From owner-freebsd-security Sat Jan 22 19: 6:42 2000 Delivered-To: freebsd-security@freebsd.org Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id CA8C115029 for ; Sat, 22 Jan 2000 19:06:35 -0800 (PST) (envelope-from gdonl@tsc.tdk.com) Received: from imap.gv.tsc.tdk.com (imap.gv.tsc.tdk.com [192.168.241.198]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id TAA27073; Sat, 22 Jan 2000 19:06:27 -0800 (PST) (envelope-from gdonl@tsc.tdk.com) Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by imap.gv.tsc.tdk.com (8.9.3/8.9.3) with ESMTP id TAA58553; Sat, 22 Jan 2000 19:06:27 -0800 (PST) (envelope-from Don.Lewis@tsc.tdk.com) Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id TAA18458; Sat, 22 Jan 2000 19:06:26 -0800 (PST) From: Don Lewis Message-Id: <200001230306.TAA18458@salsa.gv.tsc.tdk.com> Date: Sat, 22 Jan 2000 19:06:26 -0800 In-Reply-To: <4.2.2.20000122083929.01a5aa90@localhost> References: <4.2.2.20000122083929.01a5aa90@localhost> X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98) To: Brett Glass , Don Lewis Subject: Re: Re[2]: explanation and code for stream.c issues Cc: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Jan 22, 8:52am, Brett Glass wrote: } Subject: Re: Re[2]: explanation and code for stream.c issues } True. But y'know, he does have a point. Shouldn't tcp_input() drop } or reject anything with certain combinations of flags really early on? } } About 15 years ago (has it been that long?) I wrote part of a TCP/IP } stack for a class at Stanford. The first statement in the routine } which was the equivalent of tcp_input() checksummed the packet. } The second one was a "case" (this was Pascal) that broke out } cases for every combination of the TCP option flags. (The } compiler implemented case statements as jump tables, so this } was fast.) } } Do you think it's worth doing that here, both for clarity and } for speed? It would probably help to catch all the issues involving } option flags, and it would be more efficient than the current } structure (which does lots of tests one at a time and is harder to } follow). The current code was written for speed rather than for clarity and tries to optimize the most commonly used path through the code. In the old days, CPUs were slow. Today, contemplate gigabit Ethernet ... I suspect that if you try to implement this as a big switch, you'll end up with either a lot of duplicate code or a bunch of gotos, and a lot of what happens depends at least as much on the state of the connection. Don't forget that the SYN and FIN bits can be trimmed off if they fall outside the window. RST is more of a unique case, but even it needs to pass sequence checks that depend on the state of the connection. I'm wondering if it might make more sense to generate IPv4 and IPv6 version unique versions of the code from a common m4 or cpp ancestor rather than to fill the code with a mass of ifdefs and inline protocol version tests. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message