mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-18 10:35:55 +00:00
81d392a09d
information into the ISN (initial sequence number) without the additional use of timestamp bits and switching to the very fast and cryptographically strong SipHash-2-4 MAC hash algorithm to protect the SYN cookie against forgeries. The purpose of SYN cookies is to encode all necessary session state in the 32 bits of our initial sequence number to avoid storing any information locally in memory. This is especially important when under heavy spoofed SYN attacks where we would either run out of memory or the syncache would fill with bogus connection attempts swamping out legitimate connections. The original SYN cookies method only stored an indexed MSS values in the cookie. This isn't sufficient anymore and breaks down in the presence of WSCALE information which is only exchanged during SYN and SYN-ACK. If we can't keep track of it then we may severely underestimate the available send or receive window. This is compounded with large windows whose size information on the TCP segment header is even lower numerically. A number of years back SYN cookies were extended to store the additional state in the TCP timestamp fields, if available on a connection. While timestamps are common among the BSD, Linux and other *nix systems Windows never enabled them by default and thus are not present for the vast majority of clients seen on the Internet. The common parameters used on TCP sessions have changed quite a bit since SYN cookies very invented some 17 years ago. Today we have a lot more bandwidth available making the use window scaling almost mandatory. Also SACK has become standard making recovering from packet loss much more efficient. This change moves all necessary information into the ISS removing the need for timestamps. Both the MSS (16 bits) and send WSCALE (4 bits) are stored in 3 bit indexed form together with a single bit for SACK. While this is significantly less than the original range, it is sufficient to encode all common values with minimal rounding. The MSS depends on the MTU of the path and with the dominance of ethernet the main value seen is around 1460 bytes. Encapsulations for DSL lines and some other overheads reduce it by a few more bytes for many connections seen. Rounding down to the next lower value in some cases isn't a problem as we send only slightly more packets for the same amount of data. The send WSCALE index is bit more tricky as rounding down under-estimates the available send space available towards the remote host, however a small number values dominate and are carefully selected again. The receive WSCALE isn't encoded at all but recalculated based on the local receive socket buffer size when a valid SYN cookie returns. A listen socket buffer size is unlikely to change while active. The index values for MSS and WSCALE are selected for minimal rounding errors based on large traffic surveys. These values have to be periodically validated against newer traffic surveys adjusting the arrays tcp_sc_msstab[] and tcp_sc_wstab[] if necessary. In addition the hash MAC to protect the SYN cookies is changed from MD5 to SipHash-2-4, a much faster and cryptographically secure algorithm. Reviewed by: dwmalone Tested by: Fabian Keil <fk@fabiankeil.de> |
||
|---|---|---|
| .. | ||
| files | ||
| files.amd64 | ||
| files.arm | ||
| files.i386 | ||
| files.ia64 | ||
| files.mips | ||
| files.pc98 | ||
| files.powerpc | ||
| files.sparc64 | ||
| kern.mk | ||
| kern.post.mk | ||
| kern.pre.mk | ||
| kmod_syms.awk | ||
| kmod.mk | ||
| ldscript.amd64 | ||
| ldscript.arm | ||
| ldscript.i386 | ||
| ldscript.ia64 | ||
| ldscript.mips | ||
| ldscript.mips.cfe | ||
| ldscript.mips.mips64 | ||
| ldscript.mips.octeon1 | ||
| ldscript.powerpc | ||
| ldscript.powerpc64 | ||
| ldscript.sparc64 | ||
| Makefile.amd64 | ||
| Makefile.arm | ||
| Makefile.i386 | ||
| Makefile.ia64 | ||
| Makefile.mips | ||
| Makefile.pc98 | ||
| Makefile.powerpc | ||
| Makefile.sparc64 | ||
| makeLINT.mk | ||
| makeLINT.sed | ||
| newvers.sh | ||
| NOTES | ||
| options | ||
| options.amd64 | ||
| options.arm | ||
| options.i386 | ||
| options.ia64 | ||
| options.mips | ||
| options.pc98 | ||
| options.powerpc | ||
| options.sparc64 | ||
| systags.sh | ||
| WITHOUT_SOURCELESS | ||
| WITHOUT_SOURCELESS_HOST | ||
| WITHOUT_SOURCELESS_UCODE | ||