From owner-cvs-all@FreeBSD.ORG Wed Sep 13 13:08:31 2006 Return-Path: X-Original-To: cvs-all@FreeBSD.org Delivered-To: cvs-all@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 26CDE16A417; Wed, 13 Sep 2006 13:08:31 +0000 (UTC) (envelope-from andre@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id A675F43D55; Wed, 13 Sep 2006 13:08:27 +0000 (GMT) (envelope-from andre@FreeBSD.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k8DD8RBs000232; Wed, 13 Sep 2006 13:08:27 GMT (envelope-from andre@repoman.freebsd.org) Received: (from andre@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k8DD8RVM000231; Wed, 13 Sep 2006 13:08:27 GMT (envelope-from andre) Message-Id: <200609131308.k8DD8RVM000231@repoman.freebsd.org> From: Andre Oppermann Date: Wed, 13 Sep 2006 13:08:27 +0000 (UTC) To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org X-FreeBSD-CVS-Branch: HEAD Cc: Subject: cvs commit: src/sys/netinet tcp_input.c tcp_output.c tcp_syncache.c tcp_var.h X-BeenThere: cvs-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: CVS commit messages for the entire tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Sep 2006 13:08:31 -0000 andre 2006-09-13 13:08:27 UTC FreeBSD src repository Modified files: sys/netinet tcp_input.c tcp_output.c tcp_syncache.c tcp_var.h Log: Rewrite of TCP syncookies to remove locking requirements and to enhance functionality: - Remove a rwlock aquisition/release per generated syncookie. Locking is now integrated with the bucket row locking of syncache itself and syncookies no longer add any additional lock overhead. - Syncookie secrets are different for and stored per syncache buck row. Secrets expire after 16 seconds and are reseeded on-demand. - The computational overhead for syncookie generation and verification is one MD5 hash computation as before. - Syncache can be turned off and run with syncookies only by setting the sysctl net.inet.tcp.syncookies_only=1. This implementation extends the orginal idea and first implementation of FreeBSD by using not only the initial sequence number field to store information but also the timestamp field if present. This way we can keep track of the entire state we need to know to recreate the session in its original form. Almost all TCP speakers implement RFC1323 timestamps these days. For those that do not we still have to live with the known shortcomings of the ISN only SYN cookies. The use of the timestamp field causes the timestamps to be randomized if syncookies are enabled. The idea of SYN cookies is to encode and include all necessary information about the connection setup state within the SYN-ACK we send back and thus to get along without keeping any local state until the ACK to the SYN-ACK arrives (if ever). Everything we need to know should be available from the information we encoded in the SYN-ACK. A detailed description of the inner working of the syncookies mechanism is included in the comments in tcp_syncache.c. Reviewed by: silby (slightly earlier version) Sponsored by: TCP/IP Optimization Fundraise 2005 Revision Changes Path 1.307 +16 -6 src/sys/netinet/tcp_input.c 1.117 +1 -1 src/sys/netinet/tcp_output.c 1.99 +278 -192 src/sys/netinet/tcp_syncache.c 1.137 +5 -4 src/sys/netinet/tcp_var.h