From owner-freebsd-current@FreeBSD.ORG Wed Jul 10 13:18:35 2013
Date: Wed, 10 Jul 2013 15:18:22 +0200
From: Fabian Keil
To: Andre Oppermann
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org
Subject: Re: Improved SYN Cookies: Looking for testers
Message-ID: <20130710151821.5a8cf38a@fabiankeil.de>
In-Reply-To: <51DA68B8.6070201@freebsd.org>
References: <51DA68B8.6070201@freebsd.org>
List-Id: Discussions about the use of FreeBSD-current

Andre Oppermann wrote:

> We have a SYN cookie implementation for quite some time now but it
> has some limitations with current realities for window scaling and
> SACK encoding in the few available bits.
>
> This patch updates and improves SYN cookies mainly by:
>
> a) encoding of MSS, WSCALE (window scaling) and SACK into the ISN
>    (initial sequence number) without the use of timestamp bits.
>
> b) switching to the very fast and cryptographically strong SipHash-2-4
>    hash MAC algorithm to protect the SYN cookie against forgery.
>
> The patch had been reviewed by dwmalone (cookies) and cperciva (siphash).
>
> Please find it here for testing:
>
> http://people.freebsd.org/~andre/syncookie-20130708.diff

I've been using the patch for a couple of days and didn't notice any
issues so far. Privoxy's regression tests continue to work as expected
as well.

BTW, I think kern/173309 could be closed.

Fabian
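The scheme Andre's quoted message describes, TCP options encoded directly in the ISN and a SipHash-2-4 MAC guarding the cookie against forgery, worked through as an added example. This is not code from the original message or from the FreeBSD patch: the bit layout (a 24-bit MAC truncation in bits 31..8, a 3-bit MSS table index, a 4-bit window scale and one SACK bit), the MSS table, the 4-tuple struct, the demo key and the sample flow are all assumptions of this example; the FreeBSD implementation lays its bits out differently and rotates its secret over time. The SipHash-2-4 core follows the published reference algorithm and is checked against its published test vectors.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* SipHash-2-4 with 64-bit output (Aumasson/Bernstein), little-endian loads. */
#define ROTL64(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND(v0, v1, v2, v3) do {                                   \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);       \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                            \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                            \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);       \
} while (0)

static uint64_t le64(const uint8_t *p, size_t n) /* load n <= 8 bytes LE */
{
    uint64_t r = 0;
    for (size_t i = 0; i < n; i++)
        r |= (uint64_t)p[i] << (8 * i);
    return r;
}

uint64_t siphash24(const uint8_t key[16], const uint8_t *in, size_t len)
{
    uint64_t k0 = le64(key, 8), k1 = le64(key + 8, 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    size_t i;
    for (i = 0; i + 8 <= len; i += 8) {            /* full 8-byte words */
        uint64_t m = le64(in + i, 8);
        v3 ^= m; SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3); v0 ^= m;
    }
    /* last block: remaining bytes plus (len mod 256) in the top byte */
    uint64_t b = ((uint64_t)len << 56) | le64(in + i, len - i);
    v3 ^= b; SIPROUND(v0, v1, v2, v3); SIPROUND(v0, v1, v2, v3); v0 ^= b;
    v2 ^= 0xff;                                     /* finalization: 4 rounds */
    for (int r = 0; r < 4; r++) SIPROUND(v0, v1, v2, v3);
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Illustrative SYN-cookie layout (an assumption of this example, not FreeBSD's):
 *   bits 31..8  24-bit truncation of SipHash-2-4(key, 4-tuple || option byte)
 *   bits  7..5  MSS table index         bits 4..1  window scale (0..14)
 *   bit      0  SACK permitted                                              */
struct flow { uint32_t laddr, faddr; uint16_t lport, fport; };
struct synopts { uint8_t mss_idx, wscale, sack; };

/* MSS values selectable by a 3-bit index (table contents are illustrative). */
const uint16_t mss_table[8] = { 216, 536, 1200, 1360, 1400, 1440, 1452, 1460 };

static uint8_t pack_opts(const struct synopts *o)
{
    return (uint8_t)(((o->mss_idx & 7u) << 5) | ((o->wscale & 15u) << 1) | (o->sack & 1u));
}

/* MAC over the connection 4-tuple and the option byte, placed in bits 31..8. */
static uint32_t cookie_mac(const uint8_t key[16], const struct flow *f, uint8_t opts)
{
    uint8_t buf[13];
    memcpy(buf, &f->laddr, 4); memcpy(buf + 4, &f->faddr, 4);
    memcpy(buf + 8, &f->lport, 2); memcpy(buf + 10, &f->fport, 2);
    buf[12] = opts;
    return (uint32_t)(siphash24(key, buf, sizeof buf) >> 40) << 8;
}

/* ISN to send in the SYN-ACK: authenticated tag plus the encoded options. */
uint32_t syncookie_generate(const uint8_t key[16], const struct flow *f,
                            const struct synopts *o)
{
    uint8_t opts = pack_opts(o);
    return cookie_mac(key, f, opts) | opts;
}

/* On the peer's ACK: returns 1 and recovers the options if ack-1 is a valid
 * cookie for this 4-tuple under this key, 0 otherwise (no state is consulted). */
int syncookie_verify(const uint8_t key[16], const struct flow *f, uint32_t ack,
                     struct synopts *o)
{
    uint32_t cookie = ack - 1;                 /* peer acknowledges ISN + 1 */
    uint8_t opts = (uint8_t)(cookie & 0xffu);  /* option bits are MAC input */
    if (((cookie & 0xffffff00u) ^ cookie_mac(key, f, opts)) != 0)
        return 0;
    o->mss_idx = opts >> 5; o->wscale = (opts >> 1) & 15u; o->sack = opts & 1u;
    return 1;
}

int main(void)
{
    uint8_t key[16];
    for (int i = 0; i < 16; i++) key[i] = (uint8_t)i;  /* demo key, not a secret */
    struct flow f = { 0x0a000001u, 0xc0a80005u, 443, 51234 };   /* constructed flow */
    struct synopts want = { 7, 7, 1 }, got;
    uint32_t isn = syncookie_generate(key, &f, &want);
    printf("ISN %08x valid=%d forged=%d\n", isn,
           syncookie_verify(key, &f, isn + 1, &got),
           syncookie_verify(key, &f, (isn ^ 0x01u) + 1, &got));
    return 0;
}
```

Two properties matter here. Because the option byte is part of the MAC input, a peer cannot flip the SACK or window-scale bits of a cookie it was given and still pass verification, and because no timestamp bits are consumed the full 32-bit ISN is available for tag and options. The price is that only 24 bits of tag remain, so a blind forger has about a 2^-24 chance per guess of a valid cookie for a given 4-tuple and option byte; the key must be secret and rotated, and a real implementation also has to accept cookies minted under the previous key for a short window.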