tech-net archive


Re: TCP SYN Cookies for NetBSD



    Date:        Mon, 5 Nov 2012 21:03:32 -0500 (EST)
    From:        Mouse <mouse%Rodents-Montreal.ORG@localhost>
    Message-ID:  <201211060203.VAA17232%Sparkle.Rodents-Montreal.ORG@localhost>

  | If the third packet of the three-way handshake (the pure ACK) is lost,
  | neither end is going to retransmit ever,

That's true, but relatively harmless, in that TCP (or the apps) need
to have some mechanism to recover from this anyway, as it is a state
that TCP can get into even without SYN cookies (a server that uses
SYN cookies is no different from a server that has crashed just after
sending the 2nd packet of the 3 way handshake, causing the 3rd packet,
the ACK, to be lost, along with all state at the server).

With SYN cookies, the server certainly doesn't care when the ACK is lost
(as you say, it has no state, so never even realises anything happened),
and the client has to be able to recover anyway, so all use of SYN
cookies really does is (possibly) increase the likelihood that the
recovery mechanism (whatever it is) will be exercised more frequently.

If there's no recovery mechanism, then enabling SYN cookie use on
the server is a good thing, as it will highlight the apps that need
remedial work of one form or another (which might be as simple as
a timeout on the wait for the initial message from the server, if
that is the way the protocol is designed).

kre
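
The recovery mentioned in the last paragraph above, a timeout on the wait for the server's initial message, shown as an added example (not part of the original post or of NetBSD). The function names, the greeting string and the loopback stand-in server, which holds a connection open without answering to reproduce what the client sees after a lost ACK, are all assumptions made for the illustration.

```python
import socket
import threading

GREETING = b"220 ready\r\n"  # constructed sample greeting, not from the thread

def read_greeting(addr, timeout=0.3, attempts=3):
    """Return (attempt_number, greeting) from a server that speaks first.

    A connection that is ESTABLISHED on our side but silent is what a lost
    handshake ACK looks like to the client, so give up on it after
    `timeout` seconds and start over with a fresh SYN.
    """
    for attempt in range(1, attempts + 1):
        try:
            with socket.create_connection(addr, timeout=timeout) as sock:
                sock.settimeout(timeout)      # bound the wait for the greeting
                data = sock.recv(512)
                if data:
                    return attempt, data
        except socket.timeout:
            pass                              # silent peer: drop it and reconnect
    raise TimeoutError(f"no greeting after {attempts} attempts")

def _stand_in_server(listener, silent):
    """Accept `silent` connections without replying, then greet the next one."""
    held = []
    for i in range(silent + 1):
        conn, _ = listener.accept()
        if i < silent:
            held.append(conn)                 # the server side never answers
        else:
            conn.sendall(GREETING)
            conn.close()
    for conn in held:
        conn.close()

def demo(silent=1):
    """Run the client against the loopback stand-in; returns (attempt, greeting)."""
    with socket.create_server(("127.0.0.1", 0)) as listener:
        worker = threading.Thread(target=_stand_in_server,
                                  args=(listener, silent), daemon=True)
        worker.start()
        result = read_greeting(listener.getsockname())
        worker.join(timeout=2)
        return result

if __name__ == "__main__":
    print(demo())
```

Without the `settimeout` bound, the first `recv` would block indefinitely on the silent connection, which is the client behaviour the message says SYN cookies would expose.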

