From: Florian Westphal <fw@strlen.de>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Florian Westphal <fw@strlen.de>, netdev@vger.kernel.org
Subject: Re: [PATCH -next v2 1/2] syncookies: remove ecn_ok validation when decoding option timestamp
Date: Fri, 31 Oct 2014 14:39:48 +0100 [thread overview]
Message-ID: <20141031133948.GJ10069@breakpoint.cc> (raw)
In-Reply-To: <1414762333.499.16.camel@edumazet-glaptop2.roam.corp.google.com>
Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Fri, 2014-10-31 at 13:13 +0100, Florian Westphal wrote:
> > Won't work anymore when tcp_ecn=0 and RTAX_FEATURES route attribute did
> > allow ecn.
> >
> > Just turn on ecn if the client ts says so.
> >
> > This means that while syn cookies are in use clients can turn on ecn
> > even if it is off on the server.
> >
> > However, there seems to be no harm in permitting this.
> >
> > Alternatively one can extend the test to also perform route lookup and
> > check RTAX_FEATURES, but it simply doesn't appear to be worth the effort.
> >
> > Signed-off-by: Florian Westphal <fw@strlen.de>
> > ---
> > Changes since v1:
> > - reword commit message
>
> Sorry.
>
> Google chose to disable ecn on their GFE, so we set sysctl_tcp_ecn to 0
>
> If I understand your patch, if a synflood is going on, some innocent
> connections could get ECN enabled, while we do not want this to ever
> happen. ECN really hurts our customers, this is a known fact.
>
> You cannot change this like that, it would force us (and maybe others)
> to either revert this patch, or add a knob.
Mot needed, if you think its wrong to remove the check, I will respin
with a proper validation.
> If sysctl_tcp_ecn = 0, there is no way a connection should have ECN
> enabled. This was documented years ago.
It would only get enabled if the echoed timestamp (ie the timestamp we
sent in the synack) indicates that ecn was enabled, i.e. the client or
a middlebox would have to munge/modify it to set the 'ecn on' bit in the
timestamp.
If that is too fragile in your opinion I will respin the patch to include
the additional validation via dst. We already need to fetch the dst
object anyway to fetch certain route attributes not in the timestamp or
cookie, so its only a matter of reorganizing code first to avoid two lookups.
Let me know what you prefer.
Thanks,
Florian
next prev parent reply other threads:[~2014-10-31 13:39 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-31 12:13 [PATCH -next v2 0/2] net: allow setting ecn via routing table Florian Westphal
2014-10-31 12:13 ` [PATCH -next v2 1/2] syncookies: remove ecn_ok validation when decoding option timestamp Florian Westphal
2014-10-31 13:32 ` Eric Dumazet
2014-10-31 13:39 ` Florian Westphal [this message]
2014-10-31 14:04 ` Eric Dumazet
2014-10-31 14:15 ` Florian Westphal
2014-10-31 15:47 ` Eric Dumazet
2014-10-31 16:00 ` Florian Westphal
2014-10-31 12:13 ` [PATCH -next v2 2/2] net: allow setting ecn via routing table Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141031133948.GJ10069@breakpoint.cc \
--to=fw@strlen.de \
--cc=eric.dumazet@gmail.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).