From: Eric Dumazet <eduma...@google.com>
Date: Wed,  1 Jul 2020 12:41:23 -0700

> Whenever cookie_init_timestamp() has been used to encode
> ECN,SACK,WSCALE options, we can not remove the TS option in the SYNACK.
> 
> Otherwise, tcp_synack_options() will still advertise options like WSCALE
> that we can not deduce later when receiving the packet from the client
> to complete 3WHS.
> 
> Note that modern Linux TCP stacks won't use MD5+TS+SACK in a SYN packet,
> but we can not know for sure that all TCP stacks have the same logic.
> 
> Before the fix a tcpdump would exhibit this wrong exchange:
> 
> 10:12:15.464591 IP C > S: Flags [S], seq 4202415601, win 65535, options 
> [nop,nop,md5 valid,mss 1400,sackOK,TS val 456965269 ecr 0,nop,wscale 8], 
> length 0
> 10:12:15.464602 IP S > C: Flags [S.], seq 253516766, ack 4202415602, win 
> 65535, options [nop,nop,md5 valid,mss 1400,nop,nop,sackOK,nop,wscale 8], 
> length 0
> 10:12:15.464611 IP C > S: Flags [.], ack 1, win 256, options [nop,nop,md5 
> valid], length 0
> 10:12:15.464678 IP C > S: Flags [P.], seq 1:13, ack 1, win 256, options 
> [nop,nop,md5 valid], length 12
> 10:12:15.464685 IP S > C: Flags [.], ack 13, win 65535, options [nop,nop,md5 
> valid], length 0
> 
> After this patch the exchange looks saner:
> 
> 11:59:59.882990 IP C > S: Flags [S], seq 517075944, win 65535, options 
> [nop,nop,md5 valid,mss 1400,sackOK,TS val 1751508483 ecr 0,nop,wscale 8], 
> length 0
> 11:59:59.883002 IP S > C: Flags [S.], seq 1902939253, ack 517075945, win 
> 65535, options [nop,nop,md5 valid,mss 1400,sackOK,TS val 1751508479 ecr 
> 1751508483,nop,wscale 8], length 0
> 11:59:59.883012 IP C > S: Flags [.], ack 1, win 256, options [nop,nop,md5 
> valid,nop,nop,TS val 1751508483 ecr 1751508479], length 0
> 11:59:59.883114 IP C > S: Flags [P.], seq 1:13, ack 1, win 256, options 
> [nop,nop,md5 valid,nop,nop,TS val 1751508483 ecr 1751508479], length 12
> 11:59:59.883122 IP S > C: Flags [.], ack 13, win 256, options [nop,nop,md5 
> valid,nop,nop,TS val 1751508483 ecr 1751508483], length 0
> 11:59:59.883152 IP S > C: Flags [P.], seq 1:13, ack 13, win 256, options 
> [nop,nop,md5 valid,nop,nop,TS val 1751508484 ecr 1751508483], length 12
> 11:59:59.883170 IP C > S: Flags [.], ack 13, win 256, options [nop,nop,md5 
> valid,nop,nop,TS val 1751508484 ecr 1751508484], length 0
> 
> Of course, no SACK block will ever be added later, but nothing should break.
> Technically, we could remove the 4 nops included in MD5+TS options,
> but again some stacks could break seeing not conventional alignment.
> 
> Fixes: 4957faade11b ("TCPCT part 1g: Responder Cookie => Initiator")

I really love the archaeology of such artifacts :-)

> Signed-off-by: Eric Dumazet <eduma...@google.com>

Applied and queued up for -stable, thanks.
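
An added illustration, not part of the original mail or of the patch: a simplified user-space model of why the SYNACK must keep the TS option once cookie_init_timestamp() has packed ECN, SACK and WSCALE into it. The bit layout (low 6 bits of TSval: 4 bits of wscale, then SACK, then ECN) is taken from Linux's net/ipv4/syncookies.c and is an assumption here, since it is not shown in this thread; the names cookie_tsval(), cookie_decode() and struct syn_opts are hypothetical, and the clock values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define TSBITS 6                      /* low TSval bits reused for options */
#define TSMASK ((1u << TSBITS) - 1)
#define TS_OPT_WSCALE_MASK 0xfu       /* 0xf means "no wscale in the SYN" */
#define TS_OPT_SACK (1u << 4)
#define TS_OPT_ECN  (1u << 5)

struct syn_opts { int wscale_ok, snd_wscale, sack_ok, ecn_ok; };

/* SYNACK side: fold the negotiated options into the timestamp value. */
uint32_t cookie_tsval(struct syn_opts o, uint32_t ts_now)
{
    uint32_t opt = o.wscale_ok ? (uint32_t)o.snd_wscale : TS_OPT_WSCALE_MASK;
    if (o.sack_ok) opt |= TS_OPT_SACK;
    if (o.ecn_ok)  opt |= TS_OPT_ECN;
    uint32_t ts = (ts_now & ~TSMASK) | opt;
    if (ts > ts_now)                  /* keep TSval from running ahead of the clock */
        ts = (((ts >> TSBITS) - 1) << TSBITS) | opt;
    return ts;
}

/* Final-ACK side: the listener kept no state, so the echoed TSecr is all it has.
 * has_ts == 0 models a handshake whose SYNACK carried no TS option. */
struct syn_opts cookie_decode(int has_ts, uint32_t tsecr)
{
    struct syn_opts o = {0, 0, 0, 0};
    if (!has_ts)
        return o;                     /* wscale/SACK/ECN cannot be recovered */
    o.sack_ok = !!(tsecr & TS_OPT_SACK);
    o.ecn_ok  = !!(tsecr & TS_OPT_ECN);
    if ((tsecr & TS_OPT_WSCALE_MASK) != TS_OPT_WSCALE_MASK) {
        o.wscale_ok = 1;
        o.snd_wscale = (int)(tsecr & TS_OPT_WSCALE_MASK);
    }
    return o;
}

int main(void)
{
    struct syn_opts syn = {1, 8, 1, 0};          /* constructed: wscale 8, sackOK */
    uint32_t tsval = cookie_tsval(syn, 1000003); /* constructed clock value */
    struct syn_opts a = cookie_decode(1, tsval), b = cookie_decode(0, 0);
    printf("TS echoed: wscale_ok=%d wscale=%d sack_ok=%d\n", a.wscale_ok, a.snd_wscale, a.sack_ok);
    printf("TS absent: wscale_ok=%d sack_ok=%d\n", b.wscale_ok, b.sack_ok);
    return 0;
}
```

With the TS option echoed, the server recovers wscale 8 and SACK; without it, the rebuilt connection has both disabled even though the SYNACK advertised them, which is the mismatch visible in the "before" capture.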
