Re: TCP SYN Cookies for NetBSD

[je <netbsd%8192.net@localhost>]

On 11/5/2012 6:03 PM, Mouse wrote:
> > [...SYN cookies...]
>
> Don't they break TCP's retransmission semantics?  Certainly SYN cookies
> as I understand them do.  If the third packet of the three-way
> handshake (the pure ACK) is lost, neither end is going to retransmit
> ever, the active host because it thinks it has an established
> connection and the passive host because it has - this is the whole
> point of SYN cookies - no state to retransmit based on.
>
> Thus, we have a half-open connection.  If the active peer sends data
> without expecting anything from the passive peer first, I'd expect an
> RST.  If the other way around, the connection is permanently wedged.
>
> I don't consider either consequence acceptable.
>
> It's not obvious to me from the patches - are these SYN cookies
> something else?
>
> /~\ The ASCII                             Mouse
> \ / Ribbon Campaign
>   X  Against HTML               mouse%rodents-montreal.org@localhost
> / \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

Yes, that situation is possible. However I wouldn't go as far as to say 
a connection is "permanently" wedged as eventually the client or the 
server will attempt to transmit data, a keepalive if the connection was 
never intended to transmit data, or the connection will time out due to 
inactivity. If an RST is generated the peer will do the right thing and 
clean up the connection.

This is obviously not ideal, but as a method to avoid syn cache 
exhaustion (or to avoid creating a syn cache at all) I believe it is 
acceptable. I also believe leaving syn cookies as an option (compile 
time, sysctl, etc) for the user will give reasonable flexibility for 
people who don't like this tradeoff.

John