Re: TCP SYN Cookies for NetBSD

To: tech-net%netbsd.org@localhost
Subject: Re: TCP SYN Cookies for NetBSD
From: Alan Barrett <apb%cequrux.com@localhost>
Date: Tue, 6 Nov 2012 09:24:18 +0200

On Mon, 05 Nov 2012, Paul Goyette wrote:

While at the MeetBSD California un-conference over the weekend,I was approached by the originator of [1]. Looking throughthe archives, I don't see any replies or discussion, so Iwas wondering (along with John) if there's any merit to thesuggested code/patches? Has anyone with TCP expertise reviewedthem at all?

Are these SYN cookies to be used all the time without a SYN cache,or will there also be a finite sized SYN cache to allow the hostto avoid violating the TCP protocol (as long as the cache is notfull)?

If they are to be used all the time without a SYN cache, then Iagree with Mouse that they may cause too much harm. If there isalso a SYN cache and the harmful side-effects of SYN cookies ariseonly when the SYN cache is full, then I think that is acceptable.Exhaustion of a properly-sized SYN cache should be so rare as tooccur only when the host is under attack (or something that lookslike an attack), and under such circumstances it's acceptablefor the host's self-defence measures to inconvenience legitimateclients.


--apb (Alan Barrett)

Follow-Ups:
- Re: TCP SYN Cookies for NetBSD
  - From: je

References:
- TCP SYN Cookies for NetBSD
  - From: Paul Goyette

Prev by Date: Re: TCP SYN Cookies for NetBSD
Next by Date: Re: TCP SYN Cookies for NetBSD
Previous by Thread: Re: TCP SYN Cookies for NetBSD
Next by Thread: Re: TCP SYN Cookies for NetBSD
Indexes:

Home | Main Index | Thread Index | Old Index