Date:      Wed, 10 Jul 2013 15:18:22 +0200
From:      Fabian Keil <freebsd-listen@fabiankeil.de>
To:        Andre Oppermann <andre@freebsd.org>
Cc:        freebsd-net@freebsd.org, freebsd-current@freebsd.org
Subject:   Re: Improved SYN Cookies: Looking for testers
Message-ID:  <20130710151821.5a8cf38a@fabiankeil.de>
In-Reply-To: <51DA68B8.6070201@freebsd.org>
References:  <51DA68B8.6070201@freebsd.org>

Andre Oppermann <andre@freebsd.org> wrote:

> We have had a SYN cookie implementation for quite some time now but it
> has some limitations with current realities for window scaling and
> SACK encoding in the few available bits.
> 
> This patch updates and improves SYN cookies mainly by:
> 
>   a) encoding of MSS, WSCALE (window scaling) and SACK into the ISN
>      (initial sequence number) without the use of timestamp bits.
> 
>   b) switching to the very fast and cryptographically strong SipHash-2-4
>      hash MAC algorithm to protect the SYN cookie against forgery.
> 
> The patch had been reviewed by dwmalone (cookies) and cperciva (siphash).
> 
> Please find it here for testing:
> 
>   http://people.freebsd.org/~andre/syncookie-20130708.diff

I've been using the patch for a couple of days and didn't notice any
issues so far. Privoxy's regression tests continue to work as expected
as well.

BTW, I think kern/173309 could be closed.

Fabian

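The scheme outlined in points a) and b) of the quoted announcement, as an added example that is not code from this thread or from the patch: options are packed into the low bits of the ISN and the rest is a SipHash-2-4 MAC that the returning ACK must reproduce. The bit layout, the lookup tables and all names (`siphash24`, `cookie_make`, `cookie_check`, `struct conn`) are assumptions for illustration; secret rotation and cookie expiry are left out.

```c
#include <stdint.h>
#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)

/* SipHash-2-4 over n whole little-endian 64-bit words (message length 8*n bytes). */
static uint64_t siphash24(const uint64_t k[2], const uint64_t *m, int n) {
    uint64_t v0 = k[0] ^ 0x736f6d6570736575ULL, v1 = k[1] ^ 0x646f72616e646f6dULL;
    uint64_t v2 = k[0] ^ 0x6c7967656e657261ULL, v3 = k[1] ^ 0x7465646279746573ULL;
    for (int i = 0; i <= n; i++) {          /* final block carries only the length byte */
        uint64_t w = i < n ? m[i] : (uint64_t)(8 * n) << 56;
        v3 ^= w; SIPROUND; SIPROUND; v0 ^= w;
    }
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Assumed ISN layout (not taken from the patch): MAC[31:8] | 0 | SACK | WSCALE idx | MSS idx. */
/* Constructed lookup tables: a 3-bit index stands in for the real option value. */
static const uint16_t mss_tab[8] = {216, 536, 1200, 1360, 1400, 1440, 1452, 1460};
static const uint8_t  ws_tab[8]  = {0, 1, 2, 4, 6, 7, 8, 10};
struct conn { uint32_t src, dst; uint16_t sport, dport; uint32_t irs; /* peer's ISN */ };

/* Upper 24 bits of the MAC over the 4-tuple, the peer's ISN and the option bits. */
static uint32_t cookie_mac(const uint64_t k[2], const struct conn *c, uint8_t bits) {
    uint64_t m[3] = { (uint64_t)c->src << 32 | c->dst,
                      (uint64_t)c->sport << 48 | (uint64_t)c->dport << 32 | c->irs, bits };
    return (uint32_t)siphash24(k, m, 3) & 0xffffff00u;
}

/* SYN received: round MSS/WSCALE down to a table entry (floor at entry 0), build our ISN. */
uint32_t cookie_make(const uint64_t k[2], const struct conn *c, int mss, int ws, int sack) {
    int mi = 7, wi = 7;
    while (mi > 0 && mss_tab[mi] > mss) mi--;
    while (wi > 0 && ws_tab[wi] > ws) wi--;
    uint8_t bits = (uint8_t)(mi | wi << 3 | (sack ? 1 : 0) << 6);
    return cookie_mac(k, c, bits) | bits;   /* no per-connection state is stored */
}

/* ACK received: ack - 1 must be an ISN we issued; recover the options only if the MAC holds. */
int cookie_check(const uint64_t k[2], const struct conn *c, uint32_t ack, int *mss, int *ws, int *sack) {
    uint32_t isn = ack - 1, bits = isn & 0xff;
    if ((bits & 0x80) || cookie_mac(k, c, bits) != (isn & 0xffffff00u)) return 0;
    *mss = mss_tab[bits & 7]; *ws = ws_tab[bits >> 3 & 7]; *sack = bits >> 6 & 1;
    return 1;
}
```

Because the option bits are part of the MAC input, an ACK that alters them, or that arrives on a different 4-tuple, fails the comparison and is dropped without the listener ever having allocated state for the SYN.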