tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: TCP SYN Cookies for NetBSD

On 11/5/2012 6:03 PM, Mouse wrote:
[...SYN cookies...]

Don't they break TCP's retransmission semantics?  Certainly SYN cookies
as I understand them do.  If the third packet of the three-way
handshake (the pure ACK) is lost, neither end is going to retransmit
ever, the active host because it thinks it has an established
connection and the passive host because it has - this is the whole
point of SYN cookies - no state to retransmit based on.

Thus, we have a half-open connection.  If the active peer sends data
without expecting anything from the passive peer first, I'd expect an
RST.  If the other way around, the connection is permanently wedged.

I don't consider either consequence acceptable.

It's not obvious to me from the patches - are these SYN cookies
something else?

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
  X  Against HTML     
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

Yes, that situation is possible. However I wouldn't go as far as to say a connection is "permanently" wedged as eventually the client or the server will attempt to transmit data, a keepalive if the connection was never intended to transmit data, or the connection will time out due to inactivity. If an RST is generated the peer will do the right thing and clean up the connection.

This is obviously not ideal, but as a method to avoid syn cache exhaustion (or to avoid creating a syn cache at all) I believe it is acceptable. I also believe leaving syn cookies as an option (compile time, sysctl, etc) for the user will give reasonable flexibility for people who don't like this tradeoff.


Home | Main Index | Thread Index | Old Index