From owner-freebsd-stable Sun Jul 8 8:13:38 2001 Delivered-To: freebsd-stable@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 2609637B420 for ; Sun, 8 Jul 2001 08:13:28 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id IAA11425; Sun, 8 Jul 2001 08:13:21 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda11421; Sun Jul 8 08:13:05 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.4/8.9.1) id f68FCoP03220; Sun, 8 Jul 2001 08:12:50 -0700 (PDT) Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdmq3218; Sun Jul 8 08:12:10 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.4/8.9.1) id f68FC9O03810; Sun, 8 Jul 2001 08:12:09 -0700 (PDT) Message-Id: <200107081512.f68FC9O03810@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdwu3803; Sun Jul 8 08:11:46 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Thomas David Rivers Cc: freebsd-stable@FreeBSD.ORG, silby@silby.com Subject: Re: Headsup: Tcp ISN generation changes from 4.2 to 4.3 In-reply-to: Your message of "Sun, 08 Jul 2001 07:26:15 EDT." <200107081126.f68BQFV29529@lakes.dignus.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sun, 08 Jul 2001 08:11:46 -0700 Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG In message <200107081126.f68BQFV29529@lakes.dignus.com>, Thomas David Rivers wr ites: > > Consequently, I have just committed patches to -current and -stable which > > allow you to select the tcp initial sequence number generation scheme used > > by your system. If you don't wish to cvsup just for this patch, you may > > instead obtain it from http://www.silby.com/patches/multiple_isn_schemes.pa > tch > > and manually apply the patch yourself. > > I've been having problems connecting to some older mainframe machines > after the upgrade to 4.3-RELEASE, and was hoping this might be the > culprit. (Actually, the problems are that the older mainframe TCP/IP > seems to go south now with any outbound FTP transfer (FreeBSD->mainframe) > where they didn't before.) > > However, your patches do not apply cleanly to a 4.3-RELEASE > system... are these meant for 4.3-STABLE only? Use this on 4.3-RELEASE only: diff -u -r src/sys/netinet.old/tcp_input.c src/sys/netinet/tcp_input.c --- src/sys/netinet.old/tcp_input.c Sun Jul 1 20:44:50 2001 +++ src/sys/netinet/tcp_input.c Sun Jul 1 21:17:58 2001 @@ -1080,12 +1080,12 @@ if (iss) tp->iss = iss; else { #ifdef TCP_COMPAT_42 tcp_iss += TCP_ISSINCR/2; tp->iss = tcp_iss; #else - tp->iss = tcp_rndiss_next(); + tp->iss = tcp_new_isn(); #endif /* TCP_COMPAT_42 */ } tp->irs = th->th_seq; tcp_sendseqinit(tp); @@ -1612,11 +1612,11 @@ if (thflags & TH_SYN && tp->t_state == TCPS_TIME_WAIT && SEQ_GT(th->th_seq, tp->rcv_nxt)) { #ifdef TCP_COMPAT_42 iss = tp->snd_nxt + TCP_ISSINCR; #else - iss = tcp_rndiss_next(); + iss = tcp_new_isn(); #endif /* TCP_COMPAT_42 */ tp = tcp_close(tp); goto findpcb; } diff -u -r src/sys/netinet.old/tcp_seq.h src/sys/netinet/tcp_seq.h --- src/sys/netinet.old/tcp_seq.h Sun Jul 1 20:44:50 2001 +++ src/sys/netinet/tcp_seq.h Sun Jul 1 21:08:02 2001 @@ -81,23 +81,24 @@ #ifdef _KERNEL extern tcp_cc tcp_ccgen; /* global connection count */ -#ifdef TCP_COMPAT_42 /* * Increment for tcp_iss each second. * This is designed to increment at the standard 250 KB/s, * but with a random component averaging 128 KB. * We also increment tcp_iss by a quarter of this amount * each time we use the value for a new connection. * If defined, the tcp_random18() macro should produce a * number in the range [0-0x3ffff] that is hard to predict. + * + * The variable tcp_iss and tcp_random18() are only used + * by sequence number generation scheme 0. */ #ifndef tcp_random18 #define tcp_random18() (arc4random() & 0x3ffff) #endif #define TCP_ISSINCR (122*1024 + tcp_random18()) extern tcp_seq tcp_iss; /* tcp initial send seq # */ -#endif /* TCP_COMPAT_42 */ #else #define TCP_ISSINCR (250*1024) /* increment for tcp_iss each second */ #endif /* _KERNEL */ diff -u -r src/sys/netinet.old/tcp_subr.c src/sys/netinet/tcp_subr.c --- src/sys/netinet.old/tcp_subr.c Sun Jul 1 20:44:50 2001 +++ src/sys/netinet/tcp_subr.c Sun Jul 1 21:35:14 2001 @@ -139,6 +139,10 @@ SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_may_rst, CTLFLAG_RW, &icmp_may_rst, 0, "Certain ICMP unreachable messages may abort connections in SYN_SENT"); +static int tcp_seq_genscheme = 1; +SYSCTL_INT(_net_inet_tcp, OID_AUTO, tcp_seq_genscheme, CTLFLAG_RW, + &tcp_seq_genscheme, 0, "TCP ISN generation scheme"); + static void tcp_cleartaocache __P((void)); static void tcp_notify __P((struct inpcb *, int)); @@ -182,9 +186,11 @@ { int hashsize; #ifdef TCP_COMPAT_42 tcp_iss = 1; /* wrong */ +#else + tcp_iss = arc4random(); /* wrong, but better than a constant */ #endif /* TCP_COMPAT_42 */ tcp_ccgen = 1; tcp_cleartaocache(); @@ -1093,6 +1099,26 @@ 0, cmd, notify); } #endif /* INET6 */ + +tcp_seq +tcp_new_isn() +{ + if ((tcp_seq_genscheme > 1) || (tcp_seq_genscheme < 0)) + tcp_seq_genscheme = 1; + + switch (tcp_seq_genscheme) { + case 0: /* + * Random positive increments + */ + tcp_iss += TCP_ISSINCR/2; + return tcp_iss; + case 1: /* + * OpemBSD randomized scheme + */ + return tcp_rndiss_next(); + } + +} #define TCP_RNDISS_ROUNDS 16 #define TCP_RNDISS_OUT 7200 diff -u -r src/sys/netinet.old/tcp_timer.c src/sys/netinet/tcp_timer.c --- src/sys/netinet.old/tcp_timer.c Sun Jul 1 20:44:50 2001 +++ src/sys/netinet/tcp_timer.c Sun Jul 1 21:12:16 2001 @@ -132,11 +132,11 @@ tcp_maxidle = tcp_keepcnt * tcp_keepintvl; -#ifdef TCP_COMPAT_42 tcp_iss += TCP_ISSINCR/PR_SLOWHZ; /* increment iss */ +#ifdef TCP_COMPAT_42 if ((int)tcp_iss < 0) tcp_iss = TCP_ISSINCR; /* XXX */ #endif splx(s); } diff -u -r src/sys/netinet.old/tcp_usrreq.c src/sys/netinet/tcp_usrreq.c --- src/sys/netinet.old/tcp_usrreq.c Sun Jul 1 20:44:50 2001 +++ src/sys/netinet/tcp_usrreq.c Sun Jul 1 21:18:20 2001 @@ -759,12 +759,12 @@ tcpstat.tcps_connattempt++; tp->t_state = TCPS_SYN_SENT; callout_reset(tp->tt_keep, tcp_keepinit, tcp_timer_keep, tp); #ifdef TCP_COMPAT_42 tp->iss = tcp_iss; tcp_iss += TCP_ISSINCR/2; #else /* TCP_COMPAT_42 */ - tp->iss = tcp_rndiss_next(); + tp->iss = tcp_new_isn(); #endif /* !TCP_COMPAT_42 */ tcp_sendseqinit(tp); /* @@ -856,11 +856,11 @@ tcpstat.tcps_connattempt++; tp->t_state = TCPS_SYN_SENT; callout_reset(tp->tt_keep, tcp_keepinit, tcp_timer_keep, tp); #ifdef TCP_COMPAT_42 tp->iss = tcp_iss; tcp_iss += TCP_ISSINCR/2; #else - tp->iss = tcp_rndiss_next(); + tp->iss = tcp_new_isn(); #endif /* TCP_COMPAT_42 */ tcp_sendseqinit(tp); /* diff -u -r src/sys/netinet.old/tcp_var.h src/sys/netinet/tcp_var.h --- src/sys/netinet.old/tcp_var.h Sun Jul 1 20:44:50 2001 +++ src/sys/netinet/tcp_var.h Sun Jul 1 21:13:25 2001 @@ -413,6 +413,7 @@ tcp_seq tcp_rndiss_next __P((void)); u_int16_t tcp_rndiss_encrypt __P((u_int16_t)); +tcp_seq tcp_new_isn __P((void)); #endif /* _KERNEL */ Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message