[net-next,0/5] tcp: Introduce a TFO key-pool for clean cookie-rotation

Message ID 20181214224007.54813-1-cpaasch@apple.com

Message

Christoph Paasch Dec. 14, 2018, 10:40 p.m. UTC
Currently, TFO only allows a single TFO-secret. This means that whenever
the secret gets changed for key-rotation purposes, all the previously
issued TFO-cookies become invalid. This means that clients will fall back
to "regular" TCP, incurring a cost of one additional round-trip.

This patchset introduces a TFO key-pool that allows the key to be changed
more gracefully. The size of the pool is 2 (this could be changed in the
future through a sysctl if needed). When a client connects with an "old"
TFO cookie, the server will now accept the data in the SYN and at the
same time announce a new TFO-cookie to the client.

We have seen a significant reduction of LINUX_MIB_TCPFASTOPENPASSIVEFAIL
thanks to these patches. Invalid cookies are now solely observed when
clients behind a NAT are getting a new public IP.


Christoph Paasch (5):
  tcp: Create list of TFO-contexts
  tcp: TFO: search for correct cookie and accept data
  tcp: Print list of TFO-keys from proc
  tcp: Allow getsockopt of listener's keypool
  tcp: TFO - cleanup code duplication

 include/net/tcp.h          |   2 +
 include/uapi/linux/snmp.h  |   1 +
 net/ipv4/proc.c            |   1 +
 net/ipv4/sysctl_net_ipv4.c |  41 +++++++---
 net/ipv4/tcp.c             |  15 ++--
 net/ipv4/tcp_fastopen.c    | 192 +++++++++++++++++++++++++++++++++++----------
 6 files changed, 193 insertions(+), 59 deletions(-)
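The behaviour the cover letter describes (a pool of two keys, the previous key kept valid across one rotation, and a fresh cookie handed out when a client shows up with a cookie from the old key) is modelled below in a user-space C program. This is an added illustration, not code from the patch series or from the kernel: the `tfo_ctx`, `tfo_rotate_key`, `tfo_cookie_find_key` and `tfo_syn_handle` names are invented for the example, the FNV-based keyed hash is a toy stand-in for whatever cipher a real implementation uses to derive a cookie from the client address, and the keys and client address are constructed sample data.

```c
/* Added example (not the patch's code): a user-space model of the two-key
 * TFO cookie pool described in the cover letter. The keyed hash is a toy
 * stand-in for the real cookie cipher; the pool logic is the point.
 * All names below are invented for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TFO_KEY_POOL 2   /* pool size from the cover letter: current + previous */
#define TFO_KEY_LEN  16
#define COOKIE_LEN   8

struct tfo_ctx {
    uint8_t keys[TFO_KEY_POOL][TFO_KEY_LEN]; /* keys[0] is the current key */
    int nkeys;                               /* how many slots hold a key */
};

/* Toy keyed PRF: FNV-1a over key || client address. NOT a secure MAC; it
 * only models "cookie = F(key, client address)" for the pool logic below. */
static void tfo_cookie_compute(const uint8_t key[TFO_KEY_LEN],
                               const uint8_t *addr, size_t alen,
                               uint8_t out[COOKIE_LEN])
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < TFO_KEY_LEN; i++) { h ^= key[i];  h *= 0x100000001b3ULL; }
    for (size_t i = 0; i < alen; i++)        { h ^= addr[i]; h *= 0x100000001b3ULL; }
    for (int i = 0; i < COOKIE_LEN; i++)     out[i] = (uint8_t)(h >> (8 * i));
}

/* Install a new current key; the old current key moves to the backup slot,
 * so cookies issued under it stay valid for one more rotation. */
void tfo_rotate_key(struct tfo_ctx *ctx, const uint8_t newkey[TFO_KEY_LEN])
{
    if (ctx->nkeys > 0)
        memcpy(ctx->keys[1], ctx->keys[0], TFO_KEY_LEN);
    memcpy(ctx->keys[0], newkey, TFO_KEY_LEN);
    if (ctx->nkeys < TFO_KEY_POOL)
        ctx->nkeys++;
}

/* Search the pool; returns the index of the key that validates the cookie,
 * or -1 if none does. Each comparison is constant-time in the cookie bytes. */
int tfo_cookie_find_key(const struct tfo_ctx *ctx, const uint8_t *addr,
                        size_t alen, const uint8_t cookie[COOKIE_LEN])
{
    for (int i = 0; i < ctx->nkeys; i++) {
        uint8_t expect[COOKIE_LEN], diff = 0;
        tfo_cookie_compute(ctx->keys[i], addr, alen, expect);
        for (int j = 0; j < COOKIE_LEN; j++)
            diff |= expect[j] ^ cookie[j];
        if (diff == 0)
            return i;
    }
    return -1;
}

enum tfo_verdict {
    TFO_REJECT = 0,       /* unknown cookie: fall back to the 3-way handshake */
    TFO_ACCEPT = 1,       /* current key: accept SYN data, nothing to announce */
    TFO_ACCEPT_RENEW = 2  /* old key: accept SYN data AND announce a fresh cookie */
};

/* Server-side decision for a SYN carrying a cookie. For TFO_REJECT and
 * TFO_ACCEPT_RENEW a cookie under the current key is written to new_cookie. */
enum tfo_verdict tfo_syn_handle(const struct tfo_ctx *ctx, const uint8_t *addr,
                                size_t alen, const uint8_t cookie[COOKIE_LEN],
                                uint8_t new_cookie[COOKIE_LEN])
{
    int idx = tfo_cookie_find_key(ctx, addr, alen, cookie);
    if (idx == 0)
        return TFO_ACCEPT;
    tfo_cookie_compute(ctx->keys[0], addr, alen, new_cookie);
    return idx < 0 ? TFO_REJECT : TFO_ACCEPT_RENEW;
}

/* Walk one client through two rotations; returns how many of the three
 * stages behaved as the cover letter describes (3 when all is well). */
int tfo_keypool_demo(void)
{
    /* constructed sample data: three server keys and one IPv4 client */
    static const uint8_t key_a[TFO_KEY_LEN] = { 0xa1 };
    static const uint8_t key_b[TFO_KEY_LEN] = { 0xb2 };
    static const uint8_t key_c[TFO_KEY_LEN] = { 0xc3 };
    const uint8_t client[4] = { 192, 0, 2, 10 };
    struct tfo_ctx ctx = { .nkeys = 0 };
    uint8_t cookie[COOKIE_LEN], fresh[COOKIE_LEN];
    int ok = 0;

    tfo_rotate_key(&ctx, key_a);                        /* initial key */
    tfo_cookie_compute(ctx.keys[0], client, 4, cookie); /* cookie issued to client */
    if (tfo_syn_handle(&ctx, client, 4, cookie, fresh) == TFO_ACCEPT) ok++;

    tfo_rotate_key(&ctx, key_b);                        /* first rotation */
    /* old cookie is still accepted, and the client receives a key-B cookie */
    if (tfo_syn_handle(&ctx, client, 4, cookie, fresh) == TFO_ACCEPT_RENEW &&
        tfo_cookie_find_key(&ctx, client, 4, fresh) == 0) ok++;

    tfo_rotate_key(&ctx, key_c);                        /* second rotation: key A is gone */
    if (tfo_syn_handle(&ctx, client, 4, cookie, fresh) == TFO_REJECT) ok++;
    return ok;
}

int main(void)
{
    printf("key-pool stages behaving as described: %d of 3\n", tfo_keypool_demo());
    return 0;
}
```

The operational point this makes visible is the one the cover letter measures with LINUX_MIB_TCPFASTOPENPASSIVEFAIL: with a single key, the first rotation would already land in the `TFO_REJECT` branch; with the pool, a client only loses its zero-RTT path if it skips an entire rotation interval (or, as the letter notes, if its source address changes behind a NAT, which changes the hash input rather than the key).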

Comments

David Miller Dec. 16, 2018, 8:19 p.m. UTC | #1
From: Christoph Paasch <cpaasch@apple.com>
Date: Fri, 14 Dec 2018 14:40:02 -0800

> Currently, TFO only allows a single TFO-secret. This means that whenever
> the secret gets changed for key-rotation purposes, all the previously
> issued TFO-cookies become invalid. This means that clients will fall back
> to "regular" TCP, incurring a cost of one additional round-trip.
> 
> This patchset introduces a TFO key-pool that allows the key to be changed
> more gracefully. The size of the pool is 2 (this could be changed in the
> future through a sysctl if needed). When a client connects with an "old"
> TFO cookie, the server will now accept the data in the SYN and at the
> same time announce a new TFO-cookie to the client.
> 
> We have seen a significant reduction of LINUX_MIB_TCPFASTOPENPASSIVEFAIL
> thanks to these patches. Invalid cookies are now solely observed when
> clients behind a NAT are getting a new public IP.

Yuchung and Eric, please review.
Eric Dumazet Dec. 17, 2018, 5:54 a.m. UTC | #2
On 12/16/2018 12:19 PM, David Miller wrote:
> From: Christoph Paasch <cpaasch@apple.com>
> Date: Fri, 14 Dec 2018 14:40:02 -0800
> 
>> Currently, TFO only allows a single TFO-secret. This means that whenever
>> the secret gets changed for key-rotation purposes, all the previously
>> issued TFO-cookies become invalid. This means that clients will fall back
>> to "regular" TCP, incurring a cost of one additional round-trip.
>>
>> This patchset introduces a TFO key-pool that allows the key to be changed
>> more gracefully. The size of the pool is 2 (this could be changed in the
>> future through a sysctl if needed). When a client connects with an "old"
>> TFO cookie, the server will now accept the data in the SYN and at the
>> same time announce a new TFO-cookie to the client.
>>
>> We have seen a significant reduction of LINUX_MIB_TCPFASTOPENPASSIVEFAIL
>> thanks to these patches. Invalid cookies are now solely observed when
>> clients behind a NAT are getting a new public IP.
> 
> Yuchung and Eric, please review.
> 

Thanks David, I will do now.