| Message ID | 20130816000523.GC11950@midget.suse.cz |
|---|---|
| State | RFC, archived |
| Delegated to: | David Miller |
| Headers | show |
Jiri Bohac <jbohac@suse.cz> wrote: > Rationale for the new values > - most packets are (1500 - headers); (1450 - headers) is not a huge waste and > prevents fallback to much lower values Still, 1410 seems weird. > - clients will rarely send MSS below 536, so that's a safe fallback Can you elaborate? You say 'is a safe fallback', yet it is removed in the patch? > - we need to keep the minimum (64) Why? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
First of all - I don't really care about the default values as long as they are tunable at run time. I'm fine with leaving the 8 valye MSS table as a default. On Fri, Aug 16, 2013 at 11:31:01PM +0200, Florian Westphal wrote: > Jiri Bohac <jbohac@suse.cz> wrote: > > Rationale for the new values > > - most packets are (1500 - headers); (1450 - headers) is not a huge waste and > > prevents fallback to much lower values > > Still, 1410 seems weird. I was thinking the path MTU would often be 1500 minus something for various tunnelling/encapsualtion along the path. The packets may have some options, so the 1450 was just a wild guess. If we have only 3 differrent MSS values, I feel it is better to waste 50 bytes on the "standard" 1500 MTU links instead of making packets with options and tunelled traffic fall back to something like 500. > > - clients will rarely send MSS below 536, so that's a safe fallback > > Can you elaborate? > You say 'is a safe fallback', yet it is removed in the patch? Yeah, sorry, I was writing the patch description before the patch itself; I noticed the 512 in the original table and thought it would be a good idea to keep this. > > - we need to keep the minimum (64) I don't know - I could imagine there is some embedded hardware that can't do fragmentation and advertises very low MSS instead, for example. I just felt removing this fallback could break things. I'm not sure.
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c index af0692f..0504bbe 100644 --- a/net/ipv4/syncookies.c +++ b/net/ipv4/syncookies.c @@ -148,15 +148,10 @@ static __u32 check_tcp_syn_cookie(__u32 cookie, __be32 saddr, __be32 daddr, int sysctl_tcp4_syncookies_mss[TCP_SYNCOOKIES_MSS_COUNT_MAX] = { 64, 512, - 536, - 1024, - 1440, - 1460, - 4312, - 8960, + 1450 - 40, /* update sysctl_tcp4_syncookies_mss_count accordingly */ }; -int sysctl_tcp4_syncookies_mss_count = 8; +int sysctl_tcp4_syncookies_mss_count = 3; /* * This value is the age (in seconds) of syncookies which will always be diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c index 4268448..ccdb880 100644 --- a/net/ipv6/syncookies.c +++ b/net/ipv6/syncookies.c @@ -28,15 +28,10 @@ int sysctl_tcp6_syncookies_mss[TCP_SYNCOOKIES_MSS_COUNT_MAX] = { 64, 512, - 536, - 1280 - 60, - 1480 - 60, - 1500 - 60, - 4460 - 60, - 9000 - 60, + 1450 - 60, /* update sysctl_tcp6_syncookies_mss_count accordingly */ }; -int sysctl_tcp6_syncookies_mss_count = 8; +int sysctl_tcp6_syncookies_mss_count = 3; /* * This value is the age (in seconds) of syncookies which will always be
Jakob Lell discovered that the sequence number that needs to be guessed to successfully spoof a TCP connection with syncookies only has 27 bits of entropy. Of the 32 bits, 3 are wasted by the 8 differrent RSS values. [1] This patch decreases the number of possible MSS values from 8 to 3, making the spoofing attack 8/3 times more difficult. Rationale for the new values - most packets are (1500 - headers); (1450 - headers) is not a huge waste and prevents fallback to much lower values - clients will rarely send MSS below 536, so that's a safe fallback - we need to keep the minimum (64) [1]: http://www.jakoblell.com/blog/2013/08/13/quick-blind-tcp-connection-spoofing-with-syn-cookies/ Signed-off-by: Jiri Bohac <jbohac@suse.cz> --- net/ipv4/syncookies.c | 9 ++------- net/ipv6/syncookies.c | 9 ++------- 2 files changed, 4 insertions(+), 14 deletions(-)