From: Fernando Gont
Date: Tue, 22 Jun 2010 06:18:12 -0300
To: freebsd-net@freebsd.org
Cc: Andre Oppermann
Subject: Extended SYN cookies
Message-ID: <4C207FD4.2060300@gont.com.ar>
List-Id: Networking and TCP/IP with FreeBSD

Hi, folks,

I have a few questions wrt the FreeBSD TCP extended syncookies. I'm quoting the explanation in the code:

> * Timestamp we send:
> * 31|................................|0
> * DDDDDDDDDDDDDDDDDDDDDDSSSSRRRRA5
> * D = MD5 Digest (third dword) (only as filler)

What about the second MD5 dword? -- It doesn't seem to be used anywhere...

> * S = Requested send window scale
> * R = Requested receive window scale

What's this snd_window rcv_window thing? I mean, why do you need to include in the cookie the TCP wscale option *you* advertised? Isn't it expected to be the same in all cases?

> * A = SACK allowed
> * 5 = TCP-MD5 enabled (not implemented yet)
> * XORed with MD5 Digest (fourth dword)

Any reason for XOR'ing the timestamp with the MD5 Digest?

> * The timestamp isn't cryptographically secure and doesn't need to be.

What's the motivator of this comment? MD5 itself (used here) being cryptographically weak, or what?

> * Some problems with SYN cookies remain however:
> * Consider the problem of a recreated (and retransmitted) cookie. If the
> * original SYN was accepted, the connection is established. The second
> * SYN is inflight, and if it arrives with an ISN that falls within the
> * receive window, the connection is killed.

What do you mean by "recreated", specifically?

Thanks!

Kind regards,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
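The following is an added illustration of the timestamp layout quoted in the message above (bit 31 down to bit 0: 22 bits of MD5 filler, 4 bits send wscale, 4 bits receive wscale, 1 bit SACK, 1 bit TCP-MD5, the whole word XORed with the fourth digest dword). It is not FreeBSD's syncache code and does not compute MD5: the two digest dwords are caller-supplied constructed constants, and the choice to take the filler from the top 22 bits of the third dword is an assumption. It shows how the option fields survive the XOR round trip when the same digest word is used, and how decoding with a different word (a different connection or a rotated secret) yields unrelated field values.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Bit positions follow the quoted syncache comment:
 *   31 ........................... 0
 *   DDDDDDDDDDDDDDDDDDDDDDSSSSRRRRA5
 * This is an added example, not FreeBSD's implementation.
 */
#define TS_MD5_BIT        0x1u    /* bit 0:     "5" TCP-MD5 enabled        */
#define TS_SACK_BIT       0x2u    /* bit 1:     "A" SACK allowed           */
#define TS_RWSCALE_SHIFT  2       /* bits 2-5:  "R" requested rcv wscale   */
#define TS_SWSCALE_SHIFT  6       /* bits 6-9:  "S" requested snd wscale   */
#define TS_WSCALE_MASK    0xfu
#define TS_FILLER_SHIFT   10      /* bits 10-31: "D" digest filler         */
#define TS_FILLER_MASK    (~((1u << TS_FILLER_SHIFT) - 1u))

struct ts_fields {
    unsigned snd_wscale;   /* 0..15 */
    unsigned rcv_wscale;   /* 0..15 */
    int sack_ok;
    int md5_enabled;
};

/*
 * Build the timestamp. md5_w3 stands in for the "third dword" (filler only,
 * assumed here to contribute its top 22 bits); md5_w4 stands in for the
 * "fourth dword" used as the XOR mask. Both are constructed inputs.
 */
uint32_t ts_encode(unsigned snd_wscale, unsigned rcv_wscale, int sack_ok,
                   int md5_enabled, uint32_t md5_w3, uint32_t md5_w4)
{
    uint32_t ts = md5_w3 & TS_FILLER_MASK;
    ts |= (snd_wscale & TS_WSCALE_MASK) << TS_SWSCALE_SHIFT;
    ts |= (rcv_wscale & TS_WSCALE_MASK) << TS_RWSCALE_SHIFT;
    if (sack_ok)
        ts |= TS_SACK_BIT;
    if (md5_enabled)
        ts |= TS_MD5_BIT;
    return ts ^ md5_w4;
}

/* Undo the XOR with the same fourth dword and pull the option fields back out. */
struct ts_fields ts_decode(uint32_t ts, uint32_t md5_w4)
{
    struct ts_fields f;
    ts ^= md5_w4;
    f.snd_wscale  = (ts >> TS_SWSCALE_SHIFT) & TS_WSCALE_MASK;
    f.rcv_wscale  = (ts >> TS_RWSCALE_SHIFT) & TS_WSCALE_MASK;
    f.sack_ok     = (ts & TS_SACK_BIT) != 0;
    f.md5_enabled = (ts & TS_MD5_BIT) != 0;
    return f;
}

/* Returns 1 if every option field survives encode -> decode with the same mask. */
int ts_roundtrip_ok(unsigned snd, unsigned rcv, int sack, int md5,
                    uint32_t md5_w3, uint32_t md5_w4)
{
    struct ts_fields out =
        ts_decode(ts_encode(snd, rcv, sack, md5, md5_w3, md5_w4), md5_w4);
    return out.snd_wscale == (snd & TS_WSCALE_MASK) &&
           out.rcv_wscale == (rcv & TS_WSCALE_MASK) &&
           out.sack_ok == !!sack && out.md5_enabled == !!md5;
}

int main(void)
{
    /* Constructed digest words; a real cookie would derive them from MD5. */
    const uint32_t w3 = 0xDEADBEEFu, w4 = 0x12345678u;
    uint32_t ts = ts_encode(7, 3, 1, 0, w3, w4);
    struct ts_fields good = ts_decode(ts, w4);
    struct ts_fields bad  = ts_decode(ts, 0x00000000u);  /* wrong mask */

    printf("timestamp sent: 0x%08x\n", ts);
    printf("same mask : snd=%u rcv=%u sack=%d md5=%d\n",
           good.snd_wscale, good.rcv_wscale, good.sack_ok, good.md5_enabled);
    printf("wrong mask: snd=%u rcv=%u sack=%d md5=%d\n",
           bad.snd_wscale, bad.rcv_wscale, bad.sack_ok, bad.md5_enabled);
    return 0;
}
```

The round trip only works because the receiver regenerates the identical fourth dword for the echoed timestamp; any validation logic built on this layout therefore has to check the recovered fields for sanity (window scales within 0..14, for instance) rather than trusting them, since an arbitrary timestamp still decodes to some value.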