>Synopsis: tcp keep-alives sent without timestamps
>Category: kernel
>Environment:
System : OpenBSD 5.7
Details : OpenBSD 5.7-current (GENERIC) #860: Mon Apr 13 20:58:42 MDT 2015
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
Architecture: OpenBSD.amd64
Machine : amd64
>Description:
TCP keep-alive messages sent by OpenBSD do not include timestamp
options. When using pf tcp normalisation, this breaks e.g. ssh(1)
from OpenBSD to illumos after transmission of a keep-alive.
On (at least) illumos, after receiving an empty ACK like this in a
connection which was initiated using timestamps in the SYN, the
following data packets sent by the illumos host will not include
timestamps either (I'm discussing on their mailing lists [0]
whether that makes sense). This is a problem if those data
packets are scrubbed with reassemble tcp when received by
OpenBSD; they will get dropped, because previous data packets
*did* include timestamps [pf_norm.c:1252 onwards].
>How-To-Repeat:
- set sysctl net.inet.tcp.keepidle to a low value
- open a tcp connection with SO_KEEPALIVE to an illumos host,
e.g. using ssh (TCPKeepAlive=yes is the default)
- let the connection idle for half the amount of
net.inet.tcp.keepidle
- observe that data packets get delivered to the illumos host,
but no data packets make it back. With 'pfctl -x notice',
observe that pf_norm.c:1283 is reached.
>Fix:
Include timestamp options in TCP keep-alive ACKs when the
connection uses them for other packets.
[0]:
https://www.listbox.com/member/archive/182193/2015/04/sort/time_rev/page/1/entry/0:1/20150414115040:F678B734-E2BD-11E4-A441-A07D3EA1AED1/
--
Lauri Tirkkonen | lotheac @ IRCnet
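
Added example, not part of the original report and not pf's code: a simplified C model of the behaviour described above, where a data segment without a TCP timestamp option is dropped once earlier data segments from the same sender carried one. The names peer_state, check_segment and replay_report_scenario are hypothetical, and the option bytes are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>

enum { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_TIMESTAMP = 8, TCPOLEN_TIMESTAMP = 10 };
enum verdict { PASS, DROP };
struct peer_state { int data_ts_seen; };   /* hypothetical per-sender state */

/* 1 = well-formed timestamp option present, 0 = absent, -1 = malformed options */
int tcp_opts_have_timestamp(const uint8_t *opt, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t kind = opt[i];
        if (kind == TCPOPT_EOL)
            break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= len || opt[i + 1] < 2 || i + opt[i + 1] > len)
            return -1;                      /* truncated or bogus length */
        if (kind == TCPOPT_TIMESTAMP)
            return opt[i + 1] == TCPOLEN_TIMESTAMP ? 1 : -1;
        i += opt[i + 1];
    }
    return 0;
}

/* Simplified model of the rule in the report: after a sender's data segments
 * carried timestamps, a data segment without one is dropped. Empty ACKs pass. */
enum verdict check_segment(struct peer_state *st, const uint8_t *opt,
                           size_t optlen, size_t payload_len)
{
    int ts = tcp_opts_have_timestamp(opt, optlen);
    if (ts < 0)
        return DROP;
    if (ts == 1) {
        if (payload_len > 0)
            st->data_ts_seen = 1;
        return PASS;
    }
    return (st->data_ts_seen && payload_len > 0) ? DROP : PASS;
}

/* Constructed sample: NOP, NOP, timestamp option (TSval=1, TSecr=2) */
static const uint8_t OPTS_WITH_TS[] = { 1, 1, 8, 10, 0, 0, 0, 1, 0, 0, 0, 2 };

/* Remote host's data with timestamps, then data without; verdict for the latter. */
enum verdict replay_report_scenario(void)
{
    struct peer_state remote = { 0 };
    check_segment(&remote, OPTS_WITH_TS, sizeof OPTS_WITH_TS, 64);
    return check_segment(&remote, NULL, 0, 64);
}

int main(void) { return replay_report_scenario() == DROP ? 0 : 1; }
```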