From owner-svn-doc-head@FreeBSD.ORG Tue Jul 9 12:15:57 2013
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 27CD2B95; Tue, 9 Jul 2013 12:15:57 +0000 (UTC) (envelope-from wblock@wonkity.com)
Received: from wonkity.com (wonkity.com [67.158.26.137]) by mx1.freebsd.org (Postfix) with ESMTP id A96DC1C61; Tue, 9 Jul 2013 12:15:56 +0000 (UTC)
Received: from wonkity.com (localhost [127.0.0.1]) by wonkity.com (8.14.7/8.14.7) with ESMTP id r69CFuPG043259; Tue, 9 Jul 2013 06:15:56 -0600 (MDT) (envelope-from wblock@wonkity.com)
Received: from localhost (wblock@localhost) by wonkity.com (8.14.7/8.14.7/Submit) with ESMTP id r69CFufM043256; Tue, 9 Jul 2013 06:15:56 -0600 (MDT) (envelope-from wblock@wonkity.com)
Date: Tue, 9 Jul 2013 06:15:56 -0600 (MDT)
From: Warren Block
To: Gabor Pali
Cc: svn-doc-head@freebsd.org, svn-doc-all@freebsd.org, doc-committers@freebsd.org
Subject: Re: svn commit: r42215 - head/en_US.ISO8859-1/htdocs/news/status
In-Reply-To: <201307090848.r698m8Uq018589@svn.freebsd.org>
References: <201307090848.r698m8Uq018589@svn.freebsd.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
List-Id: SVN commit messages for the doc tree for head

On Tue, 9 Jul 2013, Gabor Pali wrote:

> Author: pgj
> Date: Tue Jul 9 08:48:08 2013
> New Revision: 42215
> URL: http://svnweb.freebsd.org/changeset/doc/42215
>
> Log:
>   - Add a Q2 report on improved TCP SYN cookies
>
>   Submitted by: andre
>
> Modified:
>   head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml
>
> Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml
> ==============================================================================
> --- head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml	Tue Jul 9 08:33:48 2013	(r42214)
> +++ head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml	Tue Jul 9 08:48:08 2013	(r42215)
> @@ -18,7 +18,7 @@
>
>
>

>  	Thanks to all the reporters for the excellent work! This report
> -	contains 28 entries and we hope you enjoy reading it.
> +	contains 29 entries and we hope you enjoy reading it.
>
>
>
>  	The deadline for submissions covering between July and September 2013
> @@ -1579,4 +1579,84 @@
>   functionality through pkg(8).
>   and CAP_RECV_RIGHTS.
>
>
> +
> +
> +	Improved TCP SYN Cookies
> +
> +
> +
> +
> +	Andre
> +	Oppermann
> +
> +	andre@FreeBSD.org
> +
> +
> +
> +
> +	Description
> +	Patch
> +
> +
> +
> +
> +	  We have had a SYN cookie implementation for quite some time now
> +	  but it has some limitations with current realities for window
> +	  scaling and SACK encoding the in the few available bits.
> +
> +
> +	  This patch updates and improves SYN cookies mainly by:
> +
> +
> +
> +	    Encoding of MSS, WSCALE (window scaling) and SACK into the
> +	      ISN (initial sequence number) without the use of timestamp
> +	      bits.
> +
> +
> +
> +	    Switching to the very fast and cryptographically strong
> +	      SipHash-2-4 hash MAC algorithm to protect the SYN cookie
> +	      against forgery.
> +
> +
> +
> +
> +	  The common parameters used on TCP sessions have changed quite a
> +	  bit since SYN cookies very invented some 17 years ago. Today we

s/very/were/

> +	  have a lot more bandwidth which makes the use window scaling

s/the use/use of/

> +	  almost mandatory. Also SACK has become standard as it makes
> +	  recovering from packet loss much more efficient.
> +
> +
> +	  The original SYN cookies method only stored an indexed MSS
> +	  values in the cookie. This obviously is not sufficient anymore

s/values/value/
s/anymore/any more/

> +	  and breaks in the presence of WSCALE. WSCALE information is
> +	  only exchanged during SYN and SYN-ACK. If we cannot keep track
> +	  of it then we severely underestimate the available send or
> +	  receive window, compounded with the fact that with large window
> +	  scaling the window size information on the TCP segment header
> +	  would be even lower numerically.
> +
> +
> +	  A number of years back SYN cookies have been extended to store

s/back SYN/back, SYN/
s/have been/were/

> +	  the additional state in the TCP timestamp fields, if available
> +	  on a connection. It has been adopted by Linux as well. While
> +	  timestamps are common among the BSD, Linux and other Unix
> +	  systems, Windows never enabled them by default, thus they are
> +	  not present for the vast majority of clients seen on the
> +	  Internet.
> +
> +
> +	  The new improvement in this patch moves all necessary
> +	  information into the ISN again removing the need for timestamps.

s/again removing/again, removing/

> +	  Both the MSS and send WSCALE are stored in 3 bit indexed form
> +	  together with a single bit for SACK. While we cannot represent
> +	  all possible MSS and WSCALE values, both are 16 bit fields in
> +	  the TCP header, in only 3 bits each this, it turns out, is not
> +	  actually necessary.

That last sentence is very unclear. I *think* it means "While we
cannot represent all possible MSS and WSCALE values in only 3 bits
each (both are 16 bit fields in the TCP header), it turns out that is
not actually necessary."

> +
> +	  These improvements allow one to run with SYN cookies only on
> +	  Internet-facing servers. However while SYN cookies are
> +	  calculated and sent all the time, they are only used when the
> +	  syn cache overflows due to attacks or overload. In that cause

s/cause/case/

> +	  though, you can rest assured that no significant degradation in
> +	  TCP connection setup happens anymore and that even Windows

s/anymore/any more/

> +	  clients can make use of window scaling and SACK.
> +
> +
> +
> +
> +	  Additional testing on busy servers.
> +
> +
>
>

Phew, almost done. Sorry, and thanks!
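Review bot: two wording slips in the second hunk are not covered by the s/// fixes above. The first added paragraph reads "SACK encoding the in the few available bits"; the stray "the" should go ("SACK encoding in the few available bits"). In the last paragraph "syn cache" should be "SYN cache" to match the capitalisation used for SYN cookies, SYN and SYN-ACK elsewhere in the entry.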
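The quoted report describes the mechanism but not its shape in code. The following is an added example, written for this thread and not taken from the report, the patch or FreeBSD's TCP stack: it packs a 3-bit MSS index, a 3-bit WSCALE index and a SACK bit into the low bits of the ISN, fills the remaining 25 bits with a SipHash-2-4 tag over the 4-tuple and that state, and verifies the cookie when the ACK arrives. The index tables, the bit layout, the 25/7 split and the single unrotated key are constructed assumptions for illustration; the SipHash-2-4 routine is written inline from the published specification so the block runs offline.

```python
"""Toy SYN cookie: MSS/WSCALE/SACK packed into the ISN, protected by SipHash-2-4.

Added example, not FreeBSD code.  Tables, bit layout and key handling are
constructed for illustration; SipHash-2-4 follows the published specification.
"""
import hmac
import os
import struct

MASK64 = (1 << 64) - 1


def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64


def siphash24(key, data):
    """SipHash-2-4: 16-byte key, arbitrary message, 64-bit tag."""
    if len(key) != 16:
        raise ValueError("SipHash key must be 16 bytes")
    k0, k1 = struct.unpack("<QQ", key)
    v0 = k0 ^ 0x736F6D6570736575
    v1 = k1 ^ 0x646F72616E646F6D
    v2 = k0 ^ 0x6C7967656E657261
    v3 = k1 ^ 0x7465646279746573

    def sipround():
        nonlocal v0, v1, v2, v3
        v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13); v1 ^= v0; v0 = _rotl(v0, 32)
        v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16); v3 ^= v2
        v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21); v3 ^= v0
        v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17); v1 ^= v2; v2 = _rotl(v2, 32)

    n = len(data)
    full = n - n % 8
    for i in range(0, full, 8):            # compression: 2 rounds per 8-byte word
        m = struct.unpack_from("<Q", data, i)[0]
        v3 ^= m; sipround(); sipround(); v0 ^= m
    last = (n & 0xFF) << 56                # final word: length byte plus tail bytes
    for i, byte in enumerate(data[full:]):
        last |= byte << (8 * i)
    v3 ^= last; sipround(); sipround(); v0 ^= last
    v2 ^= 0xFF                             # finalization: 4 rounds
    for _ in range(4):
        sipround()
    return v0 ^ v1 ^ v2 ^ v3


# Constructed 3-bit index tables (assumed, not FreeBSD's).  Encoding picks the
# largest entry not above the peer's value; values below the first entry fall
# back to index 0.
MSS_TABLE = (216, 536, 1200, 1360, 1400, 1440, 1452, 1460)
WSCALE_TABLE = (0, 1, 2, 3, 4, 6, 7, 8)
TAG_BITS = 25                              # 32-bit ISN = 25-bit tag + 7 bits of state
TAG_MASK = (1 << TAG_BITS) - 1


def _index_of(table, value):
    idx = 0
    for i, entry in enumerate(table):
        if entry <= value:
            idx = i
    return idx


def _tag(secret, saddr, daddr, sport, dport, state):
    # The state is part of the MAC input, so flipping a state bit invalidates the cookie.
    msg = struct.pack("!4s4sHHB", saddr, daddr, sport, dport, state)
    return siphash24(secret, msg) & TAG_MASK


def make_cookie(secret, saddr, daddr, sport, dport, mss, wscale, sack):
    """ISN to send in the SYN-ACK.  Layout: [tag:25][sack:1][wscale_idx:3][mss_idx:3]."""
    state = (_index_of(MSS_TABLE, mss)
             | _index_of(WSCALE_TABLE, wscale) << 3
             | int(bool(sack)) << 6)
    return _tag(secret, saddr, daddr, sport, dport, state) << 7 | state


def check_cookie(secret, saddr, daddr, sport, dport, isn):
    """Validate the ISN recovered from the peer's ACK (ack_seq - 1).

    Returns (mss, wscale, sack) on success, None if the tag does not match.
    """
    state = isn & 0x7F
    expect = _tag(secret, saddr, daddr, sport, dport, state)
    got = (isn >> 7) & TAG_MASK
    if not hmac.compare_digest(struct.pack("<I", expect), struct.pack("<I", got)):
        return None
    return MSS_TABLE[state & 7], WSCALE_TABLE[(state >> 3) & 7], bool(state >> 6)


if __name__ == "__main__":
    secret = os.urandom(16)                # a real stack would rotate this key
    client, server = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    isn = make_cookie(secret, client, server, 40000, 80, mss=1460, wscale=7, sack=True)
    print(hex(isn), check_cookie(secret, client, server, 40000, 80, isn))
    print(check_cookie(secret, client, server, 40001, 80, isn))   # other 4-tuple: None
```

Because no per-connection state is kept between SYN-ACK and ACK, the tag is the only thing that binds the recovered MSS, window scale and SACK flag to the peer that actually completed the handshake; with 25 tag bits a blind guess succeeds about once in 2^25 attempts, and the table-based encoding means the recovered MSS is at most the advertised one.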