Eric Dumazet <eduma...@google.com> wrote:
> On Thu, Sep 24, 2015 at 7:14 AM, Jovi Zhangwei <j...@cloudflare.com> wrote:
> > From f455dc3958593250909627474100f6cc5c158a5c Mon Sep 17 00:00:00 2001
> > From: Marek Majkowski <ma...@cloudflare.com>
> > Date: Fri, 11 Sep 2015 06:05:07 -0700
> > Subject: [PATCH] tcp: Use absolute system clock for TCP timestamps
> >
> > Using TCP timestamps is beneficial due to its purpose in PAWS and its
> > role when SYN cookies are enabled. In practice though TCP timestamps are
> > often disabled due to being a perceived security issue - they leak Linux
> > system uptime.
> >
> > This patch introduces a kernel option that makes TCP timestamp always return
> > an absolute value derived from a system clock as opposed to jiffies from
> > boot.
> >
> > This patch is based on the approach taken by grsecurity:
> > https://grsecurity.net/~spender/random_timestamp.diff
> >
I did not see the proposed patch because it didn't make this list, but I
do not like the patch linked to above.

With HZ=1000 the clock wraps every 49 days anyway. If that is still
deemed a problem, then the proposed solution doesn't help since all this
does is add some 'random uptime' when the machine is booted, so remote
monitoring will easily give a good approximation of real uptime.

Really, where is the problem...?

> TCP stack uses tcp_time_stamp internally, we do not want to add
> overhead adding an offset on all places.
>
> tp->lsndtime is an example, but we have others.
>
> Therefore, I suggest you add a new function and use it only where needed.

Agreed, the mangling should only be performed when writing ts stamp into
tcp header, and undone when reading ts echo from network.
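The boundary-only mangling agreed on above, as an added C example that is not code from the thread, the patch or the kernel: it assumes HZ=1000, a constructed per-boot offset and hypothetical helper names, keeps the internal jiffies-based clock untouched, and shows that an RTT sample taken from the echoed value still comes out right when the 32-bit tick counter wraps (about every 49 days at HZ=1000).

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

#define ASSUMED_HZ 1000u   /* assumption: HZ=1000, one tick per millisecond */

/* Constructed per-boot secret offset; a real implementation would draw it
 * from the kernel RNG once at boot. */
static const uint32_t ts_offset = 0x9e3779b9u;

/* Internal clock used by the stack (lsndtime etc.): plain jiffies since boot.
 * Left untouched, as the thread suggests; only the wire boundary is mangled. */
static uint32_t tcp_time_stamp_internal(uint32_t jiffies) { return jiffies; }

/* Hypothetical helper applied only when writing TSval into the TCP option.
 * uint32_t arithmetic wraps modulo 2^32, which is what the option carries. */
uint32_t tcp_ts_to_wire(uint32_t jiffies) {
    return tcp_time_stamp_internal(jiffies) + ts_offset;
}

/* Hypothetical helper applied only when reading TSecr from the network:
 * unsigned subtraction undoes the offset even if the sum wrapped. */
uint32_t tcp_ts_from_wire(uint32_t tsecr) {
    return tsecr - ts_offset;
}

/* RTT sample in ticks from an echoed TSecr, computed in the internal domain
 * exactly as the stack does with tcp_time_stamp - tsecr. */
uint32_t rtt_ticks(uint32_t now_jiffies, uint32_t tsecr_wire) {
    return now_jiffies - tcp_ts_from_wire(tsecr_wire);
}

/* Seconds until a 32-bit tick counter wraps at the given HZ. */
double wrap_seconds(unsigned hz) { return 4294967296.0 / hz; }

int main(void) {
    uint32_t sent = 0xFFFFFFF0u;           /* constructed: just before the wrap */
    uint32_t wire = tcp_ts_to_wire(sent);  /* what goes into the header */
    uint32_t now  = sent + 40;             /* 40 ticks later, counter has wrapped */
    printf("rtt = %" PRIu32 " ticks\n", rtt_ticks(now, wire));
    printf("counter wraps every %.1f days at HZ=%u\n",
           wrap_seconds(ASSUMED_HZ) / 86400.0, ASSUMED_HZ);
    return 0;
}
```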