From owner-svn-doc-all@FreeBSD.ORG Tue Jul 9 08:48:08 2013
Delivered-To: svn-doc-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id BF7D9486; Tue, 9 Jul 2013 08:48:08 +0000 (UTC) (envelope-from pgj@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id B1BBC1120; Tue, 9 Jul 2013 08:48:08 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r698m8F9018590; Tue, 9 Jul 2013 08:48:08 GMT (envelope-from pgj@svn.freebsd.org)
Received: (from pgj@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r698m8Uq018589; Tue, 9 Jul 2013 08:48:08 GMT (envelope-from pgj@svn.freebsd.org)
Message-Id: <201307090848.r698m8Uq018589@svn.freebsd.org>
From: Gabor Pali
Date: Tue, 9 Jul 2013 08:48:08 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r42215 - head/en_US.ISO8859-1/htdocs/news/status
X-SVN-Group: doc-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-all@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)"
X-List-Received-Date: Tue, 09 Jul 2013 08:48:08 -0000

Author: pgj
Date: Tue Jul 9 08:48:08 2013
New Revision: 42215
URL: http://svnweb.freebsd.org/changeset/doc/42215

Log:
  - Add a Q2 report on improved TCP SYN cookies

  Submitted by:	andre

Modified:
  head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml

Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml
============================================================================== --- head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml Tue Jul 9 08:33:48 2013 (r42214) +++ head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml Tue Jul 9 08:48:08 2013 (r42215) @@ -18,7 +18,7 @@

Thanks to all the reporters for the excellent work! This report - contains 28 entries and we hope you enjoy reading it.

+ contains 29 entries and we hope you enjoy reading it.

The deadline for submissions covering between July and September 2013 @@ -1579,4 +1579,84 @@ functionality through pkg(8).CAP_RECV_RIGHTS. + + + Improved TCP SYN Cookies + + + + + Andre + Oppermann + + andre@FreeBSD.org + + + + + Description + Patch + + + +

We have had a SYN cookie implementation for quite some time now + but it has some limitations with current realities for window + scaling and SACK encoding the in the few available bits.

+ +

This patch updates and improves SYN cookies mainly by:

+ +
    +
  1. Encoding of MSS, WSCALE (window scaling) and SACK into the + ISN (initial sequence number) without the use of timestamp + bits.
  2. + +
  3. Switching to the very fast and cryptographically strong + SipHash-2-4 hash MAC algorithm to protect the SYN cookie + against forgery.
  4. +
+ +

The common parameters used on TCP sessions have changed quite a + bit since SYN cookies very invented some 17 years ago. Today we + have a lot more bandwidth which makes the use window scaling + almost mandatory. Also SACK has become standard as it makes + recovering from packet loss much more efficient.

+ +

The original SYN cookies method only stored an indexed MSS + values in the cookie. This obviously is not sufficient anymore + and breaks in the presence of WSCALE. WSCALE information is + only exchanged during SYN and SYN-ACK. If we cannot keep track + of it then we severely underestimate the available send or + receive window, compounded with the fact that with large window + scaling the window size information on the TCP segment header + would be even lower numerically.

+ +

A number of years back SYN cookies have been extended to store + the additional state in the TCP timestamp fields, if available + on a connection. It has been adopted by Linux as well. While + timestamps are common among the BSD, Linux and other Unix + systems, Windows never enabled them by default, thus they are + not present for the vast majority of clients seen on the + Internet.

+ +

The new improvement in this patch moves all necessary + information into the ISN again removing the need for timestamps. + Both the MSS and send WSCALE are stored in 3 bit indexed form + together with a single bit for SACK. While we cannot represent + all possible MSS and WSCALE values, both are 16 bit fields in + the TCP header, in only 3 bits each this, it turns out, is not + actually necessary.

+ +

These improvements allow one to run with SYN cookies only on + Internet-facing servers. However while SYN cookies are + calculated and sent all the time, they are only used when the + syn cache overflows due to attacks or overload. In that cause + though, you can rest assured that no significant degradation in + TCP connection setup happens anymore and that even Windows + clients can make use of window scaling and SACK.

+ + + + Additional testing on busy servers. + +
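Review bot: the sentence "both are 16 bit fields in the TCP header" in the paragraph describing the 3-bit indexed encoding is inaccurate and should be reworded before this entry is published: only the MSS option carries a 16-bit value, the Window Scale option carries a one-byte shift count (valid values 0 to 14), and both travel in TCP options rather than in the fixed header. Something like "the MSS option is a 16-bit value and the window scale option an 8-bit shift count" keeps the point that 3 bits each is far fewer than the wire encoding. The body text also has several typos worth fixing in the same pass: "SACK encoding the in the few available bits" should read "in the few available bits", "since SYN cookies very invented" should be "were invented", "makes the use window scaling almost mandatory" is missing "of", "only stored an indexed MSS values" mixes singular and plural, and "In that cause though" in the last paragraph should be "In that case". As rendered here the two-item list under "This patch updates and improves SYN cookies mainly by:" shows four numerals ("1. ... 2." and "3. ... 4."), so please confirm the list markup yields exactly two items. Finally, the last paragraph first says the improvements "allow one to run with SYN cookies only on Internet-facing servers" and then says cookies "are only used when the syn cache overflows"; stating explicitly that the second sentence describes the default syncache-first behaviour and the first an opt-in cookie-only mode would keep readers from reading them as a contradiction.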