| field | value | date |
|---|---|---|
| author | andre <andre@FreeBSD.org> | 2006-09-13 13:08:27 +0000 |
| committer | andre <andre@FreeBSD.org> | 2006-09-13 13:08:27 +0000 |
| commit | b859d7a1c9ea4adb6c2eb9bf94994302511929e7 | |
| tree | f82f3926dbc563ff12179a5ece6f4860923acd65 /sys/netinet/tcp_var.h | |
| parent | 33d6440a5a026fdcc6f181482dbfbff75c64edb2 | |
Rewrite of TCP syncookies to remove locking requirements and to enhance
functionality:

- Remove a rwlock acquisition/release per generated syncookie. Locking
  is now integrated with the bucket row locking of syncache itself and
  syncookies no longer add any additional lock overhead.
- Syncookie secrets are different for and stored per syncache bucket row.
  Secrets expire after 16 seconds and are reseeded on-demand.
- The computational overhead for syncookie generation and verification
  is one MD5 hash computation as before.
- Syncache can be turned off and run with syncookies only by setting the
  sysctl net.inet.tcp.syncookies_only=1.

This implementation extends the original idea and first implementation
of FreeBSD by using not only the initial sequence number field to store
information but also the timestamp field if present. This way we can
keep track of the entire state we need to know to recreate the session in
its original form. Almost all TCP speakers implement RFC1323 timestamps
these days. For those that do not we still have to live with the known
shortcomings of the ISN only SYN cookies. The use of the timestamp field
causes the timestamps to be randomized if syncookies are enabled.

The idea of SYN cookies is to encode and include all necessary information
about the connection setup state within the SYN-ACK we send back and thus
to get along without keeping any local state until the ACK to the SYN-ACK
arrives (if ever). Everything we need to know should be available from
the information we encoded in the SYN-ACK.

A detailed description of the inner working of the syncookies mechanism
is included in the comments in tcp_syncache.c.

Reviewed by: silby (slightly earlier version)
Sponsored by: TCP/IP Optimization Fundraise 2005
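The following is an added illustration of the scheme the commit message describes, written for this page and not FreeBSD's code (the real field layout is documented in tcp_syncache.c, which is not shown here): the SYN-ACK's ISN carries a 24-bit MD5 tag plus an MSS index, the timestamp carries the window scale and SACK flag over a randomized clock, secrets live per syncache bucket and expire after 16 seconds, and verification costs one MD5. The MSS table, the bit layout and the grace period that keeps one previous secret so a cookie issued just before a reseed still verifies are all assumptions of this example.

```python
import hashlib
import os
import struct

SECRET_LIFETIME = 16                # seconds, per the commit message
MSS_TABLE = (216, 536, 1460, 8960)  # constructed: ISN low bits hold an index into this
MASK32 = 0xFFFFFFFF


class SyncacheBucket:
    """Per-bucket secret reseeded on demand; the previous secret is kept so a
    cookie issued just before a reseed still verifies (assumption)."""

    def __init__(self):
        self.secrets = []  # [(seeded_at, secret)], newest first

    def current(self, now):
        if not self.secrets or now - self.secrets[0][0] >= SECRET_LIFETIME:
            self.secrets = [(now, os.urandom(16))] + self.secrets[:1]
        return self.secrets[0][1]

    def candidates(self, now):
        self.current(now)
        return [s for t, s in self.secrets if now - t < 2 * SECRET_LIFETIME]


def _mac24(secret, flow, client_isn, ts_val, mss_idx):
    """24-bit MD5 tag over the secret, the 4-tuple and every cookie field."""
    data = secret + struct.pack("!IIHHIIB", *flow, client_isn, ts_val, mss_idx)
    return int.from_bytes(hashlib.md5(data).digest()[:3], "big")


def make_cookie(bucket, flow, client_isn, mss, wscale, sack_ok, now):
    """Return (isn, ts_val) for the SYN-ACK: the ISN carries MAC + MSS index,
    the timestamp carries window scale + SACK flag over a randomized clock."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    secret = bucket.current(now)
    clock = (int(now) + int.from_bytes(secret[:4], "big")) & 0xFFFFFF  # randomized
    ts_val = (clock << 8) | ((wscale & 0xF) << 1) | (1 if sack_ok else 0)
    isn = (_mac24(secret, flow, client_isn, ts_val, mss_idx) << 8) | mss_idx
    return isn, ts_val


def verify_cookie(bucket, flow, seq, ack, ts_ecr, now):
    """Recreate session state from the ACK's seq/ack/TSecr, or None if forged or stale."""
    isn, client_isn = (ack - 1) & MASK32, (seq - 1) & MASK32
    mss_idx = isn & 0xFF
    if mss_idx >= len(MSS_TABLE):
        return None
    for secret in bucket.candidates(now):
        if _mac24(secret, flow, client_isn, ts_ecr, mss_idx) == isn >> 8:
            return {"mss": MSS_TABLE[mss_idx], "wscale": (ts_ecr >> 1) & 0xF,
                    "sack": bool(ts_ecr & 1)}
    return None
```

A tampered TSecr or ack number fails the tag check, and a cookie older than the previous-secret grace period is rejected rather than recreating stale state.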
Diffstat (limited to 'sys/netinet/tcp_var.h')

-rw-r--r--  sys/netinet/tcp_var.h | 9

1 files changed, 5 insertions, 4 deletions
diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h index 7658485..35c2533 100644 --- a/sys/netinet/tcp_var.h +++ b/sys/netinet/tcp_var.h @@ -175,9 +175,10 @@ struct tcpcb { u_char rcv_scale; /* window scaling for recv window */ u_char request_r_scale; /* pending window scaling */ u_char requested_s_scale; /* unused, to be reused later */ - u_long ts_recent; /* timestamp echo data */ - + u_int32_t ts_recent; /* timestamp echo data */ u_long ts_recent_age; /* when last updated */ + u_int32_t ts_offset; /* our timestamp offset */ + tcp_seq last_ack_sent; /* experimental */ u_long snd_cwnd_prev; /* cwnd prior to retransmit */ @@ -537,8 +538,8 @@ void tcp_trace(int, int, struct tcpcb *, void *, struct tcphdr *, int); void tcp_xmit_bandwidth_limit(struct tcpcb *tp, tcp_seq ack_seq); void syncache_init(void); void syncache_unreach(struct in_conninfo *, struct tcphdr *); -int syncache_expand(struct in_conninfo *, struct tcphdr *, - struct socket **, struct mbuf *); +int syncache_expand(struct in_conninfo *, struct tcpopt *, + struct tcphdr *, struct socket **, struct mbuf *); int syncache_add(struct in_conninfo *, struct tcpopt *, struct tcphdr *, struct inpcb *, struct socket **, struct mbuf *); void syncache_chkrst(struct in_conninfo *, struct tcphdr *); |
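Review bot: in the struct tcpcb hunk, narrowing ts_recent from u_long to u_int32_t changes the size and layout of struct tcpcb on 64-bit platforms, so the commit message should call out that userland consumers that read the kernel struct via libkvm (netstat) need to be rebuilt; the new field's comment "/* our timestamp offset */" should also say which clock it offsets and that it is the per-connection randomization the message describes, since the neighbouring ts_recent ("timestamp echo data") and ts_recent_age ("when last updated") are compared against that same clock and a reader of the header cannot tell from the comment where the offset has to be applied.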
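Review bot: in the prototype hunk, syncache_expand gains a struct tcpopt * in second position, which matches the argument order of syncache_add directly below it, but every existing caller now fails to compile until it passes the parsed options, and the diffstat is limited to tcp_var.h so the caller update is not visible here; because this pointer is how the ACK's timestamp option reaches cookie verification, the prototype or a comment should state that the options must be parsed before the call and that an ACK without a timestamp option takes the ISN-only fallback the commit message mentions rather than being rejected.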