[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: TCP SYN Cookies for NetBSD
On 11/5/2012 6:03 PM, Mouse wrote:
Don't they break TCP's retransmission semantics? Certainly SYN cookies
as I understand them do. If the third packet of the three-way
handshake (the pure ACK) is lost, neither end is going to retransmit
ever, the active host because it thinks it has an established
connection and the passive host because it has - this is the whole
point of SYN cookies - no state to retransmit based on.
Thus, we have a half-open connection. If the active peer sends data
without expecting anything from the passive peer first, I'd expect an
RST. If the other way around, the connection is permanently wedged.
I don't consider either consequence acceptable.
It's not obvious to me from the patches - are these SYN cookies
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents-montreal.org@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Yes, that situation is possible. However I wouldn't go as far as to say
a connection is "permanently" wedged as eventually the client or the
server will attempt to transmit data, a keepalive if the connection was
never intended to transmit data, or the connection will time out due to
inactivity. If an RST is generated the peer will do the right thing and
clean up the connection.
This is obviously not ideal, but as a method to avoid syn cache
exhaustion (or to avoid creating a syn cache at all) I believe it is
acceptable. I also believe leaving syn cookies as an option (compile
time, sysctl, etc) for the user will give reasonable flexibility for
people who don't like this tradeoff.
Main Index |
Thread Index |