Temporary feature: Runtime tuneable tcp initial sequence number

generation scheme.  Users may now select between the currently used
OpenBSD algorithm and the older random positive increment method.

While the OpenBSD algorithm is more secure, it also breaks TIME_WAIT
handling; this is causing trouble for an increasing number of folks.

To switch between generation schemes, one sets the sysctl
net.inet.tcp.tcp_seq_genscheme.  0 = random positive increments,
1 = the OpenBSD algorithm.  1 is still the default.

Once a secure _and_ compatible algorithm is implemented, this sysctl
will be removed.

Reviewed by: jlemon
Tested by: numerous subscribers of -net

1 files changed, 25 insertions, 0 deletions

diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 221e541..b126cbd 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -139,6 +139,10 @@ static int	icmp_may_rst = 1;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_may_rst, CTLFLAG_RW, &icmp_may_rst, 0, 
     "Certain ICMP unreachable messages may abort connections in SYN_SENT");
 
+static int	tcp_seq_genscheme = 1;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, tcp_seq_genscheme, CTLFLAG_RW,
+    &tcp_seq_genscheme, 0, "TCP ISN generation scheme");
+
 static void	tcp_cleartaocache __P((void));
 static void	tcp_notify __P((struct inpcb *, int));
 
@@ -182,6 +186,7 @@ tcp_init()
 {
 	int hashsize = TCBHASHSIZE;
 	
+	tcp_iss = arc4random();	/* wrong, but better than a constant */
 	tcp_ccgen = 1;
 	tcp_cleartaocache();
 
@@ -1107,6 +1112,26 @@ tcp6_ctlinput(cmd, sa, d)
 }
 #endif /* INET6 */
 
+tcp_seq
+tcp_new_isn()
+{
+	if ((tcp_seq_genscheme > 1) || (tcp_seq_genscheme < 0))
+		tcp_seq_genscheme = 1;
+
+	switch (tcp_seq_genscheme) {
+		case 0:	/*
+			 * Random positive increments
+			 */
+			tcp_iss += TCP_ISSINCR/2;
+			return tcp_iss;
+		case 1:	/*
+			 * OpemBSD randomized scheme
+			 */
+			return tcp_rndiss_next();
+	}
+
+}
+
 #define TCP_RNDISS_ROUNDS	16
 #define TCP_RNDISS_OUT	7200
 #define TCP_RNDISS_MAX	30000