From owner-svn-doc-head@FreeBSD.ORG Tue Jul 9 12:15:57 2013
Return-Path:
Delivered-To: svn-doc-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
[IPv6:2001:1900:2254:206a::19:1])
by hub.freebsd.org (Postfix) with ESMTP id 27CD2B95;
Tue, 9 Jul 2013 12:15:57 +0000 (UTC)
(envelope-from wblock@wonkity.com)
Received: from wonkity.com (wonkity.com [67.158.26.137])
by mx1.freebsd.org (Postfix) with ESMTP id A96DC1C61;
Tue, 9 Jul 2013 12:15:56 +0000 (UTC)
Received: from wonkity.com (localhost [127.0.0.1])
by wonkity.com (8.14.7/8.14.7) with ESMTP id r69CFuPG043259;
Tue, 9 Jul 2013 06:15:56 -0600 (MDT)
(envelope-from wblock@wonkity.com)
Received: from localhost (wblock@localhost)
by wonkity.com (8.14.7/8.14.7/Submit) with ESMTP id r69CFufM043256;
Tue, 9 Jul 2013 06:15:56 -0600 (MDT)
(envelope-from wblock@wonkity.com)
Date: Tue, 9 Jul 2013 06:15:56 -0600 (MDT)
From: Warren Block
To: Gabor Pali
Subject: Re: svn commit: r42215 - head/en_US.ISO8859-1/htdocs/news/status
In-Reply-To: <201307090848.r698m8Uq018589@svn.freebsd.org>
Message-ID:
References: <201307090848.r698m8Uq018589@svn.freebsd.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3
(wonkity.com [127.0.0.1]); Tue, 09 Jul 2013 06:15:56 -0600 (MDT)
Cc: svn-doc-head@freebsd.org, svn-doc-all@freebsd.org,
doc-committers@freebsd.org
X-BeenThere: svn-doc-head@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for the doc tree for head
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 09 Jul 2013 12:15:57 -0000
On Tue, 9 Jul 2013, Gabor Pali wrote:
> Author: pgj
> Date: Tue Jul 9 08:48:08 2013
> New Revision: 42215
> URL: http://svnweb.freebsd.org/changeset/doc/42215
>
> Log:
> - Add a Q2 report on improved TCP SYN cookies
>
> Submitted by: andre
>
> Modified:
> head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml
>
> Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml
> ==============================================================================
> --- head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml Tue Jul 9 08:33:48 2013 (r42214)
> +++ head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml Tue Jul 9 08:48:08 2013 (r42215)
> @@ -18,7 +18,7 @@
>
>
> Thanks to all the reporters for the excellent work! This report
> - contains 28 entries and we hope you enjoy reading it.
> + contains 29 entries and we hope you enjoy reading it.
>
>
> The deadline for submissions covering between July and September 2013
> @@ -1579,4 +1579,84 @@ functionality through pkg(8).
> and CAP_RECV_RIGHTS.
>
>
> +
> +
> + Improved TCP SYN Cookies
> +
> +
> +
> +
> + Andre
> + Oppermann
> +
> + andre@FreeBSD.org
> +
> +
> +
> +
> + Description
> + Patch
> +
> +
> +
> + We have had a SYN cookie implementation for quite some time now
> + but it has some limitations with current realities for window
> + scaling and SACK encoding the in the few available bits.
> +
> + This patch updates and improves SYN cookies mainly by:
> +
> +
> + - Encoding of MSS, WSCALE (window scaling) and SACK into the
> + ISN (initial sequence number) without the use of timestamp
> + bits.
> +
> + - Switching to the very fast and cryptographically strong
> + SipHash-2-4 hash MAC algorithm to protect the SYN cookie
> + against forgery.
> +
> +
> + The common parameters used on TCP sessions have changed quite a
> + bit since SYN cookies very invented some 17 years ago. Today we
s/very/were/
> + have a lot more bandwidth which makes the use window scaling
s/the use/use of/
> + almost mandatory. Also SACK has become standard as it makes
> + recovering from packet loss much more efficient.
> +
> + The original SYN cookies method only stored an indexed MSS
> + values in the cookie. This obviously is not sufficient anymore
s/values/value/
s/anymore/any more/
> + and breaks in the presence of WSCALE. WSCALE information is
> + only exchanged during SYN and SYN-ACK. If we cannot keep track
> + of it then we severely underestimate the available send or
> + receive window, compounded with the fact that with large window
> + scaling the window size information on the TCP segment header
> + would be even lower numerically.
> +
> + A number of years back SYN cookies have been extended to store
s/back SYN/back, SYN/
s/have been/were/
> + the additional state in the TCP timestamp fields, if available
> + on a connection. It has been adopted by Linux as well. While
> + timestamps are common among the BSD, Linux and other Unix
> + systems, Windows never enabled them by default, thus they are
> + not present for the vast majority of clients seen on the
> + Internet.
> +
> + The new improvement in this patch moves all necessary
> + information into the ISN again removing the need for timestamps.
s/again removing/again, removing/
> + Both the MSS and send WSCALE are stored in 3 bit indexed form
> + together with a single bit for SACK. While we cannot represent
> + all possible MSS and WSCALE values, both are 16 bit fields in
> + the TCP header, in only 3 bits each this, it turns out, is not
> + actually necessary.
That last sentence is very unclear. I *think* it means
"While we cannot represent all possible MSS and WSCALE values in
only 3 bits each (both are 16 bit fields in the TCP header), it
turns out that is not actually necessary.
"
> + These improvements allow one to run with SYN cookies only on
> + Internet-facing servers. However while SYN cookies are
> + calculated and sent all the time, they are only used when the
> + syn cache overflows due to attacks or overload. In that cause
s/cause/case/
> + though, you can rest assured that no significant degradation in
> + TCP connection setup happens anymore and that even Windows
s/anymore/any more/
> + clients can make use of window scaling and SACK.
> +
> +
> +
> + Additional testing on busy servers.
> +
> +
>
>
Phew, almost done. Sorry, and thanks!