Re: Trimming TCP options

To: Mihai Chelaru <mihai.chelaru%NGNetworks.ro@localhost>
Subject: Re: Trimming TCP options
From: Chuck Swiger <cswiger%mac.com@localhost>
Date: Mon, 03 Jan 2011 14:04:19 -0800

Hi, Mihai--

I'd meant to reply to this earlier, but holiday travel interfered.  :-)

On Dec 30, 2010, at 7:06 AM, Mihai Chelaru wrote:
> On 12/30/10 00:45, Greg Troxel wrote:
>> Could you explain
>>  how long you've been running this
> 
> This is my workstation, up since yesterday with normal tasks - browsing,
> mail, radio, torrents, ssh/telnet/rdp client etc.

It's important to note that (most?) TCP stacks will resend SYN packets with 
fewer TCP options set if the initial SYN request doesn't get answered in some 
fashion.  To validate that your changes are working as expected, you should 
tcpdump filtering for SYN packets and watch out for duplicate SYNs being sent.

>>  how other implementations behave?  (Specifically, does this make us
>>  like the rest, or different?)
> 
> Bytes requested by each option:
> 
>           SACKP WScale Timestamps Use_EOL
> 
> NetBSD      4      4        12      N
> FreeBSD*    2-3    3-4    10-13     Y     
> Linux-2627  2      4        10      Y  
> Win2003     4      4        12      N(?)
> Cisco IOS   4      4        10      Y
> WinXP       4      4        12      N(?)
> Win7        4      4        ?       N(?)
> Required    2      3        10**    Y
> 
> * - FreeBSD starts/ends SACKPERM at 2 bytes boundary
>            ends WScale at 4 bytes boundary
>            ends TS at 4 bytes boundary
>            starts/ends MSS at 4 bytes boundary
> ** - 12 for non-SYN segments

Hmm, I find it more useful to describe TCP options by strings representing the 
options in the sequence they appear, which is the mechanism various OS 
fingerprinting tools like NMAP, p0f, etc use.

NetBSD: MNWSNNNT

Cisco IOS (11, 12): M
Cisco VPN concentrators: MNNS
FreeBSD (4.x & early 5.x): MNWNNT
FreeBSD (5.3+, 6.x): MNWNNTNNS
FreeBSD (7.x+): MNWST
Linux: MSTNW (although MTWSN and others can appear)
MacOS X: MNWNNTS (10.3 or older uses MNWNNT, similar to FreeBSD 4.x)
NMAP probes: WNMT
OpenBSD: MNNSNWNNT (HP/UX 11.x also uses this)
Solaris: NNTNWM
Win 98/ME: MNNS
Win 2000/XP SP2 or older: MNWNNS
Win 2000 (Server variants)/2003/XP (SP3): MNWNNTNNS

There can be a lot of variation depending on whether SACK, TCP timestamps, RFC 
1323 extensions, etc are enabled.  However, it was widely common to use "NNT" 
to ensure that the timestamp would be 32-bit aligned; and somewhat common to 
use "NNS" for similar reasons (although it shouldn't be required, as you've 
noted).

The approach you're using of compressing the options as best you can, and then 
adding TCPOPT_EOL(s) at the end to maintain the 32-bit alignment looks good.

Regards,
-- 
-Chuck

Follow-Ups:
- Re: Trimming TCP options
  - From: Mihai Chelaru

References:
- Trimming TCP options
  - From: Mihai Chelaru
- Re: Trimming TCP options
  - From: Greg Troxel
- Re: Trimming TCP options
  - From: Mihai Chelaru

Prev by Date: Re: Trimming TCP options
Next by Date: Re: Trimming TCP options
Previous by Thread: Re: Trimming TCP options
Next by Thread: Re: Trimming TCP options
Indexes:

Home | Main Index | Thread Index | Old Index