Re: [PATCH 1/3] Support arbitrary initial TCP timestamps

From: Glenn Griffin
Date: Mon Feb 18 2008 - 17:38:40 EST

Next message: Dan Williams: "Re: [RFC v3 4/7] dmaengine: Add slave DMA interface"
Previous message: Borislav Petkov: "Re: 2.6.25-rc1/2 CD/DVD burning broken"
In reply to: David Miller: "Re: [PATCH 1/3] Support arbitrary initial TCP timestamps"
Next in thread: Glenn Griffin: "Re: [PATCH 1/3] Support arbitrary initial TCP timestamps"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Adding yet another member to the already bloated tcp_sock structure to
> implement this is too high a cost.

Yes, I was worried that would be deemed too high of a cost, but it was
the most efficient way I could think to accomplish what I wanted.

> I would instead prefer that there be some global random number
> calculated when the first TCP socket is created, and use that as a
> global offset. You can even recompute it every few hours if you
> like.

That would work fine if my mine purpose was to randomize the tcp
timestamp to mitigate the leak in information regarding uptime, but
despite the brief description, that's only a side effect of what I
intended to do. What I wanted was a way to be able to choose an initial
tcp timestamp for a particular connection that was not tied directly to
jiffies.

The two patches following this show my intended use case. I intend to
enhance syncookie support to allow it to support advanced tcp options
(sack and window scaling). Normally syncookies encode the bare minimum
state of a connection in the ISN they choose, but the 32bit ISN isn't
enough to encode advanced tcp options so you are left with a working but
crippled tcp stack during a synflood attack. If in addition to choosing
an ISN we are able to choose an initial tcp timestamp, we are then able
to encode an additional 32 bits of information that can contain more of
the advanced tcp options.

This stems from a discussion about implementing IPv6 support for
syncookies, and the main concern being that syncookies disabled too many
valuable tcp features to be relevant on modern systems. Many people
stood in opposition to that statement, but it did not seem as though a
general consensus was reached. http://lkml.org/lkml/2008/2/4/396

I'm always open to alternatives.

--Glenn
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dan Williams: "Re: [RFC v3 4/7] dmaengine: Add slave DMA interface"
Previous message: Borislav Petkov: "Re: 2.6.25-rc1/2 CD/DVD burning broken"
In reply to: David Miller: "Re: [PATCH 1/3] Support arbitrary initial TCP timestamps"
Next in thread: Glenn Griffin: "Re: [PATCH 1/3] Support arbitrary initial TCP timestamps"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]