Improved SYN Cookies: Looking for testers
Fabian Keil
freebsd-listen at fabiankeil.de
Wed Jul 10 13:18:35 UTC 2013
Andre Oppermann <andre at freebsd.org> wrote:
> We have had a SYN cookie implementation for quite some time now but it
> has some limitations with current realities for window scaling and
> SACK encoding in the few available bits.
>
> This patch updates and improves SYN cookies mainly by:
>
> a) encoding of MSS, WSCALE (window scaling) and SACK into the ISN
> (initial sequence number) without the use of timestamp bits.
>
> b) switching to the very fast and cryptographically strong SipHash-2-4
> hash MAC algorithm to protect the SYN cookie against forgery.
>
> The patch had been reviewed by dwmalone (cookies) and cperciva (siphash).
>
> Please find it here for testing:
>
> http://people.freebsd.org/~andre/syncookie-20130708.diff

I've been using the patch for a couple of days and didn't notice any
issues so far. Privoxy's regression tests continue to work as expected
as well.

BTW, I think kern/173309 could be closed.

Fabian
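
The scheme described in points a) and b) of the quoted announcement, as an added sketch that is not part of this thread and not code from the patch or from FreeBSD: MSS, WSCALE and SACK are packed into the low byte of the ISN and the upper 24 bits carry a truncated SipHash-2-4 MAC. The bit layout, the two tables, `struct syn` and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)

/* SipHash-2-4: 2 rounds per 8-byte block, 4 finalization rounds, 64-bit tag. */
static uint64_t siphash24(const uint64_t k[2], const uint8_t *in, size_t len)
{
    uint64_t v0 = k[0] ^ 0x736f6d6570736575ULL, v1 = k[1] ^ 0x646f72616e646f6dULL;
    uint64_t v2 = k[0] ^ 0x6c7967656e657261ULL, v3 = k[1] ^ 0x7465646279746573ULL;
    for (size_t i = 0; i <= len / 8; i++) {
        uint64_t m = (i == len / 8) ? (uint64_t)len << 56 : 0; /* last block holds len */
        for (size_t j = 0; j < 8 && 8 * i + j < len; j++)
            m |= (uint64_t)in[8 * i + j] << (8 * j);           /* little-endian load */
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Assumed tables: a 3-bit index stands for a rounded-down MSS or window scale. */
static const uint16_t msstab[8] = {216, 536, 1200, 1360, 1400, 1440, 1452, 1460};
static const uint8_t wstab[8] = {0, 1, 2, 3, 4, 6, 7, 8};
struct syn { uint32_t saddr, daddr; uint16_t sport, dport; uint32_t irs; };

/* MAC over the 4-tuple, the peer's ISN and the option byte, kept in bits 31..8. */
static uint32_t mac24(const uint64_t k[2], const struct syn *s, uint8_t opts)
{
    uint8_t buf[17];
    memcpy(buf, s, 16); buf[16] = opts;  /* struct syn is 16 bytes, no padding */
    return (uint32_t)siphash24(k, buf, sizeof(buf)) & 0xffffff00u;
}

/* Build the ISN for the SYN-ACK; no per-connection state is stored. */
static uint32_t cookie_make(const uint64_t k[2], const struct syn *s,
    uint16_t mss, int wscale, int sack)
{
    int mi = 7, wi = 7;
    while (mi > 0 && msstab[mi] > mss) mi--;    /* largest entry <= peer MSS */
    while (wi > 0 && wstab[wi] > wscale) wi--;  /* largest entry <= peer shift */
    uint8_t opts = (uint8_t)(mi << 5 | wi << 2 | (sack ? 2 : 0)); /* bit 0 unused */
    return mac24(k, s, opts) | opts;
}

/* On the final ACK: return 1 and recover the options only if the MAC verifies. */
static int cookie_check(const uint64_t k[2], const struct syn *s, uint32_t ack,
    uint16_t *mss, int *wscale, int *sack)
{
    uint32_t c = ack - 1; uint8_t opts = c & 0xff;  /* client ACKs ISN + 1 */
    if (mac24(k, s, opts) != (c & 0xffffff00u)) return 0;
    *mss = msstab[opts >> 5]; *wscale = wstab[(opts >> 2) & 7]; *sack = (opts >> 1) & 1;
    return 1;
}
```

Because the option byte is part of the MAC input, a client that flips the encoded MSS, window-scale or SACK bits in its ACK fails verification instead of being handed options it never negotiated.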