On 10.07.2013 15:18, Fabian Keil wrote:
Andre Oppermann <an...@freebsd.org> wrote:We have a SYN cookie implementation for quite some time now but it has some limitations with current realities for window scaling and SACK encoding the in the few available bits. This patch updates and improves SYN cookies mainly by: a) encoding of MSS, WSCALE (window scaling) and SACK into the ISN (initial sequence number) without the use of timestamp bits. b) switching to the very fast and cryptographically strong SipHash-2-4 hash MAC algorithm to protect the SYN cookie against forgery. The patch had been reviewed by dwmalone (cookies) and cperciva (siphash). Please find it here for testing: http://people.freebsd.org/~andre/syncookie-20130708.diffI've been using the patch for a couple of days and didn't notice any issues so far. Privoxy's regression tests continue to work as expected as well.
Thanks for testing and reporting back. Could you test with net.inet.tcp.log_debug and net.inet.tcp.syncookies_only=1 as well to bypass the syn cache entirely? It will give a bit of debug log output which is it telling you mostly about rounding to the next nearest index value. You can send the output privately to me to spot unexpected outliers, if any.
BTW, I think kern/173309 could be closed.
OK. -- Andre _______________________________________________ freebsd-current@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
