authorandre <andre@FreeBSD.org>2006-09-13 13:08:27 +0000
committerandre <andre@FreeBSD.org>2006-09-13 13:08:27 +0000
commitb859d7a1c9ea4adb6c2eb9bf94994302511929e7 (patch)
treef82f3926dbc563ff12179a5ece6f4860923acd65 /sys/netinet/tcp_reass.c
parent33d6440a5a026fdcc6f181482dbfbff75c64edb2 (diff)
Rewrite of TCP syncookies to remove locking requirements and to enhance
functionality: - Remove a rwlock acquisition/release per generated syncookie. Locking is now integrated with the bucket row locking of syncache itself and syncookies no longer add any additional lock overhead. - Syncookie secrets are different for and stored per syncache bucket row. Secrets expire after 16 seconds and are reseeded on-demand. - The computational overhead for syncookie generation and verification is one MD5 hash computation as before. - Syncache can be turned off and run with syncookies only by setting the sysctl net.inet.tcp.syncookies_only=1. This implementation extends the original idea and first implementation of FreeBSD by using not only the initial sequence number field to store information but also the timestamp field if present. This way we can keep track of the entire state we need to know to recreate the session in its original form. Almost all TCP speakers implement RFC1323 timestamps these days. For those that do not we still have to live with the known shortcomings of the ISN only SYN cookies. The use of the timestamp field causes the timestamps to be randomized if syncookies are enabled. The idea of SYN cookies is to encode and include all necessary information about the connection setup state within the SYN-ACK we send back and thus to get along without keeping any local state until the ACK to the SYN-ACK arrives (if ever). Everything we need to know should be available from the information we encoded in the SYN-ACK. A detailed description of the inner working of the syncookies mechanism is included in the comments in tcp_syncache.c. Reviewed by: silby (slightly earlier version) Sponsored by: TCP/IP Optimization Fundraise 2005
Diffstat (limited to 'sys/netinet/tcp_reass.c')
-rw-r--r--sys/netinet/tcp_reass.c22
1 files changed, 16 insertions, 6 deletions
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index 18b20e7..2d0e8ca 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -837,7 +837,13 @@ findpcb:
*/
if ((thflags & (TH_RST|TH_ACK|TH_SYN)) != TH_SYN) {
if ((thflags & (TH_RST|TH_ACK|TH_SYN)) == TH_ACK) {
- if (!syncache_expand(&inc, th, &so, m)) {
+ /*
+ * Parse the TCP options here because
+ * syncookies need access to the reflected
+ * timestamp.
+ */
+ tcp_dooptions(&to, optp, optlen, 0);
+ if (!syncache_expand(&inc, &to, th, &so, m)) {
/*
* No syncache entry, or ACK was not
* for our SYN/ACK. Send a RST.
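Review bot: The comment above the new `tcp_dooptions(&to, optp, optlen, 0)` call explains why options are parsed early, but not that they come from an ACK which has not yet been matched to any SYN/ACK this host sent. Everything in `to` is therefore still unauthenticated peer input when `syncache_expand()` receives it. I would extend the comment with something like `The segment is not validated yet; syncache_expand() must check TOF_TS before using to_tsecr.` and say what the literal `0` final argument selects. Whether `syncache_expand()` actually performs that check cannot be seen from this file's diff. The enclosing function starts and ends outside the hunk.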
@@ -1106,11 +1112,15 @@ after_listen:
/*
* If echoed timestamp is later than the current time,
- * fall back to non RFC1323 RTT calculation.
- */
- if ((to.to_flags & TOF_TS) && (to.to_tsecr != 0) &&
- TSTMP_GT(to.to_tsecr, ticks))
- to.to_tsecr = 0;
+ * fall back to non RFC1323 RTT calculation. Normalize
+ * timestamp if syncookies were used when this connection
+ * was established.
+ */
+ if ((to.to_flags & TOF_TS) && (to.to_tsecr != 0)) {
+ to.to_tsecr =- tp->ts_offset;
+ if (TSTMP_GT(to.to_tsecr, ticks))
+ to.to_tsecr = 0;
+ }
/*
* Process options only when we get SYN/ACK back. The SYN case
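Review bot: `to.to_tsecr =- tp->ts_offset;` parses as `to.to_tsecr = -tp->ts_offset;`, so the echoed timestamp is overwritten with the negated offset instead of having the offset subtracted from it. The line should read `to.to_tsecr -= tp->ts_offset;`. As written, a connection whose `ts_offset` is zero gets `to_tsecr` forced to 0, which appears to push every segment onto the non-RFC1323 RTT path. With a non-zero offset, the value compared against `ticks` no longer depends on what the peer echoed. The comment above promises normalization, so this looks like a transposed operator rather than intent. The hunk's trailing context and the enclosing function continue beyond what is shown here.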