* [LARTC] Re: [release] ipsysctl tutorial 1.0.1
From: bert hubert @ 2002-10-23 17:13 UTC (permalink / raw)
To: lartc
On Wed, Oct 23, 2002 at 05:47:07PM +0200, Oskar Andreasson wrote:
> First of all, I hope this is no inconvenience to anyone, but I thought it
> may be of interest to some people on the netdev mailinglist as well.
> Just to inform people who may be interested, the ipsysctl tutorial has
> been released in a new version at http://ipsysctl-tutorial.frozentux.net.
>
I added a link to your pages to the HOWTO. Other lartc readers may also find
your work interesting, check it out!
Regards,
bert hubert
--
http://www.PowerDNS.com Versatile DNS Software & Services
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
From: Oskar Andreasson @ 2002-10-23 18:39 UTC (permalink / raw)
To: lartc
On Wed, 23 Oct 2002, bert hubert wrote:
> On Wed, Oct 23, 2002 at 05:47:07PM +0200, Oskar Andreasson wrote:
>
> > First of all, I hope this is no inconvenience to anyone, but I thought it
> > may be of interest to some people on the netdev mailinglist as well.
> > Just to inform people who may be interested, the ipsysctl tutorial has
> > been released in a new version at http://ipsysctl-tutorial.frozentux.net.
> >
> I added a link to your pages to the HOWTO. Other lartc readers may also find
> your work interesting, check it out!
>
Thanks, very much appreciated:)
----
Oskar Andreasson
http://www.frozentux.net
http://iptables-tutorial.frozentux.net
http://ipsysctl-tutorial.frozentux.net
mailto:blueflux@koffein.net
From: Michael T. Babcock @ 2002-10-23 18:59 UTC (permalink / raw)
To: lartc
Oskar Andreasson wrote:
>>>may be of interest to some people on the netdev mailinglist as well.
>>>Just to inform people who may be interested, the ipsysctl tutorial has
>>>been released in a new version at http://ipsysctl-tutorial.frozentux.net.
>>>
>>>
I'd like to ask for some clarifications, if not quoting, in the tutorial
on page x321.html (not sure of section numbers) re: syn cookies.
Dan Bernstein (everyone's favorite mathematician :-) ) makes it very
clear on http://cr.yp.to/syncookies.html that your warnings are
primarily FUD. For the sake of quoting:
A few people (notably Alexey Kuznetsov, Wichert Akkerman, and Perry
Metzger) have been spreading misinformation about SYN cookies. Here are
some of their bogus claims:
* SYN cookies ``present serious violation of TCP protocol.''
Reality: SYN cookies are fully compliant with the TCP protocol.
Every packet sent by a SYN-cookie server is something that could
also have been sent by a non-SYN-cookie server.
* SYN cookies ``do not allow to use TCP extensions'' such as large
windows. Reality: SYN cookies don't hurt TCP extensions. A
connection saved by SYN cookies can't use large windows; but the
same is true without SYN cookies, because the connection would
have been destroyed.
* SYN cookies cause ``massive hanging connections.'' Reality: With
or without SYN cookies, connections occasionally hang because a
computer or network is overloaded. Applications deal with this by
simply dropping idle connections.
* SYN cookies cause ``serious degradation of service.'' Reality: SYN
cookies /improve/ service. They do take a small amount of CPU time
to compute, but that CPU time has to be spent anyway for
hard-to-predict sequence numbers; see RFC 1948.
* SYN cookies cause ``magic resets.'' Reality: SYN cookies never
cause resets.
These people also have the annoying habit of crediting their bogus
claims to other people, such as me. I don't know whether to attribute
this to malice or stupidity; either way, I would like the record to be
set straight.
I invited Kuznetsov to either retract or defend his claims. He refused
to do so. I'm sure he's aware by now that his claims are false, and that
any attempted defense will be promptly ripped to shreds; but he's still
not admitting his errors. It's unfortunate that he doesn't have more
respect for the truth.
I also invited Akkerman to either retract or defend his claims. He did
not respond.
--
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock
From: Oskar Andreasson @ 2002-10-24 17:56 UTC (permalink / raw)
To: lartc
Hi Michael,
In short, I took Alexey on his words on this matter since I didn't know
about the statements below...
However, I notice one _big_ if in the page you are referring to, which by
the way is quite old (dated circa 1996). Take a look at this page which is
linked from the document you showed:
http://cr.yp.to/syncookies/archive
According to this, we must turn off SACK and T/TCP for it to work:
"4. TCP options such as RFC1323, SACK and T/TCP options cannot be used."
Nowhere do the documents explain how these problems can be solved (I
haven't read the whole document yet, so I may burst out prematurely... but
I wanted to respond to your questions:)).
I will look closer at this and see if there's any more up to date
information on the matter, what happens with SACK etc if SYN cookies are
turned on (may take a while, I will need to check the source code as
usual I expect=)).
On Wed, 23 Oct 2002, Michael T. Babcock wrote:
> Oskar Andreasson wrote:
>
> >>>may be of interest to some people on the netdev mailinglist as well.
> >>>Just to inform people who may be interested, the ipsysctl tutorial has
> >>>been released in a new version at http://ipsysctl-tutorial.frozentux.net.
> >>>
> >>>
> I'd like to ask for some clarifications, if not quoting, in the tutorial
> on page x321.html (not sure of section numbers) re: syn cookies.
>
> Dan Bernstein (everyone's favorite mathematician :-) ) makes it very
> clear on http://cr.yp.to/syncookies.html that your warnings are
> primarily FUD. For the sake of quoting:
>
> A few people (notably Alexey Kuznetsov, Wichert Akkerman, and Perry
> Metzger) have been spreading misinformation about SYN cookies. Here are
> some of their bogus claims:
>
> * SYN cookies ``present serious violation of TCP protocol.''
> Reality: SYN cookies are fully compliant with the TCP protocol.
> Every packet sent by a SYN-cookie server is something that could
> also have been sent by a non-SYN-cookie server.
> * SYN cookies ``do not allow to use TCP extensions'' such as large
> windows. Reality: SYN cookies don't hurt TCP extensions. A
> connection saved by SYN cookies can't use large windows; but the
> same is true without SYN cookies, because the connection would
> have been destroyed.
> * SYN cookies cause ``massive hanging connections.'' Reality: With
> or without SYN cookies, connections occasionally hang because a
> computer or network is overloaded. Applications deal with this by
> simply dropping idle connections.
> * SYN cookies cause ``serious degradation of service.'' Reality: SYN
> cookies /improve/ service. They do take a small amount of CPU time
> to compute, but that CPU time has to be spent anyway for
> hard-to-predict sequence numbers; see RFC 1948.
> * SYN cookies cause ``magic resets.'' Reality: SYN cookies never
> cause resets.
>
> These people also have the annoying habit of crediting their bogus
> claims to other people, such as me. I don't know whether to attribute
> this to malice or stupidity; either way, I would like the record to be
> set straight.
>
> I invited Kuznetsov to either retract or defend his claims. He refused
> to do so. I'm sure he's aware by now that his claims are false, and that
> any attempted defense will be promptly ripped to shreds; but he's still
> not admitting his errors. It's unfortunate that he doesn't have more
> respect for the truth.
>
> I also invited Akkerman to either retract or defend his claims. He did
> not respond.
>
>
--
----
Oskar Andreasson
http://www.frozentux.net
http://iptables-tutorial.frozentux.net
http://ipsysctl-tutorial.frozentux.net
mailto:blueflux@koffein.net
From: Michael T. Babcock @ 2002-10-24 23:33 UTC (permalink / raw)
To: lartc
Oskar Andreasson wrote:
>However, I notice one _big_ if in the page you are referring to, which by
>the way is quite old (dated circa 1996).
>
I have a distinct feeling that many IP based protocols don't change a
lot within these types of timespans. Look at how long IPv6 is taking to
deploy.
>"4. TCP options such as RFC1323, SACK and T/TCP options cannot be used."
>
>Nowhere does the documents explain how these problems can be solved (I
>haven't read the whole document yet, so I may burst out prematurely... but
>I wanted to respond to your questions:)).
>
I would assume that those options use bits in the packet header that SYN
cookies also use and therefore make unpredictable. I'm not sure either
though. FWIW, I've run all my machines 2.2.x and up with SYN cookies
turned on with no (known) ill effects; PCs and servers alike.
--
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock
From: Don Cohen @ 2002-10-28 19:55 UTC (permalink / raw)
To: lartc
> I'd like to ask for some clarifications, if not quoting, in the tutorial
> on page x321.html (not sure of section numbers) re: syn cookies.
I don't understand what the question is here.
> Dan Bernstein (everyone's favorite mathematician :-) ) makes it very
I was not aware of that.
> clear on http://cr.yp.to/syncookies.html that your warnings are
> primarily FUD. For the sake of quoting:
> A few people (notably Alexey Kuznetsov, Wichert Akkerman, and Perry
> Metzger) have been spreading misinformation about SYN cookies. Here are
> some of their bogus claims:
I was also not aware of any such controversy, but I think the points
below are correct.
> * SYN cookies ``present serious violation of TCP protocol.''
> Reality: SYN cookies are fully compliant with the TCP protocol.
> Every packet sent by a SYN-cookie server is something that could
> also have been sent by a non-SYN-cookie server.
> * SYN cookies ``do not allow to use TCP extensions'' such as large
> windows. Reality: SYN cookies don't hurt TCP extensions. A
> connection saved by SYN cookies can't use large windows; but the
> same is true without SYN cookies, because the connection would
> have been destroyed.
> * SYN cookies cause ``massive hanging connections.'' Reality: With
> or without SYN cookies, connections occasionally hang because a
> computer or network is overloaded. Applications deal with this by
> simply dropping idle connections.
> * SYN cookies cause ``serious degradation of service.'' Reality: SYN
> cookies /improve/ service. They do take a small amount of CPU time
> to compute, but that CPU time has to be spent anyway for
> hard-to-predict sequence numbers; see RFC 1948.
> * SYN cookies cause ``magic resets.'' Reality: SYN cookies never
> cause resets.
>
> These people also have the annoying habit of crediting their bogus
> claims to other people, such as me. I don't know whether to attribute
> this to malice or stupidity; either way, I would like the record to be
> set straight.
>
> I invited Kuznetsov to either retract or defend his claims. He refused
> to do so. I'm sure he's aware by now that his claims are false, and that
> any attempted defense will be promptly ripped to shreds; but he's still
> not admitting his errors. It's unfortunate that he doesn't have more
> respect for the truth.
>
> I also invited Akkerman to either retract or defend his claims. He did
> not respond.
>
From: Michael T. Babcock @ 2002-10-28 20:16 UTC (permalink / raw)
To: lartc
Don Cohen wrote:
> > I'd like to ask for some clarifications, if not quoting, in the tutorial
> > on page x321.html (not sure of section numbers) re: syn cookies.
>
>I don't understand what the question is here.
>
It isn't a question (thus the lack of question mark). I asked for
either a clarification or a quotation of the page mentioned in the FAQ
to avoid confusion (or add some?) about syn cookies.
> > Dan Bernstein (everyone's favorite mathematician :-) ) makes it very
>
>I was not aware of that.
>
DJB, as he is known, tends to be a bit strong minded and has a habit of
thinking that everyone should want what he wants. He also has a
tendency to write secure software and is a pretty good number cruncher
too (has his own hash library, does cryptography, etc.) Some love him,
some hate him, but if you search for 'DJB' on Google, I'm sure you'll
find plenty.
>I was also not aware of any such controversy, but I think the points
>below are correct.
>
I have a good feeling they're correct too, since I've been using syn
cookies "forever" now without any problems of which I'm aware. I'm
surprised those mentioned haven't said anything (or that I haven't read
it yet) that contradicts DJB (who was involved in the design of SYN
cookies).
--
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock
From: bert hubert @ 2002-10-28 20:26 UTC (permalink / raw)
To: lartc
On Mon, Oct 28, 2002 at 03:16:45PM -0500, Michael T. Babcock wrote:
> It isn't a question (thus the lack of question mark). I asked for
> either a clarification or a quotation of the page mentionned in the FAQ
> to avoid confusion (or add some?) about syn cookies.
Please keep this stuff off lartc.org. There has been enough flaming
regarding SYN cookies and whatnot.
I actually know some of the people mentioned on DJBs page in real life and
they are bone tired of it all too.
So give it a rest. Please do not respond to this message.
Regards,
Bert Hubert
Your Kind List Administrator
--
http://www.PowerDNS.com Versatile DNS Software & Services
http://lartc.org Linux Advanced Routing & Traffic Control HOWTO
From: Michael T. Babcock @ 2002-10-28 20:31 UTC (permalink / raw)
To: lartc
bert hubert wrote:
>Please keep this stuff off lartc.org. There has been enough flaming
>regarding SYN cookies and whatnot.
>
Put that on the mailing list FAQ then; otherwise it's fair game.
>I actually know some of the people mentioned on DJBs page in real life and
>they are bone tired of it all too.
>
I'm not quite convinced that my being tired of something or not prevents
you from telling me I'm wrong about something or requesting discussion
about it -- especially when it's material relevant to the subject of the
list. PS, assuming they are tired of it, why have I never seen a good
(well-prepared / documented) commentary on the issue from any of them?
However,
>So give it a rest. Please do not respond to this message
>
Obviously, I replied -- but I'm sure you expected as much when you sent
your message. You're free of course to boot me from the list if you
feel that my desiring clarification on a long-standing issue (in two
whole messages; three with this one) is too much for you to handle. In
case you're wondering, I'm not much of a DJB supporter myself, but I do
appreciate (and usually demand) accuracy, especially where it affects my
servers and my work. FUD, on either side, is not appreciated, in the
least, nor is complete silence.
>Your Kind List Administrator
>
--
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock
From: Oskar Andreasson @ 2002-10-28 21:27 UTC (permalink / raw)
To: lartc
On Mon, 28 Oct 2002, Don Cohen wrote:
>
> > I'd like to ask for some clarifications, if not quoting, in the tutorial
> > on page x321.html (not sure of section numbers) re: syn cookies.
>
> I don't understand what the question is here.
The question is that I state that turning on syncookies may wreak havoc on
the TCP stack, which Dan Bernstein totally disagrees with.
>
> > Dan Bernstein (everyone's favorite mathematician :-) ) makes it very
>
> I was not aware of that.
Well, he is rather interesting:). Has a lot of interesting ideas and
was/is the original author of qmail and tinydns and a couple of other
projects if I am not totally off base. According to himself, he has
published some 200k rows of code/text online.
>
> > clear on http://cr.yp.to/syncookies.html that your warnings are
> > primarily FUD. For the sake of quoting:
> > A few people (notably Alexey Kuznetsov, Wichert Akkerman, and Perry
> > Metzger) have been spreading misinformation about SYN cookies. Here are
> > some of their bogus claims:
>
> I was also not aware of any such controversy, but I think the points
> below are correct.
To an extent, but... most of what he is using to prove his point on that
page is taken from 1996, and in computer terms, that is ancient:).
My main doubts are neither of the below points actually, but the fact that
syn cookies seem to shred up SACK and T/TCP support. In 1996 this was no
problem since it wasn't implemented in Linux, but today it is... and
turned on per default...
My question hence is, how is the state of syn cookies today? How does it
actually affect SACK, T/TCP, ECN, and other new extensions? That's what I
want to find out before making a more final statement in the document.
(erh, ok it sounds kind of final as it looks right now, but I want to
check it up at least before doing any final statements).
>
> > * SYN cookies ``present serious violation of TCP protocol.''
> > Reality: SYN cookies are fully compliant with the TCP protocol.
> > Every packet sent by a SYN-cookie server is something that could
> > also have been sent by a non-SYN-cookie server.
> > * SYN cookies ``do not allow to use TCP extensions'' such as large
> > windows. Reality: SYN cookies don't hurt TCP extensions. A
> > connection saved by SYN cookies can't use large windows; but the
> > same is true without SYN cookies, because the connection would
> > have been destroyed.
> > * SYN cookies cause ``massive hanging connections.'' Reality: With
> > or without SYN cookies, connections occasionally hang because a
> > computer or network is overloaded. Applications deal with this by
> > simply dropping idle connections.
> > * SYN cookies cause ``serious degradation of service.'' Reality: SYN
> > cookies /improve/ service. They do take a small amount of CPU time
> > to compute, but that CPU time has to be spent anyway for
> > hard-to-predict sequence numbers; see RFC 1948.
> > * SYN cookies cause ``magic resets.'' Reality: SYN cookies never
> > cause resets.
> >
> > These people also have the annoying habit of crediting their bogus
> > claims to other people, such as me. I don't know whether to attribute
> > this to malice or stupidity; either way, I would like the record to be
> > set straight.
> >
> > I invited Kuznetsov to either retract or defend his claims. He refused
> > to do so. I'm sure he's aware by now that his claims are false, and that
> > any attempted defense will be promptly ripped to shreds; but he's still
> > not admitting his errors. It's unfortunate that he doesn't have more
> > respect for the truth.
> >
> > I also invited Akkerman to either retract or defend his claims. He did
> > not respond.
> >
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
--
----
Oskar Andreasson
http://www.frozentux.net
http://iptables-tutorial.frozentux.net
http://ipsysctl-tutorial.frozentux.net
mailto:blueflux@koffein.net
From: Michael T. Babcock @ 2002-10-29 14:32 UTC (permalink / raw)
To: lartc
Oskar Andreasson wrote:
>My question hence is, how is the state of syn cookies today? How does it
>actually affect SACK, T/TCP, ECN, and other new extensions? That's what I
>want to find out before making a more final statement in the document.
>(erh, ok it sounds kind of final as it looks right now, but I want to
>check it up at least before doing any final statements).
>
According to the netfilter documentation at
<http://logi.cc/linux/netfilter-log-format.php3>, you should always have
SYN cookies on with publicly accessible TCP ports (log analysis page,
fwiw).
Paper on advanced TCP algorithms:
http://www.google.ca/search?q=cache:vVQeUAOMmnoC:www.ce.chalmers.se/staff/otel/papers-mine/tcp-improvements/TCP-improvements.ps+linux+syn+cookies+ecn+sack&hl=en&ie=UTF-8
Advantages and flaws of T/TCP:
http://www.linuxgazette.com/issue47/stacey.html
"SYN cookies were implemented in the Linux kernel to combat this
attack. It involves sending a cookie to the sender to verify the
connection is valid. SYN cookies cause problems with T/TCP as no TCP
options are sent in the cookie and any data arriving in the initial SYN
can't be used immediately. The CC option in T/TCP does provide some
protection on its own, but it is not secure enough."
Mailing list discussion on cookies and T/TCP from 1998:
http://www.uwsg.iu.edu/hypermail/linux/kernel/9804.1/0650.html
FWIW, could the kernel code that uses T/TCP automagically disable SYN
cookies for those packets?
--
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock
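The thread keeps circling one mechanical point: a SYN-cookie server keeps no state for a half-open connection, so everything it later needs must fit in the 32-bit initial sequence number it sends back, and that number has no room for the SACK-permitted or window-scale options the client advertised in its SYN. The Python below is an added illustration of that constraint; it is not code from the ipsysctl tutorial, from this thread, or from the Linux kernel. It models a cookie in the shape Bernstein's page describes (a few bits of time counter, a few bits of MSS index, the rest a keyed hash of the connection 4-tuple), then shows what state the server can and cannot rebuild from the client's ACK. The field widths, the MSS table, the HMAC construction, the secret, and every function and class name are assumptions made for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Hypothetical per-boot secret. A real stack generates one at boot and never
# exposes it; here it is just random bytes so the example runs stand-alone.
SECRET = os.urandom(16)

# Hypothetical 8-entry MSS table so a 3-bit field can address every entry.
# Values are constructed for the demo, not taken from any kernel.
MSS_TABLE = (536, 1024, 1200, 1300, 1400, 1440, 1452, 1460)

# Assumed ISN layout (32 bits):  [31..27] tick mod 32 | [26..24] MSS index | [23..0] MAC
TICK_MASK = 0x1F
MSS_MASK = 0x7
MAC_MASK = 0xFFFFFF
MAX_AGE_TICKS = 4  # a cookie minted this many ticks ago is still accepted


@dataclass(frozen=True)
class SynOptions:
    """What the client's SYN advertised (constructed input, not a parsed packet)."""
    saddr: str
    sport: int
    daddr: str
    dport: int
    mss: int
    sack_ok: bool
    wscale: Optional[int]


@dataclass(frozen=True)
class Recovered:
    """Connection state the server can rebuild from the ACK alone."""
    mss: int
    sack_ok: bool
    wscale: Optional[int]


def _mac(saddr: str, sport: int, daddr: str, dport: int, tick: int) -> bytes:
    """24-bit keyed hash binding the cookie to the 4-tuple and the tick."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{tick}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def mss_index(mss: int) -> int:
    """Index of the largest table entry not above the advertised MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_cookie(syn: SynOptions, tick: int) -> int:
    """Build the ISN the server sends in its SYN/ACK. Note what is NOT encoded:
    sack_ok and wscale have no field, so they are dropped on the floor."""
    mac = int.from_bytes(_mac(syn.saddr, syn.sport, syn.daddr, syn.dport, tick), "big")
    return (((tick & TICK_MASK) << 27) | (mss_index(syn.mss) << 24) | mac) & 0xFFFFFFFF


def check_cookie(saddr: str, sport: int, daddr: str, dport: int,
                 ack_num: int, now_tick: int) -> Optional[Recovered]:
    """Validate the client's ACK (which acknowledges ISN+1) and rebuild state.
    Returns None for a forged, mismatched, or expired cookie."""
    isn = (ack_num - 1) & 0xFFFFFFFF
    tick_low = isn >> 27
    idx = (isn >> 24) & MSS_MASK
    mac_seen = (isn & MAC_MASK).to_bytes(3, "big")
    # Exactly one tick in the acceptance window has these low bits; find it.
    for age in range(MAX_AGE_TICKS + 1):
        tick = now_tick - age
        if tick < 0:
            break
        if (tick & TICK_MASK) != tick_low:
            continue
        if hmac.compare_digest(mac_seen, _mac(saddr, sport, daddr, dport, tick)):
            # Only the MSS survives the round trip; the other options are gone.
            return Recovered(mss=MSS_TABLE[idx], sack_ok=False, wscale=None)
        return None  # right tick, wrong MAC: not a cookie we minted for this 4-tuple
    return None  # no tick in the window matches: expired (or never ours)


if __name__ == "__main__":
    syn = SynOptions("198.51.100.7", 40000, "203.0.113.5", 80, 1460, True, 7)
    isn = make_cookie(syn, tick=10)
    state = check_cookie(syn.saddr, syn.sport, syn.daddr, syn.dport, isn + 1, now_tick=12)
    print("advertised:", syn)
    print("recovered :", state)
```

Running it shows a SYN that asked for SACK and a window scale of 7 coming back as a connection with the right MSS but `sack_ok=False` and `wscale=None`, which is the concrete meaning of "no TCP options are sent in the cookie". Two things worth noting from a defender's side: the cookie only has to be unforgeable for the few ticks it stays valid, so the acceptance window is what bounds replay; and the trade-off is per connection, since a stack only needs cookies once its SYN queue overflows, so under normal load every connection still negotiates its options. Later Linux kernels (from 2.6.26) additionally stash SACK, window-scale and ECN bits inside the TCP timestamp option when the client negotiates timestamps, which narrows the loss this example shows but does not remove it for clients without timestamps.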