Currently, TFO only allows a single TFO-secret. This means that whenever
the secret gets changed for key-rotation purposes, all the previously
issued TFO-cookies become invalid. This means that clients will fall back
to "regular" TCP, incurring a cost of one additional round-trip.

This patchset introduces a TFO key-pool that allows the key to be changed
more gracefully. The size of the pool is 2 (this could be changed in the
future through a sysctl if needed). When a client connects with an "old"
TFO cookie, the server will now accept the data in the SYN and at the
same time announce a new TFO-cookie to the client.

We have seen a significant reduction of LINUX_MIB_TCPFASTOPENPASSIVEFAIL
thanks to these patches. Invalid cookies are now solely observed when
clients behind a NAT are getting a new public IP.


Christoph Paasch (5):
  tcp: Create list of TFO-contexts
  tcp: TFO: search for correct cookie and accept data
  tcp: Print list of TFO-keys from proc
  tcp: Allow getsockopt of listener's keypool
  tcp: TFO - cleanup code duplication

 include/net/tcp.h          |   2 +
 include/uapi/linux/snmp.h  |   1 +
 net/ipv4/proc.c            |   1 +
 net/ipv4/sysctl_net_ipv4.c |  41 +++++++---
 net/ipv4/tcp.c             |  15 ++--
 net/ipv4/tcp_fastopen.c    | 192 +++++++++++++++++++++++++++++++++++----------
 6 files changed, 193 insertions(+), 59 deletions(-)

-- 
2.16.2
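A runnable model of the key-pool behaviour described in the cover letter above (an added example, not code from the patchset or the kernel): the pool holds the current and the previous key, a SYN carrying a cookie minted under the previous key still has its data accepted while a fresh cookie is announced, and a cookie no key can reproduce (stale key, or a NAT client whose public IP changed) is rejected and counted. HMAC-SHA256 stands in for the kernel's AES-based cookie; the class, function names and counter are assumptions.

```python
"""Model of a two-entry TFO cookie key pool with graceful rotation."""
import hashlib
import hmac
from typing import List, Optional, Tuple

COOKIE_LEN = 8          # TFO cookies are 8 bytes on the wire
POOL_SIZE = 2           # current key + previous key, as in the cover letter


def make_cookie(key: bytes, client_ip: str) -> bytes:
    """Derive the cookie for client_ip under key (HMAC stands in for AES)."""
    return hmac.new(key, client_ip.encode(), hashlib.sha256).digest()[:COOKIE_LEN]


class TfoKeyPool:
    def __init__(self, primary: bytes) -> None:
        self.keys: List[bytes] = [primary]   # index 0 is always the current key
        self.passive_fail = 0                # counts SYNs whose cookie matched no key

    def rotate(self, new_key: bytes) -> None:
        """Install new_key as current; the old current key becomes the fallback."""
        self.keys = ([new_key] + self.keys)[:POOL_SIZE]

    def check_syn(self, client_ip: str, cookie: bytes) -> Tuple[bool, Optional[bytes]]:
        """Validate a SYN's cookie against the pool.

        Returns (accept_syn_data, cookie_to_announce). A cookie under the
        current key is accepted with nothing to announce; a cookie under the
        previous key is accepted and the client is handed a current-key cookie;
        any other cookie is rejected, counted, and a fresh cookie is offered
        so the next connection can use TFO again.
        """
        current = make_cookie(self.keys[0], client_ip)
        for idx, key in enumerate(self.keys):
            if hmac.compare_digest(cookie, make_cookie(key, client_ip)):
                return True, (None if idx == 0 else current)
        self.passive_fail += 1
        return False, current
```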
