Removing T/TCP and replacing it with something simpler
Mike Silbersack
silby at silby.com
Thu Oct 21 08:24:11 PDT 2004
On Thu, 21 Oct 2004, Andre Oppermann wrote:
> I want to bring this up for discussion prior to start working on it.
>
> I intend to remove T/TCP (transactional TCP) support from our TCP
> implementation for the following reasons:
That sounds good.
> o The client has to enable the option in the TCP SYN request to the server.
> If the server accepts it, then it returns a unique cookie generated from
> the IP address of the client and some random seed. On subsequent
> connections
> the client will include the cookie in the TCP SYN request and it will
> send the first chunk of payload in the SYN packet. If the cookie matches
I think that it would have to be slightly more complex than that for it to
be secure. Instead of using syncookie/RFC1948-like generation, just
randomly generate the cookie and store it in the tcp host cache. Then
steal the concept of NQNFS leases, giving the cookie a limited lifetime,
after which it must be reissued. I think you'll need to track two cookies
on the server side, to gracefully handle the cookie transition period...
Well, I'm sure there are many ways to do it, but I agree that it's
certainly doable; we have plenty of time to talk about the exact
implementation. My reason for avoiding the use of syncookies/RFC1948 in
the implementation is that relying on those pieces of code makes a FreeBSD
implementation easy, but would make an implementation in other OSes
potentially difficult.
> FUD Notice:
>
> If you haven't read and/or unstood the link above or TCP/IP Illustrated
> Volume 3 then please refrain from participating in this discussion!
Hey, I just looked in section 24.7 in Vol. 1, and it says nothing but good
things about T/TCP - you must be the one misunderstanding things here! :)
Mike "Silby" Silbersack
More information about the freebsd-net
mailing list