Re: [PATCH] tcp: Use absolute system clock for TCP timestamps

Re: [PATCH] tcp: Use absolute system clock for TCP timestamps

[Eric Dumazet]

On Thu, Sep 24, 2015 at 7:14 AM, Jovi Zhangwei <jovi@cloudflare.com> wrote:
> From f455dc3958593250909627474100f6cc5c158a5c Mon Sep 17 00:00:00 2001
> From: Marek Majkowski <marek@cloudflare.com>
> Date: Fri, 11 Sep 2015 06:05:07 -0700
> Subject: [PATCH] tcp: Use absolute system clock for TCP timestamps
>
> Using TCP timestamps is beneficial due for to its purpose in PAWS and when
> its role when SYN cookies are enabled. In practice though TCP timestamps are
> often disabled due to being a perceived security issue - they leak Linux
> system uptime.
>
> This patch introduces a kernel option that makes TCP timestamp always return
> an absolute value derived from a system clock as opposed to jiffies from
> boot.
>
> This patch is based on the approach taken by grsecurity:
>     https://grsecurity.net/~spender/random_timestamp.diff
>

Please do not send html messages, they wont reach lists.

May I ask how this patch was really tested ?

It cannot possibly work on current kernels, as TCP Timestamps are
generated from clock samples taken from skb_mstamp_get(),
and you did not change it.

static inline void skb_mstamp_get(struct skb_mstamp *cl)
{
        u64 val = local_clock();

        do_div(val, NSEC_PER_USEC);
        cl->stamp_us = (u32)val;
        cl->stamp_jiffies = (u32)jiffies;
}

TCP stack uses tcp_time_stamp internally, we do not want to add
overhead adding an offset on all places.

tp->lsndtime is an example, but we have others.

Therefore, I suggest you add a new function and use it only where needed.

static inline u32 secure_tcp_time_stamp(void)
{
   returns (u32)(tcp_time_stamp + rtc_timestamp_base);
}

Re: [PATCH] tcp: Use absolute system clock for TCP timestamps

[Florian Westphal]

Eric Dumazet <edumazet@google.com> wrote:
> On Thu, Sep 24, 2015 at 7:14 AM, Jovi Zhangwei <jovi@cloudflare.com> wrote:
> > From f455dc3958593250909627474100f6cc5c158a5c Mon Sep 17 00:00:00 2001
> > From: Marek Majkowski <marek@cloudflare.com>
> > Date: Fri, 11 Sep 2015 06:05:07 -0700
> > Subject: [PATCH] tcp: Use absolute system clock for TCP timestamps
> >
> > Using TCP timestamps is beneficial due for to its purpose in PAWS and when
> > its role when SYN cookies are enabled. In practice though TCP timestamps are
> > often disabled due to being a perceived security issue - they leak Linux
> > system uptime.
> >
> > This patch introduces a kernel option that makes TCP timestamp always return
> > an absolute value derived from a system clock as opposed to jiffies from
> > boot.
> >
> > This patch is based on the approach taken by grsecurity:
> >     https://grsecurity.net/~spender/random_timestamp.diff
> >

I did not see the proposed patch because it didn't make this list,
but I do not like the patch linked to above.

With HZ=1000 the clock wraps every 49 days anyway.
If thats is still deemed a problem, then the proposed solution doesn't
help since all this does is add some 'random uptime' when the machine
is booted so remote monitoring will easily give a good approximation of
real uptime.

Really, where is the problem...?

> TCP stack uses tcp_time_stamp internally, we do not want to add
> overhead adding an offset on all places.
> 
> tp->lsndtime is an example, but we have others.
> 
> Therefore, I suggest you add a new function and use it only where needed.

Agreed, the mangling should only be performed when writing ts stamp
into tcp header, and undone when reading ts echo from network.