Subject: Re: interrupt rate from a NIC
To: Martin Husemann <martin@duskware.de>
From: Kevin Lahey <kml@selresearch.net>
List: tech-net
Date: 03/07/2003 12:28:39

On Fri, 7 Mar 2003 09:35:06 +0100
Martin Husemann <martin@duskware.de> wrote:

> Could someone please remind me why the syn-cookie approach was considered bad?

I've always thought it was a bad idea because you can't properly preserve
all of the TCP options that arrive with the SYN, including stuff like
MSS, SACK ok, timestamps, etc.  Now, I think that you *could* actually
squeeze the important stuff into the sequence number, but then it wouldn't
be very random, because you wouldn't have many extra bits to play with.

I was a little surprised to see that FreeBSD now uses SYN cookies.
A brief perusal of the code suggests that they assume that the MSS will
compress into just a couple of bits, which could present some interesting
problems, especially with things like MSS clamping (another possibly 
questionable hack, but, hey, there it is).  I didn't read on to see what
they were doing about window scaling.

As far as the SACK okay and the rest of it, well, unexpectedly providing
timestamps or SACK options really *shouldn't* confuse a modern TCP
implementation.  OTOH, it *is* strictly speaking a violation of the
appropriate standards.

Did I read the FreeBSD code right, or am I just confused?

Kevin
kml@selresearch.net
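
The trade-off discussed in this message, as an added example that is not part of the original e-mail and is not FreeBSD's code: a SYN cookie that spends 2 bits of the initial sequence number on an MSS index and the remaining 30 on a keyed hash. The table values, struct and function names, and the bit layout are assumptions made for illustration; the FNV-style mixer stands in for a real keyed cryptographic hash, and the time counter a real cookie carries is left out.

```c
#include <stdint.h>

/* Hypothetical 2-bit MSS table, constructed for this example. */
static const uint16_t mss_tab[4] = { 216, 536, 1024, 1460 };

struct syn_opts { uint16_t mss; uint8_t wscale, sack_ok, has_ts; };
struct flow { uint32_t saddr, daddr; uint16_t sport, dport; uint32_t irs; };

/* Largest table entry not above the peer's MSS; below the floor, use the floor. */
static uint32_t mss_to_idx(uint16_t mss)
{
    uint32_t i = 3;
    while (i > 0 && mss_tab[i] > mss)
        i--;
    return i;
}

/* Stand-in keyed mixer (FNV-1a over the words); NOT a cryptographic MAC. */
static uint32_t mix(uint32_t secret, const struct flow *f, uint32_t idx)
{
    uint32_t in[6] = { secret, f->saddr, f->daddr,
                       ((uint32_t)f->sport << 16) | f->dport, f->irs, idx };
    uint32_t h = 2166136261u;
    for (int i = 0; i < 6; i++)
        for (int b = 0; b < 32; b += 8) {
            h ^= (in[i] >> b) & 0xffu;
            h *= 16777619u;
        }
    return h;
}

/* Cookie used as our ISN: 30 bits of keyed hash, low 2 bits = MSS index. */
uint32_t cookie_make(uint32_t secret, const struct flow *f,
                     const struct syn_opts *o)
{
    uint32_t idx = mss_to_idx(o->mss);
    return (mix(secret, f, idx) & ~3u) | idx;
}

/* On the final ACK: 0 and the surviving options, or -1 if the cookie is bad. */
int cookie_check(uint32_t secret, const struct flow *f, uint32_t cookie,
                 struct syn_opts *o)
{
    uint32_t idx = cookie & 3u;
    if ((mix(secret, f, idx) & ~3u) != (cookie & ~3u))
        return -1;
    o->mss = mss_tab[idx];                    /* rounded down, not the original */
    o->wscale = o->sack_ok = o->has_ts = 0;   /* no bits left to carry these */
    return 0;
}
```

With this constructed table, a SYN whose MSS was clamped to 1452 comes back from the cookie as 1024, and window scaling, SACK-permitted and timestamps are gone by the time the connection is established.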