From owner-freebsd-net@FreeBSD.ORG Thu Jul 11 08:36:28 2013
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 8DBC44C1 for ; Thu, 11 Jul 2013 08:36:28 +0000 (UTC) (envelope-from andre@freebsd.org)
Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.freebsd.org (Postfix) with ESMTP id F30ED1ACF for ; Thu, 11 Jul 2013 08:36:27 +0000 (UTC)
Received: (qmail 87857 invoked from network); 11 Jul 2013 09:27:04 -0000
Received: from c00l3r.networx.ch (HELO [127.0.0.1]) ([62.48.2.2]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 11 Jul 2013 09:27:04 -0000
Message-ID: <51DE6E86.6080707@freebsd.org>
Date: Thu, 11 Jul 2013 10:36:22 +0200
From: Andre Oppermann
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: Fabian Keil
Subject: Re: Improved SYN Cookies: Looking for testers
References: <51DA68B8.6070201@freebsd.org> <20130710151821.5a8cf38a@fabiankeil.de>
In-Reply-To: <20130710151821.5a8cf38a@fabiankeil.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 11 Jul 2013 08:36:28 -0000

On 10.07.2013 15:18, Fabian Keil wrote:
> Andre Oppermann wrote:
>
>> We have had a SYN cookie implementation for quite some time now, but it
>> has some limitations with current realities for window scaling and
>> SACK encoding in the few available bits.
>>
>> This patch updates and improves SYN cookies mainly by:
>>
>> a) encoding of MSS, WSCALE (window scaling) and SACK into the ISN
>> (initial sequence number) without the use of timestamp bits.
>>
>> b) switching to the very fast and cryptographically strong SipHash-2-4
>> hash MAC algorithm to protect the SYN cookie against forgery.
>>
>> The patch had been reviewed by dwmalone (cookies) and cperciva (siphash).
>>
>> Please find it here for testing:
>>
>> http://people.freebsd.org/~andre/syncookie-20130708.diff
>
> I've been using the patch for a couple of days and didn't notice any
> issues so far. Privoxy's regression tests continue to work as expected
> as well.

Thanks for testing and reporting back.

Could you test with net.inet.tcp.log_debug and net.inet.tcp.syncookies_only=1
as well to bypass the syn cache entirely? It will give a bit of debug log
output which is telling you mostly about rounding to the next nearest index
value. You can send the output privately to me to spot unexpected outliers,
if any.

> BTW, I think kern/173309 could be closed.

OK.

-- 
Andre
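The scheme the quoted announcement describes, as an added illustration in Python (this is not Andre's patch or FreeBSD's tcp_syncache code; the linked diff has the real layout): a SipHash-2-4 MAC over the connection 4-tuple and the peer's ISN is truncated to 24 bits and combined with 8 bits holding a rounded MSS index, a WSCALE index, the SACK flag and a key-period parity bit, so a SYN cache entry is not needed. The 8-bit layout, the option tables, the `flow` tuple and the `period` counter are constructed for this example.

```python
import hmac, struct

MASK = (1 << 64) - 1
_rotl = lambda x, b: ((x << b) | (x >> (64 - b))) & MASK   # 64-bit rotate left

def siphash24(key, data):
    """SipHash-2-4 keyed MAC over `data` with a 16-byte key; returns a 64-bit int."""
    k0, k1 = struct.unpack("<QQ", key)
    v = [k0 ^ 0x736f6d6570736575, k1 ^ 0x646f72616e646f6d,
         k0 ^ 0x6c7967656e657261, k1 ^ 0x7465646279746573]
    def rnd(v0, v1, v2, v3):                 # one SipRound
        v0 = (v0 + v1) & MASK; v1 = _rotl(v1, 13) ^ v0; v0 = _rotl(v0, 32)
        v2 = (v2 + v3) & MASK; v3 = _rotl(v3, 16) ^ v2
        v0 = (v0 + v3) & MASK; v3 = _rotl(v3, 21) ^ v0
        v2 = (v2 + v1) & MASK; v1 = _rotl(v1, 17) ^ v2; v2 = _rotl(v2, 32)
        return [v0, v1, v2, v3]
    full = len(data) & ~7
    words = [int.from_bytes(data[i:i + 8], "little") for i in range(0, full, 8)]
    words.append((len(data) & 0xff) << 56 | int.from_bytes(data[full:], "little"))
    for m in words:                          # 2 compression rounds per 64-bit word
        v[3] ^= m; v = rnd(*rnd(*v)); v[0] ^= m
    v[2] ^= 0xff
    for _ in range(4): v = rnd(*v)           # 4 finalization rounds
    return v[0] ^ v[1] ^ v[2] ^ v[3]

# Constructed option tables (3 bits each): offered values are rounded DOWN to the
# nearest entry so the recovered value never exceeds what the peer announced.
MSS_TAB = (216, 536, 1200, 1360, 1400, 1440, 1452, 1460)
WSCALE_TAB = (0, 1, 2, 3, 4, 6, 8, 14)
def _idx(tab, value):
    return max((i for i, t in enumerate(tab) if t <= value), default=0)

def _mac24(key, flow, flags, period):        # flow = (laddr, lport, faddr, fport, peer_isn)
    msg = struct.pack("<4sH4sHIBQ", *flow, flags, period)  # period: coarse key-rotation counter
    return siphash24(key, msg) & 0xffffff    # 24 MAC bits sit above the 8 flag bits

def make_cookie(key, flow, mss, wscale, sack_ok, period):
    """ISN = MAC(24) | mss_idx(3) | wscale_idx(3) | sack(1) | period parity(1)."""
    flags = (_idx(MSS_TAB, mss) << 5 | _idx(WSCALE_TAB, wscale) << 2
             | int(sack_ok) << 1 | (period & 1))
    return _mac24(key, flow, flags, period) << 8 | flags

def check_cookie(key, flow, isn, period):
    """Return (mss, wscale, sack_ok) if the ACKed ISN verifies for this or the previous period."""
    flags, mac = isn & 0xff, (isn >> 8).to_bytes(3, "big")
    for p in (period, (period - 1) & MASK):  # parity bit tells which period to try
        if (p & 1) == (flags & 1) and hmac.compare_digest(
                _mac24(key, flow, flags, p).to_bytes(3, "big"), mac):
            return MSS_TAB[flags >> 5], WSCALE_TAB[(flags >> 2) & 7], bool((flags >> 1) & 1)
    return None                              # forged, stale, or a different 4-tuple
```

With only 24 MAC bits, a forger who guesses one cookie per attempt still needs on the order of 2^24 ACKs per connection, and a stale cookie from two or more periods back is rejected outright.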