tech-net archive


Re: TCP SYN Cookies for NetBSD

> If you have N% packet loss (for reasonable values of N), and if the
> losses are evenly distributed per packet, then SYN cookies amplify
> the problem from "N% of packets get lost but retransmission causes
> most TCP connections to work anyway" to "N% of TCP connections get
> into this stuck state".

True...but only if they are always used.  If, as kre outlined, SYN
cookies are used only when the TCP is under attack heavy enough to
overload the SYN cache, it's "N% of TCP connections when under attack".
(And don't forget that N will in general be peer-dependent.)

Since the alternatives seem to be crashing outright or dropping
connection attempts on the floor, I don't think this is all that bad a
failure mode.  The wedged connections are a serious downside, but I
think they're a less bad downside than the available alternatives.

At least, assuming the SYN cache is blown out because it's under
attack.  If it's under real overload, SYN cookies don't help and will
probably hurt (because, in addition to the connections dropped for lack
of resources, there's that N% that will get stuck half-open.)

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML      
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
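An added illustration of the amplification argument in the quoted paragraph and the reply above: a small loss model of the handshake comparing a stateless SYN-cookie server with a SYN cache that retransmits its SYN-ACK. This is constructed example code, not anything from the thread or from NetBSD; the retransmission budgets and the server-speaks-first assumption (so a client whose final ACK is lost sends nothing further) are assumptions of the model.

```python
import random

# Constructed model (not NetBSD code). Loss is independent per packet with
# probability p. The application is assumed to be server-speaks-first, so a
# client whose final ACK is lost sends nothing that could let the server
# recover and simply waits: the "stuck" state discussed in the thread.
CLIENT_SYN_RETRANS = 3      # assumed client SYN retransmission budget
SERVER_SYNACK_RETRANS = 3   # assumed SYN-ACK retransmission budget (SYN cache)


def handshake(p, rng, syn_cookies):
    """Simulate one connection attempt; returns 'ok', 'stuck' or 'timeout'."""
    # Phase 1: SYN and SYN-ACK must both arrive within the client's retry budget.
    for _ in range(CLIENT_SYN_RETRANS + 1):
        if rng.random() >= p and rng.random() >= p:
            break
    else:
        return "timeout"  # client gives up in SYN_SENT; nothing is left half-open
    # Phase 2: the client's ACK. The client is now ESTABLISHED either way.
    if rng.random() >= p:
        return "ok"
    if syn_cookies:
        return "stuck"  # server kept no state; a lost ACK can never be repaired
    # SYN cache: the server still holds the entry and retransmits its SYN-ACK,
    # which the already-ESTABLISHED client answers with a fresh ACK.
    for _ in range(SERVER_SYNACK_RETRANS):
        if rng.random() >= p and rng.random() >= p:
            return "ok"
    return "stuck"  # cache entry expired; client still believes it is connected


def simulate_stuck_fraction(p, syn_cookies, trials=20000, seed=1):
    """Monte Carlo estimate of the fraction of attempts that end up stuck."""
    rng = random.Random(seed)
    stuck = sum(handshake(p, rng, syn_cookies) == "stuck" for _ in range(trials))
    return stuck / trials


def stuck_probability(p, syn_cookies):
    """Closed form of the same model, for checking the simulation."""
    round_fails = 1 - (1 - p) ** 2   # one of the two packets in a round is lost
    phase1_ok = 1 - round_fails ** (CLIENT_SYN_RETRANS + 1)
    if syn_cookies:
        return phase1_ok * p
    return phase1_ok * p * round_fails ** SERVER_SYNACK_RETRANS


if __name__ == "__main__":
    for p in (0.01, 0.05, 0.10):
        print(f"loss {p:.0%}: cookies stuck {stuck_probability(p, True):.4f}, "
              f"syncache stuck {stuck_probability(p, False):.6f}")
```

With 10% loss the cookie server leaves roughly 10% of attempts stuck, while the retransmitting SYN cache leaves well under 0.1% stuck, which is the "N% of connections" effect the thread describes.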
