From owner-cvs-all Thu Dec 20 20:18:54 2001
Date: Thu, 20 Dec 2001 23:18:49 -0500 (EST)
From: Mike Silbersack
To: Jonathan Lemon
Subject: Re: cvs commit: src/sys/netinet tcp_syncache.c
In-Reply-To: <20011220152243.H26326@prism.flugsvamp.com>

On Thu, 20 Dec 2001, Jonathan Lemon wrote:

> On Thu, Dec 20, 2001 at 03:52:10PM -0500, Mike Silbersack wrote:
> > MD5 is only used for outgoing syn-acks if strict rfc1948 mode is enabled
> > (which it is not by default); normally, arc4random is used.
>
> I think you missed the part that said "initial outgoing SYNs".
> E.g.: where we are the ones initially establishing the connection.

Urk, I did. Sorry.

> > I'm rusty on the syncache implementation, so bear with this if it's wrong:
> > If you're involved in being synflooded, the cache is going to be mostly
> > full. On the other hand, if you're not being flooded, the cache will
> > generally be mostly empty. Also, a flood is probably going to go on for a
> > while. Hence, if the table's above a certain percent full, you could
> > assume that you should make cookies, because they'll be needed.
> > Otherwise, just use arc4random(), and accept that a few connections will
> > get dropped right when a flood starts, but that you'll be ok after that.
>
> Not quite; there is both a table and a bucket limit. Entries can be
> overflowed from either one of these. It would be possible to add various
> watermarks and change behavior when the watermarks are hit.
> --
> Jonathan

True, I guess it would be hard to get right (and finish before the already
existing code freeze.) So, I guess minimally, could you make the sysctl
trigger the use of arc4random when syncookies are going to be disregarded
anyway? I think that would be a reasonable feature.

Mike "Silby" Silbersack
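The watermark idea discussed in this thread, as an added illustration that is not part of the message or of FreeBSD's tcp_syncache.c: a toy model of a syncache with both a per-bucket and a whole-table limit, where crossing a high-water mark on either (or hitting a limit outright) switches ISN generation from arc4random to cookie-style. The limits, the 75% watermark and every name here are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy limits and an assumed 75% watermark; the real tcp_syncache.c
 * limits are sysctls and are not reproduced here. */
#define SC_HASHSIZE      4
#define SC_BUCKETLIMIT   8
#define SC_CACHELIMIT   16
#define SC_HIGHWATER_PCT 75

enum isn_policy { ISN_RANDOM = 0, ISN_COOKIE = 1 };
struct syncache_model {
    unsigned bucket_count[SC_HASHSIZE]; /* entries per hash bucket */
    unsigned cache_count;               /* entries in the whole table */
};

/* Hitting either limit means a new entry would overflow, i.e. no state
 * is kept for it, so only a cookie can complete that handshake. */
static bool sc_would_overflow(const struct syncache_model *sc, unsigned b) {
    return sc->cache_count >= SC_CACHELIMIT ||
           sc->bucket_count[b] >= SC_BUCKETLIMIT;
}

/* Watermark policy: above the threshold on the table or on this bucket,
 * assume a flood and emit cookie-style ISNs; below it the entry will be
 * kept, so a plain arc4random() ISN suffices. */
static enum isn_policy sc_choose_policy(const struct syncache_model *sc, unsigned b) {
    if (sc_would_overflow(sc, b) ||
        sc->cache_count * 100 >= SC_CACHELIMIT * SC_HIGHWATER_PCT ||
        sc->bucket_count[b] * 100 >= SC_BUCKETLIMIT * SC_HIGHWATER_PCT)
        return ISN_COOKIE;
    return ISN_RANDOM;
}

/* Account for a SYN in bucket b: pick the ISN policy, then add the entry
 * unless it would overflow. Returns the policy used. */
static enum isn_policy sc_insert(struct syncache_model *sc, unsigned b) {
    enum isn_policy p = sc_choose_policy(sc, b);
    if (!sc_would_overflow(sc, b)) {
        sc->bucket_count[b]++;
        sc->cache_count++;
    }
    return p;
}

int main(void) {
    struct syncache_model sc = {{0}, 0};
    for (unsigned i = 0; i < 10; i++) /* bucket 0 reaches 75% at SYN 6 */
        printf("SYN %u -> %s\n", i,
               sc_insert(&sc, 0) == ISN_COOKIE ? "cookie" : "arc4random");
    return 0;
}
```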