initial
> tcp timestamp for a particular connection that was not tied directly to
> jiffies.
>
> The two patches following this show my intended use case. I intend to
> enhance syncookie support to allow it to support advanced tcp options
> (sack and window scaling). Normally syncookies encode the bare minimum
> state of a connection in the ISN they choose, but the 32bit ISN isn't
> enough to encode advanced tcp options so you are left with a working but
> crippled tcp stack during a synflood attack. If in addition to choosing
> an ISN we are able to choose an initial tcp timestamp, we are then able
> to encode an additional 32 bits of information that can contain more of
> the advanced tcp options.
Perhaps I should clarify. I don't see a way to implement the additional
syncookie enhancements without storing an offset in some type of
per-socket structure. Given that, is it still deemed too high of a cost?
Is enhancing syncookies not deemed important enough to warrant the
additional 4 bytes? What if there was an additional config variable to
support arbitrary/random tcp timestamps, and then syncookies only used
the additional options when that setting was chosen? Is there some
possiblity I'm missing that could get this feature in a form suitable
for inclusion? Thanks.
--Glenn
prev parent reply other threads:[~2008-02-19 17:54 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-02-15 17:47 [PATCH 1/3] Support arbitrary initial TCP timestamps Glenn Griffin
2008-02-15 17:47 ` [PATCH 2/3] Enable the use of TCP options with syncookies Glenn Griffin
2008-02-15 17:47 ` [PATCH 3/3] Add IPv6 Support to TCP SYN cookies Glenn Griffin
2008-02-18 7:33 ` [PATCH 1/3] Support arbitrary initial TCP timestamps David Miller
2008-02-18 22:46 ` Glenn Griffin
2008-02-19 18:02 ` Glenn Griffin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47bb17d7.28d7720a.526b.6a8e@mx.google.com \
--to=ggriffin.kernel@gmail.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.