From: Fabian Keil
To: Andre Oppermann
Cc: freebsd-current@freebsd.org
Subject: Re: Improved SYN Cookies: Looking for testers
Date: Fri, 12 Jul 2013 12:56:46 +0200
Message-ID: <20130712125640.6d194bd2@fabiankeil.de>
In-Reply-To: <51DE6E86.6080707@freebsd.org>
References: <51DA68B8.6070201@freebsd.org> <20130710151821.5a8cf38a@fabiankeil.de> <51DE6E86.6080707@freebsd.org>
List-Id: Discussions about the use of FreeBSD-current

Andre Oppermann wrote:

> On 10.07.2013 15:18, Fabian Keil wrote:
> > Andre Oppermann wrote:
> >
> >> We have a SYN cookie implementation for quite some time now but it
> >> has some limitations with current realities for window scaling and
> >> SACK encoding in the few available bits.
[...]
> >> http://people.freebsd.org/~andre/syncookie-20130708.diff
> >
> > I've been using the patch for a couple of days and didn't notice any
> > issues so far. Privoxy's regression tests continue to work as expected
> > as well.
>
> Thanks for testing and reporting back.
>
> Could you test with net.inet.tcp.log_debug and net.inet.tcp.syncookies_only=1
> as well to bypass the syn cache entirely?

I haven't noticed any issues with net.inet.tcp.syncookies_only=1.

> It will give a bit of debug log output which is mostly telling you about
> rounding to the next nearest index value. You can send the output privately
> to me to spot unexpected outliers, if any.

One unexpected outlier seems to be:

Jul 11 12:42:51 r500 kernel: [10947] TCP: [10.0.0.1]:62972 to [10.0.0.1]:8118 tcpflags 0x18; tcp_do_segment: FIN_WAIT_2: Received 27 bytes of data after socket was closed, sending RST and removing tcpcb
Jul 11 12:42:51 r500 kernel: [10947] TCP: [10.0.0.1]:62972 to [10.0.0.1]:8118 tcpflags 0x11; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)

This also seems to have resulted in two reset packets:

fk@r500 ~/test/wireshark $ tcpdump -vv -n -r syncookie-test.pcap dst port 62972
reading from file syncookie-test.pcap, link-type NULL (BSD loopback)
12:42:47.033832 IP (tos 0x0, ttl 64, id 17522, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->e248)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [S.], cksum 0x8c5f (correct), seq 1633309846, ack 61471870, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 4243589075 ecr 4051741531], length 0
12:42:47.138107 IP (tos 0x0, ttl 64, id 17582, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->e214)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0xef2f (correct), seq 1, ack 183, win 1275, options [nop,nop,TS val 4243589180 ecr 4051741536], length 0
12:42:47.785762 IP (tos 0x0, ttl 64, id 17592, offset 0, flags [DF], proto TCP (6), length 120, bad cksum 0 (->e1c6)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x7209 (correct), seq 1:69, ack 183, win 1275, options [nop,nop,TS val 4243589827 ecr 4051741536], length 68
12:42:47.945156 IP (tos 0x0, ttl 64, id 17609, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->e1f9)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0xe80f (correct), seq 69, ack 325, win 1275, options [nop,nop,TS val 4243589987 ecr 4051742343], length 0
12:42:48.470035 IP (tos 0x0, ttl 64, id 17678, offset 0, flags [DF], proto TCP (6), length 550, bad cksum 0 (->dfc2)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x3ce0 (correct), seq 69:567, ack 325, win 1275, options [nop,nop,TS val 4243590511 ecr 4051742343], length 498
12:42:48.599754 IP (tos 0x0, ttl 64, id 17683, offset 0, flags [DF], proto TCP (6), length 550, bad cksum 0 (->dfbd)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x0a10 (correct), seq 567:1065, ack 325, win 1275, options [nop,nop,TS val 4243590641 ecr 4051743067], length 498
12:42:48.699161 IP (tos 0x0, ttl 64, id 17688, offset 0, flags [DF], proto TCP (6), length 2465, bad cksum 0 (->d83d)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x92bd (correct), seq 1065:3478, ack 325, win 1275, options [nop,nop,TS val 4243590741 ecr 4051743197], length 2413
12:42:48.824428 IP (tos 0x0, ttl 64, id 17706, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->e198)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0xd2da (correct), seq 3478, ack 592, win 1275, options [nop,nop,TS val 4243590867 ecr 4051743216], length 0
12:42:48.924148 IP (tos 0x0, ttl 64, id 17713, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->e191)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0xd1dd (correct), seq 3478, ack 639, win 1275, options [nop,nop,TS val 4243590966 ecr 4051743323], length 0
12:42:49.725732 IP (tos 0x0, ttl 64, id 17769, offset 0, flags [DF], proto TCP (6), length 99, bad cksum 0 (->e12a)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x7969 (correct), seq 3478:3525, ack 639, win 1275, options [nop,nop,TS val 4243591767 ecr 4051743323], length 47
12:42:49.833378 IP (tos 0x0, ttl 64, id 17784, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->e14a)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0xc9a7 (correct), seq 3525, ack 882, win 1275, options [nop,nop,TS val 4243591876 ecr 4051744225], length 0
12:42:50.436702 IP (tos 0x0, ttl 64, id 17801, offset 0, flags [DF], proto TCP (6), length 550, bad cksum 0 (->df47)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x3f05 (correct), seq 3525:4023, ack 882, win 1275, options [nop,nop,TS val 4243592478 ecr 4051744225], length 498
12:42:50.539394 IP (tos 0x0, ttl 64, id 17847, offset 0, flags [DF], proto TCP (6), length 5051, bad cksum 0 (->cd84)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x1b29 (correct), seq 4023:9022, ack 882, win 1275, options [nop,nop,TS val 4243592581 ecr 4051745037], length 4999
12:42:50.639133 IP (tos 0x0, ttl 64, id 17860, offset 0, flags [DF], proto TCP (6), length 7204, bad cksum 0 (->c50e)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x7f02 (correct), seq 9022:16174, ack 882, win 1275, options [nop,nop,TS val 4243592681 ecr 4051745137], length 7152
12:42:50.673745 IP (tos 0x0, ttl 64, id 17867, offset 0, flags [DF], proto TCP (6), length 16384, bad cksum 0 (->a12b)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0x1f1d (correct), seq 16174:32506, ack 882, win 1275, options [nop,nop,TS val 4243592715 ecr 4051745137], length 16332
12:42:50.673796 IP (tos 0x0, ttl 64, id 17869, offset 0, flags [DF], proto TCP (6), length 1244, bad cksum 0 (->dc4d)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0xf717 (correct), seq 32506:33698, ack 882, win 1275, options [nop,nop,TS val 4243592715 ecr 4051745171], length 1192
12:42:50.769080 IP (tos 0x0, ttl 64, id 17883, offset 0, flags [DF], proto TCP (6), length 16384, bad cksum 0 (->a11b)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [.], cksum 0x6a4e (correct), seq 33698:50030, ack 882, win 1275, options [nop,nop,TS val 4243592811 ecr 4051745171], length 16332
12:42:50.769123 IP (tos 0x0, ttl 64, id 17885, offset 0, flags [DF], proto TCP (6), length 2532, bad cksum 0 (->d735)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x4cde (correct), seq 50030:52510, ack 882, win 1275, options [nop,nop,TS val 4243592811 ecr 4051745267], length 2480
12:42:50.869118 IP (tos 0x0, ttl 64, id 17908, offset 0, flags [DF], proto TCP (6), length 13592, bad cksum 0 (->abea)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0xd9bf (correct), seq 52510:66050, ack 882, win 1275, options [nop,nop,TS val 4243592911 ecr 4051745367], length 13540
12:42:50.980382 IP (tos 0x0, ttl 64, id 17938, offset 0, flags [DF], proto TCP (6), length 550, bad cksum 0 (->debe)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0x9e13 (correct), seq 66050:66548, ack 882, win 1275, options [nop,nop,TS val 4243593022 ecr 4051745383], length 498
12:42:51.080184 IP (tos 0x0, ttl 64, id 17953, offset 0, flags [DF], proto TCP (6), length 3538, bad cksum 0 (->d303)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [P.], cksum 0xe297 (correct), seq 66548:70034, ack 882, win 1275, options [nop,nop,TS val 4243593122 ecr 4051745578], length 3486
12:42:51.126696 IP (tos 0x0, ttl 64, id 17960, offset 0, flags [DF], proto TCP (6), length 1484, bad cksum 0 (->db02)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [FP.], cksum 0xd00a (correct), seq 70034:71466, ack 882, win 1275, options [nop,nop,TS val 4243593168 ecr 4051745578], length 1432
12:42:51.173301 IP (tos 0x0, ttl 64, id 17981, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->e091)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [R], cksum 0xb90f (correct), seq 1633381313, win 0, length 0
12:42:51.173330 IP (tos 0x0, ttl 64, id 17983, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->e08f)!)
    10.0.0.1.8118 > 10.0.0.1.62972: Flags [R], cksum 0xb90f (correct), seq 1633381313, win 0, length 0

Client and server are running on the same system.

As I don't usually use net.inet.tcp.log_debug and haven't been able to intentionally
reproduce the issue (but have seen it a few times), I'm not sure yet if the behaviour
is actually related to the SYN cookie changes at all.

Fabian
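Added example, not part of Fabian's message or of FreeBSD's own code: a small Python parser for net.inet.tcp.log_debug output of the shape quoted above. It decodes the tcpflags byte into flag names, groups events by 4-tuple so a rejection can be read next to what happened to the same connection just before it, and flags the syncache_expand SYNCOOKIE rejections Andre asked testers to report. The regular expression is derived from the two real log lines in the message; the third sample line is constructed and is not real kernel output.

```python
"""Parse FreeBSD net.inet.tcp.log_debug output and flag SYN cookie rejections."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# TCP flag bits in header order; the kernel prints th_flags as "tcpflags 0x..".
TCP_FLAG_BITS = (
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
)

# Pattern derived from the two log lines quoted in the message:
#   ... TCP: [src]:sport to [dst]:dport tcpflags 0xNN; function: message
LOG_RE = re.compile(
    r"TCP: \[(?P<src>[^\]]+)\]:(?P<sport>\d+) to \[(?P<dst>[^\]]+)\]:(?P<dport>\d+)"
    r" tcpflags (?P<flags>0x[0-9a-fA-F]+); (?P<func>\w+): (?P<msg>.*)$"
)

ConnKey = Tuple[str, int, str, int]


@dataclass
class TcpLogEvent:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    func: str
    msg: str

    @property
    def conn(self) -> ConnKey:
        return (self.src, self.sport, self.dst, self.dport)

    @property
    def flag_names(self) -> List[str]:
        return decode_tcpflags(self.flags)

    @property
    def syncookie_failure(self) -> bool:
        # The rejection is logged by syncache_expand() and names SYNCOOKIE.
        return self.func == "syncache_expand" and "SYNCOOKIE" in self.msg


def decode_tcpflags(value: int) -> List[str]:
    """Turn the hex tcpflags byte into flag names, lowest bit first."""
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def parse_log_line(line: str) -> Optional[TcpLogEvent]:
    """Return the parsed event, or None for lines that are not TCP debug output."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return TcpLogEvent(
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        flags=int(m["flags"], 16), func=m["func"], msg=m["msg"],
    )


def parse_log(lines: Iterable[str]) -> List[TcpLogEvent]:
    return [ev for ev in map(parse_log_line, lines) if ev is not None]


def syncookie_failures(lines: Iterable[str]) -> List[TcpLogEvent]:
    return [ev for ev in parse_log(lines) if ev.syncookie_failure]


def events_by_connection(lines: Iterable[str]) -> Dict[ConnKey, List[TcpLogEvent]]:
    """Group events by 4-tuple, preserving log order within each connection."""
    grouped: Dict[ConnKey, List[TcpLogEvent]] = defaultdict(list)
    for ev in parse_log(lines):
        grouped[ev.conn].append(ev)
    return dict(grouped)


# Sample input: the two lines quoted in the message above, plus one
# constructed line on a different connection (not real kernel output)
# and one unrelated line, to show what is and is not flagged.
SAMPLE_LOG = [
    "Jul 11 12:42:51 r500 kernel: [10947] TCP: [10.0.0.1]:62972 to [10.0.0.1]:8118 "
    "tcpflags 0x18; tcp_do_segment: FIN_WAIT_2: Received 27 bytes of data after "
    "socket was closed, sending RST and removing tcpcb",
    "Jul 11 12:42:51 r500 kernel: [10947] TCP: [10.0.0.1]:62972 to [10.0.0.1]:8118 "
    "tcpflags 0x11; syncache_expand: Segment failed SYNCOOKIE authentication, "
    "segment rejected (probably spoofed)",
    "Jul 11 12:42:52 r500 kernel: [10948] TCP: [10.0.0.1]:50000 to [10.0.0.1]:8118 "
    "tcpflags 0x02; syncache_add: (constructed sample line)",
    "Jul 11 12:42:52 r500 kernel: unrelated message",
]


if __name__ == "__main__":
    for conn, events in events_by_connection(SAMPLE_LOG).items():
        print("%s:%d -> %s:%d" % conn)
        for ev in events:
            mark = "  <-- SYN cookie rejection" if ev.syncookie_failure else ""
            print("  %-8s %-16s %s%s" % ("|".join(ev.flag_names), ev.func, ev.msg[:60], mark))
```

Run against a saved /var/log/messages excerpt, the grouped view puts the flags of the rejected segment (here FIN|ACK, not SYN) next to the tcp_do_segment event for the same 4-tuple, which is the first thing to look at when deciding whether a "probably spoofed" line is worth reporting.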