From: "Michael T. Babcock" <mbabcock@fibrespeed.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Re: [release] ipsysctl tutorial 1.0.1
Date: Tue, 29 Oct 2002 14:32:23 +0000
Message-ID: <marc-lartc-103590208904485@msgid-missing>
In-Reply-To: <marc-lartc-103539326825533@msgid-missing>
Oskar Andreasson wrote:
>My question hence is, how is the state of syn cookies today? How does it
>actually affect SACK, T/TCP, ECN, and other new extensions? That's what I
>want to find out before making a more final statement in the document.
>(erh, ok it sounds kind of final as it looks right now, but I want to
>check it up at least before doing any final statements).
>
According to the netfilter documentation at
<http://logi.cc/linux/netfilter-log-format.php3>, you should always have
SYN cookies on with publicly accessible TCP ports (log analysis page,
fwiw).
Paper on advanced TCP algorithms:
http://www.google.ca/search?q che:vVQeUAOMmnoC:www.ce.chalmers.se/staff/otel/papers-mine/tcp-improvements/TCP-improvements.ps+linux+syn+cookies+ecn+sack&hl=en&ie=UTF-8
Advantages and flaws of T/TCP:
http://www.linuxgazette.com/issue47/stacey.html
"SYN cookies were implemented in the Linux kernel to combat this
attack. It involves sending a cookie to the sender to verify the
connection is valid. SYN cookies cause problems with T/TCP as no TCP
options are sent in the cookie and any data arriving in the initial SYN
can't be used immediately. The CC option in T/TCP does provide some
protection on its own, but it is not secure enough."
Mailing list discussion on cookies and T/TCP from 1998:
http://www.uwsg.iu.edu/hypermail/linux/kernel/9804.1/0650.html
FWIW, could the kernel code that uses T/TCP automagically disable SYN
cookies for those packets?
--
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
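Added example, not part of this thread and not code from either poster: a toy Python model of the classic SYN cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash in the server's ISN) that shows concretely why the quoted Linux Gazette text says "no TCP options are sent in the cookie". The server keeps no SYN-queue state, so the only thing it can recover from the returning ACK is what fits in 32 bits: an approximate MSS and nothing about SACK, window scaling, ECN or T/TCP's CC option. The MSS table, secret, addresses and the `max_age` window are constructed values for the demonstration; real kernels differ in detail, and later Linux versions recover some options from the TCP timestamp field when timestamps are on.

```python
"""Toy SYN cookie model (added example, not from the LARTC thread).

Assumed layout (classic Bernstein scheme, simplified for illustration):
  bits 31..27  time counter t mod 32 (t ticks once per ~64 s)
  bits 26..24  index into a small MSS table
  bits 23..0   keyed hash of (saddr, daddr, sport, dport, t)
"""
import hashlib
import hmac

# Constructed MSS table; a 3-bit index can address at most 8 entries.
MSS_TABLE = (536, 1300, 1440, 1460)


def _hash24(secret: bytes, saddr: str, daddr: str,
            sport: int, dport: int, t: int) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple and the counter."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{t}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def mss_index(mss: int) -> int:
    """Largest table entry not exceeding the client's advertised MSS."""
    idx = 0
    for i, entry in enumerate(MSS_TABLE):
        if entry <= mss:
            idx = i
    return idx


def make_cookie(secret: bytes, saddr: str, daddr: str, sport: int,
                dport: int, client_mss: int, t: int) -> int:
    """Build the 32-bit ISN the server sends in its SYN-ACK.

    Only the MSS index survives; any other SYN option (SACK permitted,
    window scale, ECN, T/TCP CC) has no bits to live in and is dropped.
    """
    return ((t & 0x1F) << 27) | (mss_index(client_mss) << 24) \
        | _hash24(secret, saddr, daddr, sport, dport, t)


def check_cookie(secret: bytes, saddr: str, daddr: str, sport: int,
                 dport: int, cookie: int, now: int, max_age: int = 4):
    """Validate a cookie echoed back in the final ACK (cookie = ack_seq - 1).

    Returns the recovered MSS, or None if the cookie is forged or too old.
    The full counter is reconstructed by trying the most recent values
    whose low 5 bits match the 5 bits carried in the cookie.
    """
    t_low = cookie >> 27
    idx = (cookie >> 24) & 0x7
    tag = cookie & 0xFFFFFF
    for age in range(max_age + 1):
        cand = now - age
        if (cand & 0x1F) == t_low and \
                _hash24(secret, saddr, daddr, sport, dport, cand) == tag:
            return MSS_TABLE[idx]
    return None


def recovered_options(secret: bytes, saddr: str, daddr: str, sport: int,
                      dport: int, cookie: int, now: int) -> dict:
    """What the server knows about the client's SYN after a cookie round trip."""
    mss = check_cookie(secret, saddr, daddr, sport, dport, cookie, now)
    return {
        "mss": mss,             # approximate, from the 3-bit index
        "sack_ok": None,        # not recoverable from the cookie
        "window_scale": None,   # not recoverable from the cookie
        "ecn": None,            # not recoverable from the cookie
        "ttcp_cc": None,        # not recoverable from the cookie
    }


if __name__ == "__main__":
    # Constructed demo values.
    key = b"constructed-demo-secret"
    c = make_cookie(key, "192.0.2.10", "198.51.100.5", 40000, 80, 1460, t=100)
    print(f"cookie/ISN: {c:#010x}")
    print(recovered_options(key, "192.0.2.10", "198.51.100.5", 40000, 80, c, now=102))
```

The `recovered_options` dictionary is the practical point for a sysctl tutorial: with `tcp_syncookies` on and the SYN queue full, a connection accepted via cookie runs without SACK or window scaling unless the kernel has another place to carry those bits, which is the trade-off the poster is asking about.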