Subject: Re: SYN cookie ?
To: None <suxm@gnuchina.org>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-kern
Date: 04/19/2001 18:05:37
>             client           NetBSD Firewall           server
>             ------          ----------          ------
>    1.        SYN----------- - - - - - - - - - ->
>    2.           <------------SYN-ACK(cookie)
>    3.        ACK----------- - - - - - - - - - ->

Now, assume that the #3 packet is dropped.

At this point, the firewall using cookies has no connection state.

The client is waiting for the server to send something.

The client now hangs forever waiting for a packet which will never
arrive.


> >Is it realistically feasible?  Not meaning "can it be done" but "can it be
> >done right"?

syn cookies cannot be done correctly because of the way TCP is
defined.

					- Bill
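The lost-third-packet scenario above, as an added simulation that is not part of the thread and not NetBSD code. It models a Bernstein-style SYN cookie (5 bits of time slot, 3 bits of MSS index, 24 bits of keyed hash in the server ISN) next to a conventional stateful listener, runs a handshake in which the client's ACK is dropped, and reports what each side ends up with. The flow tuple, the secret, the MSS table and the clock value are constructed for the example; the application protocol is assumed to be server-speaks-first (as with SMTP on port 25), which is the case in which the client sits in ESTABLISHED with nothing to prompt it.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed flow for the simulation: (client ip, client port, server ip, server port).
FLOW = ("192.0.2.10", 40000, "198.51.100.1", 25)
MSS_TABLE = (536, 1220, 1440, 1460)   # toy MSS table; the index fits in 3 cookie bits


@dataclass
class Seg:
    flags: str
    seq: int
    ack: int = 0
    mss: int = 1460


def _h24(secret, flow, client_isn, t):
    """24-bit keyed hash binding the cookie to the flow, the client ISN and the time slot."""
    msg = f"{flow}|{client_isn}|{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, flow, client_isn, mss, t):
    """Server ISN = 5 bits of time slot | 3 bits of MSS index | 24 bits of hash."""
    idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss)
    return ((t & 31) << 27) | (idx << 24) | _h24(secret, flow, client_isn, t)


def check_cookie(secret, flow, client_isn, cookie, now):
    """Return the encoded MSS if the cookie is fresh and authentic, else None."""
    t = cookie >> 27
    if (now - t) & 31 > 1:           # only the current and previous time slot are accepted
        return None
    if cookie & 0xFFFFFF != _h24(secret, flow, client_isn, t):
        return None
    return MSS_TABLE[(cookie >> 24) & 7]


class CookieServer:
    """Stateless listener: nothing is recorded until a valid third-packet ACK arrives."""
    def __init__(self, secret=b"constructed-secret", now=7):
        self.secret, self.now, self.established = secret, now, {}

    def on_syn(self, flow, syn):
        isn = make_cookie(self.secret, flow, syn.seq, syn.mss, self.now)
        return Seg("SYN-ACK", seq=isn, ack=syn.seq + 1)

    def on_ack(self, flow, ack):
        mss = check_cookie(self.secret, flow, ack.seq - 1, (ack.ack - 1) & 0xFFFFFFFF, self.now)
        if mss is None:
            return None
        self.established[flow] = mss
        return Seg("DATA", seq=ack.ack, ack=ack.seq)   # server-speaks-first greeting

    def on_rto(self):
        return []          # no half-open entry exists, so there is nothing to retransmit


class StatefulServer:
    """Conventional listener: half-open entries are kept and the SYN-ACK is retransmitted."""
    def __init__(self):
        self.half_open, self.established = {}, {}

    def on_syn(self, flow, syn):
        self.half_open[flow] = (syn.seq, 0x5EED, syn.mss)   # constructed server ISN
        return Seg("SYN-ACK", seq=0x5EED, ack=syn.seq + 1)

    def on_ack(self, flow, ack):
        entry = self.half_open.get(flow)
        if entry is None or ack.ack != entry[1] + 1:
            return None
        self.established[flow] = entry[2]
        del self.half_open[flow]
        return Seg("DATA", seq=ack.ack, ack=ack.seq)

    def on_rto(self):
        return [(flow, Seg("SYN-ACK", seq=s_isn, ack=c_isn + 1))
                for flow, (c_isn, s_isn, _) in self.half_open.items()]


def run_handshake(server, drop_third_packet):
    """Returns (client state, server has a connection, client ever got the greeting)."""
    syn = Seg("SYN", seq=1000)
    synack = server.on_syn(FLOW, syn)
    ack = Seg("ACK", seq=syn.seq + 1, ack=synack.seq + 1)
    client_state = "ESTABLISHED"             # the client moves on as soon as it sends the ACK
    greeting = None if drop_third_packet else server.on_ack(FLOW, ack)
    if greeting is None:
        # The client idles in ESTABLISHED waiting for the server to speak first;
        # only a retransmitted SYN-ACK can prompt it to send the ACK again.
        for flow, resent in server.on_rto():
            greeting = server.on_ack(flow, Seg("ACK", seq=ack.seq, ack=resent.seq + 1))
    return client_state, FLOW in server.established, greeting is not None
```

With the ACK dropped, `run_handshake(StatefulServer(), True)` recovers because the retransmitted SYN-ACK makes the client re-ACK, while `run_handshake(CookieServer(), True)` leaves the client ESTABLISHED and the server with no connection and no timer, which is the hang described in the message. A client that speaks first would not be stuck in this toy, since its data segment carries an ACK the cookie server can validate; the problem is specific to protocols where the server talks first.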