On 17/10/17 - 04:00:01, Eric Dumazet wrote: > On Mon, Oct 16, 2017 at 11:37 PM, Christoph Paasch <cpaa...@apple.com> wrote: > > We already allow to enable TFO without a cookie by using the > > fastopen-sysctl and setting it to TFO_SERVER_COOKIE_NOT_REQD (0x200). > > This is safe to do in certain environments where we know that there > > isn't a malicous host (aka., data-centers). > > > > A server however might be talking to both sides (public Internet and > > data-center). So, this server would want to enable cookie-less TFO for > > the connections that go to the data-center while enforcing cookies for > > the traffic from the Internet. > > > > This patch exposes a socket-option to enable this (protected by > > CAP_NET_ADMIN). > > Have you thought instead of a route attribute ?
Another use-case for per-socket configuration is where the application-level protocol already provides an authentication mechanism in the first flight of data so that the cookie basically becomes redundant. In that case, it is useful to configure it on a per-socket basis if other services are running on this server as well. I can of course add the route attribute in the v2, but I think the sockopt has its use-case as well. > CAP_NET_ADMIN restriction is not really practical IMO. I'm fine with removing it. I added it because an unpreviliged user could more easily mount an amplification attack. But that is probably quite a stretch :) Christoph
