Re: Improved SYN Cookies: Looking for testers

From: Fabian Keil <freebsd-listen_at_fabiankeil.de>
Date: Wed, 10 Jul 2013 15:18:22 +0200
Andre Oppermann <andre_at_freebsd.org> wrote:

> We have a SYN cookie implementation for quite some time now but it
> has some limitations with current realities for window scaling and
> SACK encoding the in the few available bits.
> 
> This patch updates and improves SYN cookies mainly by:
> 
>   a) encoding of MSS, WSCALE (window scaling) and SACK into the ISN
>      (initial sequence number) without the use of timestamp bits.
> 
>   b) switching to the very fast and cryptographically strong SipHash-2-4
>      hash MAC algorithm to protect the SYN cookie against forgery.
> 
> The patch had been reviewed by dwmalone (cookies) and cperciva (siphash).
> 
> Please find it here for testing:
> 
>   http://people.freebsd.org/~andre/syncookie-20130708.diff

I've been using the patch for a couple of days and didn't notice any
issues so far. Privoxy's regression tests continue to work as expected
as well.

BTW, I think kern/173309 could be closed.

Fabian

Received on Wed Jul 10 2013 - 11:18:35 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:39 UTC