From patchwork Fri Dec 14 22:40:02 2018
From: Christoph Paasch
To: netdev@vger.kernel.org
Cc: Eric Dumazet, Yuchung Cheng, David Miller
Subject: [PATCH net-next 0/5] tcp: Introduce a TFO key-pool for clean cookie-rotation
Date: Fri, 14 Dec 2018 14:40:02 -0800
Message-id: <20181214224007.54813-1-cpaasch@apple.com>
X-Mailer: git-send-email 2.16.2
List-ID: <netdev.vger.kernel.org>

Currently, TFO only allows a single TFO-secret. This means that whenever
the secret gets changed for key-rotation purposes, all the previously
issued TFO-cookies become invalid. This means that clients will fall back
to "regular" TCP, incurring a cost of one additional round-trip.

This patchset introduces a TFO key-pool that allows the key to be changed
more gracefully. The size of the pool is 2 (this could be changed in the
future through a sysctl if needed). When a client connects with an "old"
TFO cookie, the server will now accept the data in the SYN and at the same
time announce a new TFO-cookie to the client.

We have seen a significant reduction of LINUX_MIB_TCPFASTOPENPASSIVEFAIL
thanks to these patches. Invalid cookies are now solely observed when
clients behind a NAT are getting a new public IP.

Christoph Paasch (5):
  tcp: Create list of TFO-contexts
  tcp: TFO: search for correct cookie and accept data
  tcp: Print list of TFO-keys from proc
  tcp: Allow getsockopt of listener's keypool
  tcp: TFO - cleanup code duplication

 include/net/tcp.h          |   2 +
 include/uapi/linux/snmp.h  |   1 +
 net/ipv4/proc.c            |   1 +
 net/ipv4/sysctl_net_ipv4.c |  41 +++++++---
 net/ipv4/tcp.c             |  15 ++--
 net/ipv4/tcp_fastopen.c    | 192 +++++++++++++++++++++++++++++++++++----------
 6 files changed, 193 insertions(+), 59 deletions(-)
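The key-pool behaviour the cover letter describes, as an added Python simulation that is not part of the patchset or of the kernel: a pool of two keys where a cookie minted under the older key is still accepted and answered with a fresh cookie, and only an unknown cookie forces the fallback counted by the passive-fail statistic. The class and method names, the HMAC-based cookie derivation and the `pool_size` parameter (added so a single-key pool can be compared) are assumptions for illustration, not the kernel's implementation.

```python
import hmac
import hashlib


class TfoKeyPool:
    """Simulated server-side TFO key pool (assumed names; not kernel code).

    keys[0] is the primary key used to issue new cookies; older keys stay
    in the pool so cookies minted under them remain accepted after rotation.
    """

    def __init__(self, primary_key: bytes, pool_size: int = 2):
        self.keys = [primary_key]
        self.pool_size = pool_size      # the patchset fixes this at 2
        self.passive_fail = 0           # stands in for LINUX_MIB_TCPFASTOPENPASSIVEFAIL

    @staticmethod
    def _cookie(key: bytes, client_ip: str) -> bytes:
        # Stand-in derivation: HMAC-SHA256 over the client address, truncated
        # to 8 bytes. The kernel's own cookie derivation is not reproduced.
        return hmac.new(key, client_ip.encode(), hashlib.sha256).digest()[:8]

    def rotate(self, new_key: bytes) -> None:
        """Make new_key primary; evict the oldest key once the pool is full."""
        self.keys.insert(0, new_key)
        del self.keys[self.pool_size:]

    def issue_cookie(self, client_ip: str) -> bytes:
        return self._cookie(self.keys[0], client_ip)

    def check_syn(self, client_ip: str, cookie: bytes):
        """Process a SYN that carries a TFO cookie.

        Returns (accept_syn_data, cookie_to_announce); cookie_to_announce is
        None when the client already holds a cookie under the primary key.
        """
        for idx, key in enumerate(self.keys):
            if hmac.compare_digest(self._cookie(key, client_ip), cookie):
                if idx == 0:
                    return True, None
                # Valid but minted under an old key: accept the data in the
                # SYN and announce a cookie under the current primary key.
                return True, self.issue_cookie(client_ip)
        # Unknown cookie: data in the SYN is not accepted, the connection
        # falls back to a regular handshake, and a fresh cookie is offered.
        self.passive_fail += 1
        return False, self.issue_cookie(client_ip)
```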