Date: Tue, 22 Jun 2010 06:18:12 -0300
From: Fernando Gont <fernando@gont.com.ar>
To: freebsd-net@freebsd.org
Cc: Andre Oppermann <andre@freebsd.org>
Subject: Extended SYN cookies
Message-ID: <4C207FD4.2060300@gont.com.ar>
Hi, folks,

I have a few questions wrt the FreeBSD TCP extended syncookies. I'm quoting the explanation in the code:

> * Timestamp we send:
> * 31|................................|0
> *   DDDDDDDDDDDDDDDDDDDDDDSSSSRRRRA5
> * D = MD5 Digest (third dword) (only as filler)

What about the second MD5 dword? -- It doesn't seem to be used anywhere...

> * S = Requested send window scale
> * R = Requested receive window scale

What's this snd_window rcv_window thing? I mean, why do you need to include in the cookie the TCP wscale option *you* advertised? Isn't it expected to be the same in all cases?

> * A = SACK allowed
> * 5 = TCP-MD5 enabled (not implemented yet)
> * XORed with MD5 Digest (forth dword)

Any reason for XOR'ing the timestamp with the MD5 Digest?

> * The timestamp isn't cryptographically secure and doesn't need to be.

What's the motivator of this comment? MD5 itself (used here) being cryptographically weak, or what?

> * Some problems with SYN cookies remain however:
> * Consider the problem of a recreated (and retransmitted) cookie. If the
> * original SYN was accepted, the connection is established. The second
> * SYN is inflight, and if it arrives with an ISN that falls within the
> * receive window, the connection is killed.

What do you mean by "recreated", specifically?

Thanks!

Kind regards,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
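As an added illustration of the timestamp layout in the quoted comment (this is example code, not FreeBSD's implementation nor the author's), the following packs and unpacks the D/S/R/A/5 fields and applies the XOR with a caller-supplied 32-bit word standing in for the digest's fourth dword; the struct and function names, and the shift-count sanity check on decode, are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/*
 * Illustrative encoder/decoder for the layout in the quoted comment
 * (assumed field semantics, not FreeBSD's code):
 *   31|................................|0
 *     DDDDDDDDDDDDDDDDDDDDDDSSSSRRRRA5
 * D: 22 filler bits from the MD5 digest, S/R: 4-bit window scales,
 * A: SACK allowed, 5: TCP-MD5. The packed word is XORed with a second
 * 32-bit digest word ("mask" below) before it is sent as the TS value.
 */
#define TS_DIGEST_MASK   0x3fffffU  /* 22 bits */
#define TS_WSCALE_MASK   0x0fU      /* 4 bits */
#define TCP_MAX_WINSHIFT 14         /* RFC 7323 upper bound on a shift count */

struct syncookie_ts {
    uint32_t digest;      /* D: filler (only the low 22 bits are kept) */
    uint8_t  snd_wscale;  /* S */
    uint8_t  rcv_wscale;  /* R */
    bool     sack_ok;     /* A */
    bool     tcp_md5;     /* 5 */
};

uint32_t syncookie_ts_encode(const struct syncookie_ts *f, uint32_t mask)
{
    uint32_t ts = (f->digest & TS_DIGEST_MASK) << 10;
    ts |= (uint32_t)(f->snd_wscale & TS_WSCALE_MASK) << 6;
    ts |= (uint32_t)(f->rcv_wscale & TS_WSCALE_MASK) << 2;
    ts |= (f->sack_ok ? 1U : 0U) << 1;
    ts |= (f->tcp_md5 ? 1U : 0U);
    return ts ^ mask;   /* the XOR only scrambles the bits; no secrecy is claimed */
}

/* Returns false when a recovered shift count exceeds the RFC limit, which
 * is what a cookie decoded with the wrong mask (or a damaged one) may show. */
bool syncookie_ts_decode(uint32_t ts, uint32_t mask, struct syncookie_ts *f)
{
    ts ^= mask;
    f->digest     = (ts >> 10) & TS_DIGEST_MASK;
    f->snd_wscale = (ts >> 6) & TS_WSCALE_MASK;
    f->rcv_wscale = (ts >> 2) & TS_WSCALE_MASK;
    f->sack_ok    = (ts >> 1) & 1U;
    f->tcp_md5    = ts & 1U;
    return f->snd_wscale <= TCP_MAX_WINSHIFT && f->rcv_wscale <= TCP_MAX_WINSHIFT;
}
```

Note that the range check only catches some wrong-mask decodes: a shift count of 15 is the single rejected value per field, so a mismatched mask is not reliably detected from the timestamp alone.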