From: "Bjoern A. Zeeb"
Date: Wed, 12 Mar 2008 14:49:46 +0000 (UTC)
To: "d.s. al coda"
Cc: freebsd-net@freebsd.org
Subject: Re: TCP options order changed in FreeBSD 7, incompatible with some routers
Message-ID: <20080312144207.P50685@maildrop.int.zabbadoz.net>

On Tue, 11 Mar 2008, d.s. al coda wrote:

> - FreeBSD 7 has (there is of course an aligning nop
> after the eol, which tcpdump skips)

Which is a bug (the nop after the EOL) that I recently fixed in HEAD.

I am still curious to know if it's only ordering or the invalid padding or both that keeps clients from connecting. The problem is getting hands on such a problematic "client".

I still cannot see why someone would drop because of option ordering but I could see why someone would drop because of the wrong padding which is violating the TCP RFC. Of course other examples seem to have shown that it was option ordering that made peers freak out and drop the packet.

> - These options don't appear in this exact configuration when using RFC1323
> options.
>
> I get a hunch that the users with the problem have a router that erroneously
> thinks that these options are invalid, or thinks that some part of the byte
> sequence (e.g. 0204 05b4 0101 0402) is an attack.
>
> Just to try it out, I patched tcp_output.c so that the SACK permitted option
> was aligned on a 4-byte boundary, preventing the "sackOK, eol" pattern from
> ever occurring. Looking through previous versions, I found where the tcp
> option code had changed, and there used to be a comment about putting SACK
> permitted last, but I can't tell if it's relevant.
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_output.c.diff?r1=1.125;r2=1.126
>
> The one-line patch to tcp_output.c is attached.
>
> Sure enough, it fixed the problem. Afterwards, we collected some information

That of course seems to have dropped the need for padding after a possible EOL (if there is no EOL anymore) hiding the second problem.

I wonder if you would have the resources to try this patch (on an unpatched kernel)
http://docs.freebsd.org/cgi/mid.cgi?200803091326.m29DQoCI095152
and find out if one of the formerly not working users can connect again. As said before this might not be the case and it might be option alignment/ordering but that would rule out the padding problem for us.

/bz

-- 
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
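As an added example (not code from this thread or from FreeBSD's tcp_output.c), a checker that walks a TCP options block and flags the two defects discussed above: a non-zero byte (such as a NOP) after EOL, which RFC 793 forbids since header padding must be zeros, and a block that is not 32-bit aligned. The sample byte strings are constructed; the first is the 0204 05b4 0101 0402 sequence quoted in the thread, the others model the EOL-then-NOP layout with and without the fix.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes for a TCP options block check (constructed for this example). */
enum tcpopt_result {
    TCPOPT_OK = 0,
    TCPOPT_BAD_LENGTH,      /* length field < 2 or runs past the block */
    TCPOPT_PAD_NOT_ZERO,    /* non-zero byte after EOL: the padding bug above */
    TCPOPT_NOT_ALIGNED      /* block is not a multiple of 4 bytes */
};

/* Walk the bytes between the fixed TCP header and the data.
 * Kind 0 = EOL, kind 1 = NOP (both single byte); every other option
 * carries a length byte covering kind and length (RFC 793, RFC 2018). */
enum tcpopt_result tcpopt_check(const uint8_t *opt, size_t len)
{
    size_t i = 0;

    if (len % 4 != 0)
        return TCPOPT_NOT_ALIGNED;
    while (i < len) {
        uint8_t kind = opt[i];
        if (kind == 0) {               /* EOL: the rest must be zero padding */
            for (i++; i < len; i++)
                if (opt[i] != 0)
                    return TCPOPT_PAD_NOT_ZERO;
            break;
        }
        if (kind == 1) {               /* NOP: one byte, used for alignment */
            i++;
            continue;
        }
        if (i + 1 >= len)              /* length byte missing */
            return TCPOPT_BAD_LENGTH;
        uint8_t olen = opt[i + 1];
        if (olen < 2 || i + olen > len)
            return TCPOPT_BAD_LENGTH;
        i += olen;
    }
    return TCPOPT_OK;
}

/* Constructed sample blocks (not captures from the hosts in the thread). */
/* MSS 1460, NOP, NOP, SACK-permitted: 8 bytes, aligned, no EOL needed. */
static const uint8_t opts_good[] = {0x02,0x04,0x05,0xb4, 0x01,0x01,0x04,0x02};
/* MSS 1460, SACK-permitted, EOL, then a NOP as padding: the RFC violation. */
static const uint8_t opts_nop_after_eol[] = {0x02,0x04,0x05,0xb4, 0x04,0x02,0x00,0x01};
/* Same layout padded with a zero byte, as RFC 793 requires. */
static const uint8_t opts_zero_after_eol[] = {0x02,0x04,0x05,0xb4, 0x04,0x02,0x00,0x00};
```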