| field | value | date |
|---|---|---|
| author | silby <silby@FreeBSD.org> | 2001-07-08 02:20:47 +0000 |
| committer | silby <silby@FreeBSD.org> | 2001-07-08 02:20:47 +0000 |
| commit | 2be73222cb19a5095c4726a24bf5b1a64fbc420f (patch) | |
| tree | fef63dda5be2e0301de334e984f17a9b61cf3d84 /sys/netinet/tcp_seq.h | |
| parent | 6027a078967acc487d07764badb87d2df9e6a48a (diff) | |
| download | FreeBSD-src-2be73222cb19a5095c4726a24bf5b1a64fbc420f.zip FreeBSD-src-2be73222cb19a5095c4726a24bf5b1a64fbc420f.tar.gz | |
Temporary feature: Runtime tuneable tcp initial sequence number
generation scheme. Users may now select between the currently used
OpenBSD algorithm and the older random positive increment method.
While the OpenBSD algorithm is more secure, it also breaks TIME_WAIT
handling; this is causing trouble for an increasing number of folks.
To switch between generation schemes, one sets the sysctl
net.inet.tcp.tcp_seq_genscheme. 0 = random positive increments,
1 = the OpenBSD algorithm. 1 is still the default.
Once a secure _and_ compatible algorithm is implemented, this sysctl
will be removed.
Reviewed by: jlemon
Tested by: numerous subscribers of -net
Diffstat (limited to 'sys/netinet/tcp_seq.h')
-rw-r--r-- | sys/netinet/tcp_seq.h | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/sys/netinet/tcp_seq.h b/sys/netinet/tcp_seq.h index 9d4adc8..9307347 100644 --- a/sys/netinet/tcp_seq.h +++ b/sys/netinet/tcp_seq.h @@ -81,6 +81,24 @@ #ifdef _KERNEL extern tcp_cc tcp_ccgen; /* global connection count */ +/* + * Increment for tcp_iss each second. + * This is designed to increment at the standard 250 KB/s, + * but with a random component averaging 128 KB. + * We also increment tcp_iss by a quarter of this amount + * each time we use the value for a new connection. + * If defined, the tcp_random18() macro should produce a + * number in the range [0-0x3ffff] that is hard to predict. + * + * The variable tcp_iss and tcp_random18() are only used + * by sequence number generation scheme 0. + */ +#ifndef tcp_random18 +#define tcp_random18() (arc4random() & 0x3ffff) +#endif +#define TCP_ISSINCR (122*1024 + tcp_random18()) + +extern tcp_seq tcp_iss; #else #define TCP_ISSINCR (250*1024) /* increment for tcp_iss each second */ #endif /* _KERNEL */ |
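Review bot: the new comment block says tcp_iss and tcp_random18() are "only used by sequence number generation scheme 0", but nothing in the hunk says where that scheme is selected; since the commit message introduces the sysctl net.inet.tcp.tcp_seq_genscheme (0 = random positive increments, 1 = OpenBSD algorithm, default 1), the comment should name it, e.g. `* by sequence number generation scheme 0 (net.inet.tcp.tcp_seq_genscheme == 0).`, so a reader of tcp_seq.h can find the switch and its default. Two smaller points on the same lines: TCP_ISSINCR in the _KERNEL branch is not a constant, every expansion calls arc4random(), so a caller that expands it once for the per-second step and again for the "quarter of this amount" per-connection step draws two independent random values, which is fine but deserves a one-line note next to the `#define TCP_ISSINCR`; and the `#ifndef tcp_random18` guard lets another header substitute the random source, so the comment should state that any replacement must still return a hard-to-predict value in [0, 0x3ffff], otherwise the "250 KB/s ... averaging 128 KB" figure stated above the macro no longer describes what `122*1024 + tcp_random18()` produces. Finally, the commit message concedes scheme 0 is less secure than the OpenBSD algorithm; that trade-off belongs in this comment too, since the header is where someone deciding to leave scheme 0 enabled will look.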