From owner-freebsd-ipfw@freebsd.org Thu Feb 25 17:58:24 2021
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 253476] ipfw keepalive: tcp_do_segment: Timestamp missing, segment silently dropped
Date: Thu, 25 Feb 2021 17:58:22 +0000
List-Id: IPFW Technical Discussions
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.0-STABLE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: rscheff@freebsd.org
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: ipfw@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253476

--- Comment #12 from Richard Scheffenegger ---

We discussed this behavior in the #transport call today. The stack behaves according to RFC7323 with the default options. The consensus of the groups was that the TCP stack default should not be changed. The current behavior of ipfw with the injected keepalive would break with other (non-fbsd) stacks which adhere to RFC7323 just the same.
Two other remediation options were discussed:

a) retain more state in ipfw when a timestamp option is present, and use the most recent TSval / ecr combination observed when injecting the keepalive

b) intercept the 3WHS and remove the timestamp option there.

Option a) was preferred heavily - option b) fails when the firewall only gets to see an ongoing session (e.g. rerouting events) but not the syn, and reduces the information available to the TCP endpoints to run a number of mechanisms designed to improve performance and enhance data integrity at high speeds.

Option a) could still fail, for example if ipfw does not see the most recent segment in the direction where the keepalive is to be injected - as per RFC7323, old timestamp values render the segment not acceptable. But in the vast majority of instances, that approach will make ipfw compliant with RFC7323.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.
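The receiver-side rules that comment #12 relies on, worked through as an added, constructed Python model. This is not ipfw or FreeBSD tcp_input code: it models only the two RFC 7323 checks that decide the fate of an injected keepalive (a segment with no timestamp option after timestamps were negotiated is discarded; a TSval older than TS.Recent fails PAWS) and the per-direction state an ipfw-like firewall would have to keep for option a). The scenario names, the 10-tick TSval sequence, the fixed TSecr of 7 and the simplified TS.Recent update are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added, constructed model (not FreeBSD tcp_input or ipfw code) of the RFC 7323
# timestamp checks a receiving TCP applies, and of the per-direction state an
# ipfw-like firewall would keep under option (a). Scenario names, tick values
# and the simplified TS.Recent update are assumptions made for this example.

TS_MASK = 0xFFFFFFFF


def ts_lt(a: int, b: int) -> bool:
    """True when 32-bit timestamp a is older than b, modulo 2**32."""
    return ((a - b) & TS_MASK) >= 0x80000000


@dataclass
class Segment:
    seq: int
    ack: int
    length: int = 0                          # payload bytes
    ts: Optional[Tuple[int, int]] = None     # (TSval, TSecr); None = no TSopt


@dataclass
class Receiver:
    """Minimal endpoint: only the timestamp-related acceptance checks."""
    ts_negotiated: bool
    ts_recent: int = 0                       # TS.Recent (RFC 7323 section 4.3)
    log: List[str] = field(default_factory=list)

    def accept(self, seg: Segment) -> bool:
        if not self.ts_negotiated:
            return True                      # no TSopt on the SYN: nothing to check
        if seg.ts is None:
            # RFC 7323 section 3.2: once negotiated, a non-RST segment without
            # TSopt is discarded (FreeBSD: "Timestamp missing, segment silently dropped").
            self.log.append("dropped: timestamp missing")
            return False
        tsval, _tsecr = seg.ts
        if ts_lt(tsval, self.ts_recent):
            # PAWS (RFC 7323 section 5): a TSval older than TS.Recent is not acceptable.
            self.log.append("dropped: PAWS, stale TSval")
            return False
        # Simplification: TS.Recent is refreshed on every acceptable segment;
        # the RFC additionally requires SEG.SEQ <= Last.ACK.sent for the update.
        self.ts_recent = tsval
        return True


@dataclass
class FlowState:
    """What a firewall remembers for one direction of a flow under option (a)."""
    snd_nxt: int = 0
    last_ack: int = 0
    last_ts: Optional[Tuple[int, int]] = None

    def observe(self, seg: Segment) -> None:
        self.snd_nxt = seg.seq + seg.length
        self.last_ack = seg.ack
        if seg.ts is not None:
            self.last_ts = seg.ts

    def keepalive(self, with_timestamps: bool) -> Segment:
        # A keepalive probe carries SEG.SEQ = SND.NXT - 1 and no data; under
        # option (a) it also carries the most recent TSval/TSecr seen this way.
        return Segment(seq=self.snd_nxt - 1, ack=self.last_ack,
                       ts=self.last_ts if with_timestamps else None)


SCENARIOS = ("current_behaviour", "option_a",
             "option_a_missed_last_segment", "no_timestamps_negotiated")


def run_scenario(name: str) -> Tuple[bool, str]:
    """Inject a firewall keepalive client->server; return (accepted, reason)."""
    if name not in SCENARIOS:
        raise ValueError(f"unknown scenario {name!r}")
    server = Receiver(ts_negotiated=(name != "no_timestamps_negotiated"))
    fw = FlowState()
    # Constructed client->server traffic: three 10-byte segments whose TSval
    # ticks 1000, 1010, 1020 (TSecr fixed at 7 for brevity).
    segs = [Segment(seq=100 + 10 * i, ack=500, length=10,
                    ts=(1000 + 10 * i, 7) if server.ts_negotiated else None)
            for i in range(3)]
    for i, seg in enumerate(segs):
        server.accept(seg)
        if name == "option_a_missed_last_segment" and i == len(segs) - 1:
            continue                          # segment rerouted around the firewall
        fw.observe(seg)
    probe = fw.keepalive(with_timestamps=name.startswith("option_a"))
    accepted = server.accept(probe)
    return accepted, "accepted" if accepted else server.log[-1]


if __name__ == "__main__":
    for scenario in SCENARIOS:
        print(f"{scenario:32s} -> {run_scenario(scenario)}")
```

Running the module prints the four cases side by side: the current ipfw behaviour (probe without TSopt) is dropped as "timestamp missing"; option a) with the last observed TSval/TSecr is accepted; option a) after the firewall missed the most recent segment is dropped by PAWS, which is exactly the residual failure the comment describes; and a flow that never negotiated timestamps accepts the bare probe, which is the situation option b) would force.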