Re: [PATCH 00/19] tcp: Initial support for RFC5925 auth option

[Leonard Crestez]

On 9/25/21 4:35 AM, David Ahern wrote:
> On 9/23/21 1:38 AM, Leonard Crestez wrote:
> > On 9/22/21 11:23 PM, Francesco Ruggeri wrote:
> > > On Tue, Sep 21, 2021 at 9:15 AM Leonard Crestez <cdleonard@xxxxxxxxx>
> > > wrote:
> > > > * Sequence Number Extension not implemented so connections will flap
> > > > every ~4G of traffic.
> > >
> > > Could you expand on this?
> > > What exactly do you mean by flap? Will the connection be terminated?
> > > I assume that depending on the initial sequence numbers the first flaps
> > > may occur well before 4G.
> > > Do you use a SNE of 0 in the hash computation, or do you just not include
> > > the SNE in it?
> >
> > SNE is hardcoded to zero, with the logical consequence of incorrect
> > signatures on sequence number wrapping. The SNE has to be included
> > because otherwise all signatures would be invalid.
> >
> > You are correct that this can break much sooner than 4G of traffic, but
> > still in the GB range on average. I didn't test the exact behavior (not
> > clear how) but if signatures don't validate the connection will likely
> > timeout.
>
> This is for BGP and LDP connections. What's the expected frequency of
> rollover for large FIBs? Seems like it could be fairly often.

Implementing SNE is obviously required for standard conformance, I'm not 
claiming it is not needed. I will include this in a future version.

I skipped it because it has very few interactions with the rest of the 
code so it can be implemented separately. Many tests can pass just fine 
ignoring SNE.

--
Regards,
Leonard