Andre Oppermann <andre_at_freebsd.org> wrote:

> We have had a SYN cookie implementation for quite some time now but it
> has some limitations with current realities for window scaling and
> SACK encoding in the few available bits.
>
> This patch updates and improves SYN cookies mainly by:
>
> a) encoding of MSS, WSCALE (window scaling) and SACK into the ISN
>    (initial sequence number) without the use of timestamp bits.
>
> b) switching to the very fast and cryptographically strong SipHash-2-4
>    hash MAC algorithm to protect the SYN cookie against forgery.
>
> The patch had been reviewed by dwmalone (cookies) and cperciva (siphash).
>
> Please find it here for testing:
>
> http://people.freebsd.org/~andre/syncookie-20130708.diff

I've been using the patch for a couple of days and didn't notice any issues so far. Privoxy's regression tests continue to work as expected as well.

BTW, I think kern/173309 could be closed.

Fabian
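The scheme described in the quoted announcement, as an added example that is not part of the original mail or of the FreeBSD patch: a 32-bit ISN carrying MSS, window-scale and SACK indices, protected by a truncated SipHash-2-4 MAC. The bit layout, `struct conn`, the function names and all sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND(v) do { \
    v[0] += v[1]; v[1] = ROTL(v[1], 13); v[1] ^= v[0]; v[0] = ROTL(v[0], 32); \
    v[2] += v[3]; v[3] = ROTL(v[3], 16); v[3] ^= v[2]; \
    v[0] += v[3]; v[3] = ROTL(v[3], 21); v[3] ^= v[0]; \
    v[2] += v[1]; v[1] = ROTL(v[1], 17); v[1] ^= v[2]; v[2] = ROTL(v[2], 32); \
} while (0)

/* SipHash-2-4 over n 64-bit words (a message of 8*n bytes, little-endian). */
uint64_t siphash24_words(const uint64_t k[2], const uint64_t *m, unsigned n) {
    uint64_t v[4] = { k[0] ^ 0x736f6d6570736575ULL, k[1] ^ 0x646f72616e646f6dULL,
                      k[0] ^ 0x6c7967656e657261ULL, k[1] ^ 0x7465646279746573ULL };
    uint64_t b = (uint64_t)(8 * n) << 56;  /* last block carries only the length */
    for (unsigned i = 0; i < n; i++) { v[3] ^= m[i]; SIPROUND(v); SIPROUND(v); v[0] ^= m[i]; }
    v[3] ^= b; SIPROUND(v); SIPROUND(v); v[0] ^= b;
    v[2] ^= 0xff;
    for (int i = 0; i < 4; i++) SIPROUND(v);
    return v[0] ^ v[1] ^ v[2] ^ v[3];
}

/* Hypothetical connection key: 4-tuple plus the client's initial sequence number. */
struct conn { uint32_t saddr, daddr; uint16_t sport, dport; uint32_t irs; };

/* Assumed ISN layout: bits 31..8 truncated MAC, 7..5 MSS index,
 * 4..2 window-scale index, bit 1 SACK permitted, bit 0 unused. */
static uint32_t cookie_mac(const uint64_t k[2], const struct conn *c, uint8_t opts) {
    uint64_t m[3] = { ((uint64_t)c->saddr << 32) | c->daddr,
        ((uint64_t)c->sport << 48) | ((uint64_t)c->dport << 32) | c->irs, opts };
    return (uint32_t)siphash24_words(k, m, 3) & 0xffffff00u;
}

uint32_t cookie_make(const uint64_t k[2], const struct conn *c, unsigned mss, unsigned ws, unsigned sack) {
    uint8_t opts = (uint8_t)((mss & 7) << 5 | (ws & 7) << 2 | (sack & 1) << 1);
    return cookie_mac(k, c, opts) | opts;   /* options ride in the low 8 bits */
}

/* Returns the options byte if the echoed ISN verifies, -1 if it was forged or altered. */
int cookie_check(const uint64_t k[2], const struct conn *c, uint32_t isn) {
    return (isn & 0xffffff00u) == cookie_mac(k, c, (uint8_t)isn) ? (int)(isn & 0xff) : -1;
}

int main(void) {
    const uint64_t key[2] = { 0x0706050403020100ULL, 0x0f0e0d0c0b0a0908ULL }; /* constructed */
    struct conn c = { 0xc0000201u, 0xc6336407u, 40000, 443, 0x12345678u };     /* constructed */
    uint32_t isn = cookie_make(key, &c, 5, 7, 1);
    printf("isn=%08x valid=%d tampered=%d\n", (unsigned)isn,
           cookie_check(key, &c, isn), cookie_check(key, &c, isn ^ 2));
}
```

Because the options byte is part of the MAC input, a client that flips the SACK or window-scale bits in the echoed sequence number fails verification instead of being granted options it never negotiated.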