From owner-svn-doc-all@FreeBSD.ORG  Tue Jul  9 12:15:57 2013
Return-Path: 
Delivered-To: svn-doc-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id 27CD2B95;
 Tue,  9 Jul 2013 12:15:57 +0000 (UTC)
 (envelope-from wblock@wonkity.com)
Received: from wonkity.com (wonkity.com [67.158.26.137])
 by mx1.freebsd.org (Postfix) with ESMTP id A96DC1C61;
 Tue,  9 Jul 2013 12:15:56 +0000 (UTC)
Received: from wonkity.com (localhost [127.0.0.1])
 by wonkity.com (8.14.7/8.14.7) with ESMTP id r69CFuPG043259;
 Tue, 9 Jul 2013 06:15:56 -0600 (MDT)
 (envelope-from wblock@wonkity.com)
Received: from localhost (wblock@localhost)
 by wonkity.com (8.14.7/8.14.7/Submit) with ESMTP id r69CFufM043256;
 Tue, 9 Jul 2013 06:15:56 -0600 (MDT)
 (envelope-from wblock@wonkity.com)
Date: Tue, 9 Jul 2013 06:15:56 -0600 (MDT)
From: Warren Block 
To: Gabor Pali 
Subject: Re: svn commit: r42215 - head/en_US.ISO8859-1/htdocs/news/status
In-Reply-To: <201307090848.r698m8Uq018589@svn.freebsd.org>
Message-ID: 
References: <201307090848.r698m8Uq018589@svn.freebsd.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3
 (wonkity.com [127.0.0.1]); Tue, 09 Jul 2013 06:15:56 -0600 (MDT)
Cc: svn-doc-head@freebsd.org, svn-doc-all@freebsd.org,
 doc-committers@freebsd.org
X-BeenThere: svn-doc-all@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "SVN commit messages for the entire doc trees \(except for "
 user" , " projects" , and " translations"
 \)" 
X-List-Received-Date: Tue, 09 Jul 2013 12:15:57 -0000
On Tue, 9 Jul 2013, Gabor Pali wrote:
> Author: pgj
> Date: Tue Jul  9 08:48:08 2013
> New Revision: 42215
> URL: http://svnweb.freebsd.org/changeset/doc/42215
>
> Log:
>  - Add a Q2 report on improved TCP SYN cookies
>
>  Submitted by:	andre
>
> Modified:
>  head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml
>
> Modified: head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml
> ==============================================================================
> --- head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml	Tue Jul  9 08:33:48 2013	(r42214)
> +++ head/en_US.ISO8859-1/htdocs/news/status/report-2013-04-2013-06.xml	Tue Jul  9 08:48:08 2013	(r42215)
> @@ -18,7 +18,7 @@
>
>     
>     Thanks to all the reporters for the excellent work!  This report
> -      contains 28 entries and we hope you enjoy reading it.
> +      contains 29 entries and we hope you enjoy reading it.
>
>     
>     The deadline for submissions covering between July and September 2013
> @@ -1579,4 +1579,84 @@ functionality through pkg(8).
> 	and CAP_RECV_RIGHTS.
>     
>   
> +
> +  
> +    Improved TCP SYN Cookies
> +
> +    
> +      
> +	
> +	  Andre
> +	  Oppermann
> +	
> +	andre@FreeBSD.org
> +      
> +    
> +
> +    
> +      Description
> +      Patch
> +    
> +
> +    
> +      We have had a SYN cookie implementation for quite some time now
> +	but it has some limitations with current realities for window
> +	scaling and SACK encoding the in the few available bits.
> +
> +      This patch updates and improves SYN cookies mainly by:
> +
> +      
> +	- Encoding of MSS, WSCALE (window scaling) and SACK into the
> +	  ISN (initial sequence number) without the use of timestamp
> +	  bits.
 
> +
> +	- Switching to the very fast and cryptographically strong
> +	  SipHash-2-4 hash MAC algorithm to protect the SYN cookie
> +	  against forgery.
 
> +      
> +
> +      The common parameters used on TCP sessions have changed quite a
> +	bit since SYN cookies very invented some 17 years ago.  Today we
s/very/were/
> +	have a lot more bandwidth which makes the use window scaling
s/the use/use of/
> +	almost mandatory.  Also SACK has become standard as it makes
> +	recovering from packet loss much more efficient.
> +
> +      The original SYN cookies method only stored an indexed MSS
> +	values in the cookie.  This obviously is not sufficient anymore
s/values/value/
s/anymore/any more/
> +	and breaks in the presence of WSCALE.  WSCALE information is
> +	only exchanged during SYN and SYN-ACK.  If we cannot keep track
> +	of it then we severely underestimate the available send or
> +	receive window, compounded with the fact that with large window
> +	scaling the window size information on the TCP segment header
> +	would be even lower numerically.
> +
> +      A number of years back SYN cookies have been extended to store
s/back SYN/back, SYN/
s/have been/were/
> +	the additional state in the TCP timestamp fields, if available
> +	on a connection.  It has been adopted by Linux as well.  While
> +	timestamps are common among the BSD, Linux and other Unix
> +	systems, Windows never enabled them by default, thus they are
> +	not present for the vast majority of clients seen on the
> +	Internet.
> +
> +      The new improvement in this patch moves all necessary
> +	information into the ISN again removing the need for timestamps.
s/again removing/again, removing/
> +	Both the MSS and send WSCALE are stored in 3 bit indexed form
> +	together with a single bit for SACK.  While we cannot represent
> +	all possible MSS and WSCALE values, both are 16 bit fields in
> +	the TCP header, in only 3 bits each this, it turns out, is not
> +	actually necessary.
That last sentence is very unclear.  I *think* it means
   "While we cannot represent all possible MSS and WSCALE values in
    only 3 bits each (both are 16 bit fields in the TCP header), it
    turns out that is not actually necessary."
> +      These improvements allow one to run with SYN cookies only on
> +	Internet-facing servers.  However while SYN cookies are
> +	calculated and sent all the time, they are only used when the
> +	syn cache overflows due to attacks or overload.  In that cause
s/cause/case/
> +	though, you can rest assured that no significant degradation in
> +	TCP connection setup happens anymore and that even Windows
s/anymore/any more/
> +	clients can make use of window scaling and SACK.
> +    
> +
> +    
> +      Additional testing on busy servers.
> +    
> +  
> 
>
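Review bot: the parenthetical "both are 16 bit fields in the TCP header" in the paragraph beginning "The new improvement in this patch" is inaccurate and should be reworded: the MSS option carries a 16-bit value, but the window scale option carries a one-byte shift count limited to 14 by RFC 1323, and neither is a header field; both are TCP options carried only on the SYN and SYN-ACK. Something like "While 3 bits each cannot represent every possible MSS (a 16-bit option value) or WSCALE (an 8-bit shift count), it turns out that is not actually necessary" keeps the point and fixes the sentence. Two smaller items in the same hunk: the first paragraph has "SACK encoding the in the few available bits", which should read "in the few available bits", and "syn cache" in the closing paragraph should be "syncache", the spelling FreeBSD uses elsewhere (net.inet.tcp.syncache).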
Phew, almost done.  Sorry, and thanks!
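The encoding the report describes (MSS and WSCALE as 3-bit table indexes plus one SACK bit, the rest of the ISN a SipHash-2-4 tag over the connection 4-tuple), worked through as an added example in Python. It is not code from the commit or from FreeBSD's syncache: the bit layout, the two index tables, the 24-bit tag width, the two-key rotation selected by a parity bit, and the addresses in the test are assumptions of this example, modelled on the report's description. The SipHash-2-4 function itself is the published algorithm.

```python
"""SYN-cookie model of the scheme in the report: MSS, WSCALE and SACK packed
into the ISN as 3 + 3 + 1 bits, the remaining 24 bits a truncated SipHash-2-4
MAC. Illustrative example only, not FreeBSD's syncache code; the bit layout,
index tables and key-rotation scheme are assumptions of this example."""
import hmac
import ipaddress
import os
import struct

MASK64 = (1 << 64) - 1


def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64


def siphash24(key, msg):
    """SipHash-2-4 (Aumasson/Bernstein): 128-bit key, 64-bit keyed output."""
    k0 = int.from_bytes(key[:8], "little")
    k1 = int.from_bytes(key[8:16], "little")
    v = [k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573]

    def sipround():  # one ARX round over the four 64-bit state words
        v[0] = (v[0] + v[1]) & MASK64; v[1] = _rotl(v[1], 13) ^ v[0]; v[0] = _rotl(v[0], 32)
        v[2] = (v[2] + v[3]) & MASK64; v[3] = _rotl(v[3], 16) ^ v[2]
        v[0] = (v[0] + v[3]) & MASK64; v[3] = _rotl(v[3], 21) ^ v[0]
        v[2] = (v[2] + v[1]) & MASK64; v[1] = _rotl(v[1], 17) ^ v[2]; v[2] = _rotl(v[2], 32)

    n = len(msg)
    full = n - n % 8
    for i in range(0, full, 8):  # two compression rounds per 8-byte word
        m = int.from_bytes(msg[i:i + 8], "little")
        v[3] ^= m; sipround(); sipround(); v[0] ^= m
    last = ((n & 0xFF) << 56) | int.from_bytes(msg[full:], "little")  # length-padded tail
    v[3] ^= last; sipround(); sipround(); v[0] ^= last
    v[2] ^= 0xFF  # finalisation: four rounds
    for _ in range(4):
        sipround()
    return v[0] ^ v[1] ^ v[2] ^ v[3]


# Assumed index tables (FreeBSD's real tables may differ). A 3-bit index i
# recovers table[i]; we store the largest entry not exceeding what the peer
# advertised, so the recovered value never overstates the peer's capability.
MSS_TAB = (216, 536, 996, 1200, 1400, 1452, 1460, 8960)
WSCALE_TAB = (0, 1, 2, 4, 6, 7, 8, 14)  # shift counts; RFC 1323 caps at 14


def _quantize(table, value):
    idx = 0
    for i, v in enumerate(table):
        if v <= value:
            idx = i
    return idx


class SynCookies:
    """Cookie layout (assumed): bit 0 = key parity, bit 1 = SACK permitted,
    bits 2-4 = WSCALE index, bits 5-7 = MSS index; bits 8-31 = SipHash-2-4
    over (peer addr, local addr, peer port, local port, flag byte), 24 bits."""

    def __init__(self, secrets=None):
        # Two keys; the parity bit records which one signed a cookie, so keys
        # can rotate without rejecting SYN-ACKs that are already in flight.
        self.secrets = list(secrets) if secrets else [os.urandom(16), os.urandom(16)]
        self.current = 0

    def rotate(self, new_key=None):
        self.current ^= 1
        self.secrets[self.current] = new_key or os.urandom(16)

    @staticmethod
    def _mac24(key, peer, local, pport, lport, flags):
        msg = (ipaddress.ip_address(peer).packed + ipaddress.ip_address(local).packed
               + struct.pack("!HHB", pport, lport, flags))
        return siphash24(key, msg) & 0xFFFFFF

    def make_isn(self, peer, local, pport, lport, mss, wscale, sack_ok):
        """ISN for our SYN-ACK; no per-connection state is kept locally."""
        flags = ((self.current & 1) | (int(bool(sack_ok)) << 1)
                 | (_quantize(WSCALE_TAB, wscale) << 2) | (_quantize(MSS_TAB, mss) << 5))
        mac = self._mac24(self.secrets[self.current], peer, local, pport, lport, flags)
        return (mac << 8) | flags

    def check_ack(self, peer, local, pport, lport, ack):
        """Verify the ACK's acknowledgment number (our ISN + 1) and recover
        (mss, wscale, sack_ok); None if the cookie does not verify."""
        isn = (ack - 1) & 0xFFFFFFFF
        flags = isn & 0xFF
        want = self._mac24(self.secrets[flags & 1], peer, local, pport, lport, flags)
        # Constant-time compare. A 24-bit tag still lets a blind forger win with
        # probability 2^-24 per ACK, which is why the keys are rotated.
        if not hmac.compare_digest((isn >> 8).to_bytes(3, "big"), want.to_bytes(3, "big")):
            return None
        return MSS_TAB[flags >> 5], WSCALE_TAB[(flags >> 2) & 7], bool(flags & 2)
```

Rounding down to the nearest table entry is what makes 3 bits enough: a 1380-byte MSS comes back as 1200 and a shift count of 9 comes back as 8, which only ever makes us slightly conservative, whereas the old MSS-only cookie silently dropped the scale factor altogether. Because the flag byte is inside the MAC input, an attacker cannot flip the SACK bit or inflate the WSCALE index in a replayed cookie without invalidating the tag, and the parity bit lets a key rotation happen between SYN-ACK and ACK without losing the handshake.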