From: Glenn Griffin <ggriffin.kernel@gmail.com>
To: David Miller <davem@davemloft.net>
Cc: ggriffin.kernel@gmail.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/3] Support arbitrary initial TCP timestamps
Date: Mon, 18 Feb 2008 14:46:18 -0800 [thread overview]
Message-ID: <20080218164723.GA13941@fin> (raw)
In-Reply-To: <20080217.233330.157255657.davem@davemloft.net>
> Adding yet another member to the already bloated tcp_sock structure to
> implement this is too high a cost.
Yes, I was worried that would be deemed too high of a cost, but it was
the most efficient way I could think to accomplish what I wanted.
> I would instead prefer that there be some global random number
> calculated when the first TCP socket is created, and use that as a
> global offset. You can even recompute it every few hours if you
> like.
That would work fine if my mine purpose was to randomize the tcp
timestamp to mitigate the leak in information regarding uptime, but
despite the brief description, that's only a side effect of what I
intended to do. What I wanted was a way to be able to choose an initial
tcp timestamp for a particular connection that was not tied directly to
jiffies.
The two patches following this show my intended use case. I intend to
enhance syncookie support to allow it to support advanced tcp options
(sack and window scaling). Normally syncookies encode the bare minimum
state of a connection in the ISN they choose, but the 32bit ISN isn't
enough to encode advanced tcp options so you are left with a working but
crippled tcp stack during a synflood attack. If in addition to choosing
an ISN we are able to choose an initial tcp timestamp, we are then able
to encode an additional 32 bits of information that can contain more of
the advanced tcp options.
This stems from a discussion about implementing IPv6 support for
syncookies, and the main concern being that syncookies disabled too many
valuable tcp features to be relevant on modern systems. Many people
stood in opposition to that statement, but it did not seem as though a
general consensus was reached. http://lkml.org/lkml/2008/2/4/396
I'm always open to alternatives.
--Glenn
next prev parent reply other threads:[~2008-02-18 22:38 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-02-15 17:47 [PATCH 1/3] Support arbitrary initial TCP timestamps Glenn Griffin
2008-02-15 17:47 ` [PATCH 2/3] Enable the use of TCP options with syncookies Glenn Griffin
2008-02-15 17:47 ` [PATCH 3/3] Add IPv6 Support to TCP SYN cookies Glenn Griffin
2008-02-18 7:33 ` [PATCH 1/3] Support arbitrary initial TCP timestamps David Miller
2008-02-18 22:46 ` Glenn Griffin [this message]
2008-02-19 18:02 ` Glenn Griffin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080218164723.GA13941@fin \
--to=ggriffin.kernel@gmail.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).