Date: Thu, 24 Jan 2008 01:07:44 -0600 (CST)
From: Mike Silbersack
To: Andre Oppermann
Cc: Mike Silbersack, kmacy@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org, src-committers@FreeBSD.org, freebsd-net@freebsd.org
Subject: Re: cvs commit: src/sys/netinet tcp_syncache.c
Message-ID: <20080124005006.D93697@odysseus.silby.com>
In-Reply-To: <4797B77E.2090605@freebsd.org>
References: <200711200656.lAK6u4bc021279@repoman.freebsd.org> <4797B77E.2090605@freebsd.org>

On Wed, 23 Jan 2008, Andre Oppermann wrote:

> OTOH the enforcement of this rule wasn't really there before and it
> may be argued that we've got a POLA violation here. A careful reading

That's exactly the point. We were not enforcing timestamps since...
whenever the RFC1323 code went in. Then we start enforcing them, and
start getting bug reports while we're still in the beta phase. That
indicates to me that we would've been likely to see many reports as
time went on.

If you want to put the check back in, but hide it behind a sysctl that
is disabled by default, that would be ok with me. I'm not generally
opposed to security improvements that only affect edge cases... but
being unable to connect is not an edge case!

-Mike