* [PATCH][RESEND] Update of tcp_syncookies explanation
@ 2003-04-01 17:33 Oskar Andreasson
  2003-04-01 17:47 ` David S. Miller
  0 siblings, 1 reply; 3+ messages in thread
From: Oskar Andreasson @ 2003-04-01 17:33 UTC (permalink / raw)
  To: David S. Miller, Alexey N. Kuznetsov; +Cc: netdev


Hi David, Alexey, et al.

This is a patch that fixes/updates the tcp_syncookies explanation in the 
linux/Documentation/networking/ip-sysctl.txt document. 

Basically it reduces some of the "big red lights" set up about using this 
specific feature, and instead explains in more detail why the user should 
be careful about using the syncookies option. 

If anyone has any objections against this patch, please tell me so, with 
an explanation of why! 

[slightly off-topic explanation] 

It seems I got caught in the crossfire between two camps when I started
writing the ipsysctl-tutorial at ipsysctl-tutorial.frozentux.net and at 
first I received some rather nasty mails about not warning enough about 
the syncookies option, so I changed it, at which point I received some 
more poison from the other side for warning about the option at all. 

Hence, my decision has been to walk somewhere on the borderline by simply 
explaining the option, what it does, how it works, and what the cons are, 
without taking up too much space in the kernelspace. 

I believe this is what would be best for the kernel documentation as well. 
If anyone disagrees, see above, send me a mail explaining why you 
disagree.

Thanks!

----
Oskar Andreasson
http://www.frozentux.net
http://iptables-tutorial.frozentux.net
http://ipsysctl-tutorial.frozentux.net
mailto:blueflux@koffein.net


diff -ur linux-2.4.19/Documentation/networking/ip-sysctl.txt linux-2.4.19.new/Documentation/networking/ip-sysctl.txt
--- linux-2.4.19/Documentation/networking/ip-sysctl.txt	Sat Aug  3 02:39:42 2002
+++ linux-2.4.19.new/Documentation/networking/ip-sysctl.txt	Sun Nov 10 18:13:26 2002
@@ -162,7 +162,7 @@
 	overflows. This is to prevent against the common 'syn flood attack'
 	Default: FALSE
 
-	Note, that syncookies is fallback facility.
+	Note, that syncookies is a fallback facility.
 	It MUST NOT be used to help highly loaded servers to stand
 	against legal connection rate. If you see synflood warnings
 	in your logs, but investigation	shows that they occur
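Review bot: the article fix in "+	Note, that syncookies is a fallback facility." is right, but the comma after "Note" is still wrong; since this line is being touched anyway, make it "Note that syncookies is a fallback facility." and, in the same paragraph, replace the stray tab inside the unchanged context line "investigation	shows" with a space.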
@@ -170,12 +170,18 @@
 	another parameters until this warning disappear.
 	See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
 
-	syncookies seriously violate TCP protocol, do not allow
-	to use TCP extensions, can result in serious degradation
-	of some services (f.e. SMTP relaying), visible not by you,
-	but your clients and relays, contacting you. While you see
-	synflood warnings in logs not being really flooded, your server
-	is seriously misconfigured.
+	The tcp_syncookies option means that when the machine has more than 
+	tcp_max_syn_backlog SYN packets in the queue, it will revert to 
+	sending out SYN cookies. tcp_syncookies depends on a specifically 
+	grafted TCP Sequence number, which the SYN flooder must guess the 
+	correct number of, unless he is actually receiving the SYN/ACK to
+	himself. 
+
+	When SYN cookies are used, all newly opened connections will be unable
+	to use any advanced features like ECN, SACK or Timestamps. This may 
+	result in serious degradation of some services, and if you see 
+	synflood warnings in your logs, but you are not being flooded, your 
+	server may be misconfigured.
 
 tcp_stdurg - BOOLEAN
 	Use the Host requirements interpretation of the TCP urg pointer field.
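Review bot: the replacement drops the removed text's statement that syncookies violate the TCP protocol without putting anything concrete in its place, which is exactly what the maintainer objects to in the reply below; either keep that sentence or say precisely what is lost. Three wording problems in the added lines: "it will revert to sending out SYN cookies" should be "it falls back to sending SYN cookies" (the queue overflow is the trigger, nothing is reverted); "a specifically grafted TCP Sequence number" should be "a specially crafted TCP sequence number"; and "which the SYN flooder must guess the correct number of, unless he is actually receiving the SYN/ACK to himself" reads better as "which an attacker who is not receiving the SYN/ACK cannot know and would have to guess". The old text's blanket "do not allow to use TCP extensions" is also broader than the new "ECN, SACK or Timestamps" list; if the list is meant to be exhaustive, say so, otherwise keep the general wording (window scaling is another option that cannot be carried in the cookie). Finally, the removed lines made the point that the degradation is "visible not by you, but your clients and relays, contacting you", with SMTP relaying as the example; that is the part an administrator most needs, so carry it into the new second paragraph rather than dropping it.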


* Re: [PATCH][RESEND] Update of tcp_syncookies explanation
  2003-04-01 17:33 [PATCH][RESEND] Update of tcp_syncookies explanation Oskar Andreasson
@ 2003-04-01 17:47 ` David S. Miller
  0 siblings, 0 replies; 3+ messages in thread
From: David S. Miller @ 2003-04-01 17:47 UTC (permalink / raw)
  To: blueflux; +Cc: kuznet, netdev

   From: Oskar Andreasson <blueflux@koffein.net>
   Date: Tue, 1 Apr 2003 19:33:13 +0200 (CEST)

   If anyone has any objections against this patch, please tell me so, with 
   an explanation of why! 
   
You didn't explain how TCP syncookies "seriously violates the TCP
protocol" yet you chose to remove that statement written by Alexey.

Either retain Alexey's statement (because it's true) or replace it
with proper text.

I'm not going into the details of how syncookies violates the TCP
protocol here, that has been hashed out many times on netdev and
linux-net years in the past, so I direct people to search up such
discussions instead of starting up yet another flame war here about
the topic.  Thanks.


* Re: [PATCH][RESEND] Update of tcp_syncookies explanation
@ 2003-04-01 19:59 Oskar Andreasson
  0 siblings, 0 replies; 3+ messages in thread
From: Oskar Andreasson @ 2003-04-01 19:59 UTC (permalink / raw)
  To: David S. Miller; +Cc: netdev

Hi David,

Thanks for the reply! It was much appreciated, and I will do what I can to 
iron any problems out. (Also, I am very sorry for putting you or anyone 
else out there)

My final question is this... could you give any tips on what specifics to
look/search for? I've been searching through the archives available at
http://oss.sgi.com/projects/netdev/archive/ for every single inclusion of
SYN in any of the archives by now, but could not find any specifics on
_what_ the syn cookies break, or why, except for ECN, SACK and
timestamps :/

I have also checked through the source code as well as I could, as well as
Mr. Bernstein's algorithms, searched the net at large with 3 search
engines... and I am still not clever enough to figure it out.

In short, what I am trying to ask for is simply some kind of hints on
where to look... I hope you don't mind. 

Thanks!

PS. David, sorry for sending this in private before, no bad intentions 
meant. DS.

On Tue, 1 Apr 2003, David S. Miller wrote:

>    From: Oskar Andreasson <blueflux@koffein.net>
>    Date: Tue, 1 Apr 2003 19:33:13 +0200 (CEST)
> 
>    If anyone has any objections against this patch, please tell me so, with 
>    an explanation of why! 
>    
> You didn't explain how TCP syncookies "seriously violates the TCP
> protocol" yet you chose to remove that statement written by Alexey.
> 
> Either retain Alexey's statement (because it's true) or replace it
> with proper text.
> 
> I'm not going into the details of how syncookies violates the TCP
> protocol here, that has been hashed out many times on netdev and
> linux-net years in the past, so I direct people to search up such
> discussions instead of starting up yet another flame war here about
> the topic.  Thanks.

-- 
----
Oskar Andreasson
http://www.frozentux.net
http://iptables-tutorial.frozentux.net
http://ipsysctl-tutorial.frozentux.net
mailto:blueflux@koffein.net
