Hi, folks, I have a few questions wrt the FreeBSD TCP extended syncookies. I'm quoting the explanation in the code:
> * Timestamp we send:
> * 31|................................|0
> * DDDDDDDDDDDDDDDDDDDDDDSSSSRRRRA5
> * D = MD5 Digest (third dword) (only as filler)

What about the second MD5 dword? -- It doesn't seem to be used anywhere...

> * S = Requested send window scale
> * R = Requested receive window scale

What's this snd_window rcv_window thing? I mean, why do you need to include in the cookie the TCP wscale option *you* advertised? Isn't it expected to be the same in all cases?

> * A = SACK allowed
> * 5 = TCP-MD5 enabled (not implemented yet)
> * XORed with MD5 Digest (forth dword)

Any reason for XOR'ing the timestamp with the MD5 Digest?

> * The timestamp isn't cryptographically secure and doesn't need to be.

What's the motivator of this comment? MD5 itself (used here) being cryptographically weak, or what?

> * Some problems with SYN cookies remain however:
> * Consider the problem of a recreated (and retransmitted) cookie. If the
> * original SYN was accepted, the connection is established. The second
> * SYN is inflight, and if it arrives with an ISN that falls within the
> * receive window, the connection is killed.

What do you mean by "recreated", specifically?

Thanks!

Kind regards,
-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
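As an added illustration of the timestamp layout the mail quotes (this is example code, not the mail's or FreeBSD's own code), the C below packs the requested window scales, the SACK bit and the TCP-MD5 bit into a 32-bit timestamp exactly per the quoted bit diagram, fills the 22 high bits from the third digest dword, XORs the result with the fourth dword, and then recovers the options from the echoed value. Assumptions: `sc_fake_digest` is a small FNV-style mixer standing in for the per-connection MD5 digest (it is not MD5), and the 4-tuple, secret and option values are constructed here.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Bit layout of the SYN-cookie timestamp, as quoted in the mail:
 *   31|................................|0
 *     DDDDDDDDDDDDDDDDDDDDDDSSSSRRRRA5
 * D (22 bits) = digest filler, S (4) = requested send wscale,
 * R (4) = requested receive wscale, A = SACK allowed, 5 = TCP-MD5.
 * The packed word is then XORed with the fourth digest dword.
 */
#define TS_MD5_BIT        (1u << 0)
#define TS_SACK_BIT       (1u << 1)
#define TS_RWSCALE_SHIFT  2
#define TS_SWSCALE_SHIFT  6
#define TS_WSCALE_MASK    0xfu
#define TS_DIGEST_SHIFT   10
#define TS_DIGEST_MASK    ((1u << 22) - 1)

struct sc_opts {
    uint8_t snd_wscale;   /* 0..14 per RFC 7323, fits in 4 bits */
    uint8_t rcv_wscale;
    int     sack_ok;
    int     tcp_md5;
};

/*
 * Stand-in for the per-connection MD5 digest: four 32-bit words derived
 * from a secret and the 4-tuple. ASSUMPTION: this is NOT MD5 and not
 * FreeBSD's code; it is a small FNV-style mixer so the example runs with
 * no libraries. Only words [2] and [3] are consumed, as in the layout.
 */
void
sc_fake_digest(uint32_t secret, uint32_t saddr, uint32_t daddr,
               uint16_t sport, uint16_t dport, uint32_t out[4])
{
    uint32_t in[4] = { saddr, daddr, ((uint32_t)sport << 16) | dport, secret };
    uint32_t h = 0x811c9dc5u ^ secret;
    for (int i = 0; i < 4; i++) {
        for (int b = 0; b < 4; b++) {
            h ^= (in[i] >> (8 * b)) & 0xffu;
            h *= 0x01000193u;
        }
        h ^= h >> 13; h *= 0x5bd1e995u; h ^= h >> 15;
        out[i] = h;
    }
}

/* Pack the options into the timestamp we send in the SYN-ACK. */
uint32_t
sc_ts_encode(const struct sc_opts *o, const uint32_t digest[4])
{
    uint32_t ts = (digest[2] & TS_DIGEST_MASK) << TS_DIGEST_SHIFT; /* third dword, filler only */
    ts |= ((uint32_t)o->snd_wscale & TS_WSCALE_MASK) << TS_SWSCALE_SHIFT;
    ts |= ((uint32_t)o->rcv_wscale & TS_WSCALE_MASK) << TS_RWSCALE_SHIFT;
    if (o->sack_ok) ts |= TS_SACK_BIT;
    if (o->tcp_md5) ts |= TS_MD5_BIT;
    return ts ^ digest[3];                                         /* fourth dword */
}

/* Recover the options from the timestamp echoed back in the client's ACK. */
void
sc_ts_decode(uint32_t ts, const uint32_t digest[4], struct sc_opts *o)
{
    ts ^= digest[3];
    o->snd_wscale = (ts >> TS_SWSCALE_SHIFT) & TS_WSCALE_MASK;
    o->rcv_wscale = (ts >> TS_RWSCALE_SHIFT) & TS_WSCALE_MASK;
    o->sack_ok    = (ts & TS_SACK_BIT) != 0;
    o->tcp_md5    = (ts & TS_MD5_BIT) != 0;
    /* The D bits are filler: nothing here proves the timestamp is genuine. */
}

/* Constructed sample: snd wscale 7, rcv wscale 5, SACK on, TCP-MD5 off. */
const struct sc_opts SC_EXAMPLE_OPTS = { 7, 5, 1, 0 };
const uint32_t SC_ZERO_DIGEST[4] = { 0, 0, 0, 0 };

/* Round-trip with a constructed 4-tuple and secret; returns 1 if the options survive. */
int
sc_example_roundtrip_ok(void)
{
    uint32_t d[4];
    struct sc_opts r;
    sc_fake_digest(0x5ec2e7u, 0x0a000001u, 0x0a000002u, 40000, 80, d);
    sc_ts_decode(sc_ts_encode(&SC_EXAMPLE_OPTS, d), d, &r);
    return r.snd_wscale == SC_EXAMPLE_OPTS.snd_wscale &&
           r.rcv_wscale == SC_EXAMPLE_OPTS.rcv_wscale &&
           r.sack_ok    == SC_EXAMPLE_OPTS.sack_ok &&
           r.tcp_md5    == SC_EXAMPLE_OPTS.tcp_md5;
}

int
main(void)
{
    uint32_t d[4];
    sc_fake_digest(0x5ec2e7u, 0x0a000001u, 0x0a000002u, 40000, 80, d);
    printf("ts = 0x%08x, roundtrip %s\n",
           sc_ts_encode(&SC_EXAMPLE_OPTS, d),
           sc_example_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

With an all-zero digest the packed word for the sample options is simply (7 << 6) | (5 << 2) | 2 = 470, which makes the field positions easy to check by hand. Because the D bits are treated as filler, the decoder in this example will produce some set of options from any 32-bit value; the timestamp by itself does not authenticate the cookie, which is the property the quoted comment describes as "not cryptographically secure".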