Re: [tcpm] TCP Long Options - Why not as payload in SYNs?
Christian Huitema <huitema@windows.microsoft.com> Mon, 14 July 2008 21:59 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0A92128C347; Mon, 14 Jul 2008 14:59:42 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 17C1B28C347 for <tcpm@core3.amsl.com>; Mon, 14 Jul 2008 14:59:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AqrwlrfW8dcL for <tcpm@core3.amsl.com>; Mon, 14 Jul 2008 14:59:40 -0700 (PDT)
Received: from smtp.microsoft.com (mail1.microsoft.com [131.107.115.212]) by core3.amsl.com (Postfix) with ESMTP id 478593A6842 for <tcpm@ietf.org>; Mon, 14 Jul 2008 14:59:40 -0700 (PDT)
Received: from tk1-exhub-c103.redmond.corp.microsoft.com (157.54.46.187) by TK5-EXGWY-E801.partners.extranet.microsoft.com (10.251.56.50) with Microsoft SMTP Server (TLS) id 8.1.251.2; Mon, 14 Jul 2008 15:00:06 -0700
Received: from tk5-exmlt-w601.wingroup.windeploy.ntdev.microsoft.com (157.54.18.32) by tk1-exhub-c103.redmond.corp.microsoft.com (157.54.46.187) with Microsoft SMTP Server id 8.1.240.5; Mon, 14 Jul 2008 15:00:06 -0700
Received: from NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com ([fe80::8de9:51a2:cd62:f122]) by tk5-exmlt-w601.wingroup.windeploy.ntdev.microsoft.com ([157.54.18.32]) with mapi; Mon, 14 Jul 2008 14:59:04 -0700
From: Christian Huitema <huitema@windows.microsoft.com>
To: Joe Touch <touch@ISI.EDU>
Date: Mon, 14 Jul 2008 15:00:04 -0700
Thread-Topic: [tcpm] TCP Long Options - Why not as payload in SYNs?
Thread-Index: Acjl+F9KFGgwUjqSTqezIAyjfCp2WQAA5lfQ
Message-ID: <8EFB68EAE061884A8517F2A755E8B60A0AA17C60F8@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com>
References: <20080714121424.GA31382@ikr.uni-stuttgart.de> <78C9135A3D2ECE4B8162EBDCE82CAD7703E66F37@nekter> <487BAFCF.3020402@isi.edu> <487BBF1C.7000101@isi.edu>
In-Reply-To: <487BBF1C.7000101@isi.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
MIME-Version: 1.0
Cc: "tcpm@ietf.org" <tcpm@ietf.org>, Caitlin Bestler <Caitlin.Bestler@neterion.com>
Subject: Re: [tcpm] TCP Long Options - Why not as payload in SYNs?
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
> >> Any stack that uses SYN Cookies, or wants the option to, will reject > >> any SYN that has payload. > > > > Why couldn't it ACK the SYN but not the data, and compute the cookie > > based on the header only (as with an 'empty' SYN?) > > Note that this is a valid response only where the data is NOT > interpreted as extended option space. > > AFAICT, SYN cookies are incompatible with long options, and yes, > rejecting them is the appropriate response if cookies are required for > all connections. Also, SYN cookies are only one specific defense against SYN flooding attacks. They are a good defense if the main worry is the memory consumed by connection state. They have however two drawbacks: they do nothing about "back flood", i.e. saturating the output NIC and link with SYN-ACK; and they diminish the robustness of the connection set-up for all applications where the first message comes from the server. When experimenting with these attacks, I found that we can achieve a good defense with a combination of "short" state information in memory for the "half open" connections, and rate limiting of the number of SYN that a system is willing to process. Cookies would not help much, if at all. -- Christian Huitema _______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] TCP Long Options - Why not as payload in S… Michael Scharf
- Re: [tcpm] TCP Long Options - Why not as payload … Adam Langley
- Re: [tcpm] TCP Long Options - Why not as payload … Joe Touch
- Re: [tcpm] TCP Long Options - Why not as payload … Michael Scharf
- Re: [tcpm] TCP Long Options - Why not as payload … Joe Touch
- Re: [tcpm] TCP Long Options - Why not as payload … Adam Langley
- Re: [tcpm] TCP Long Options - Why not as payload … Caitlin Bestler
- Re: [tcpm] TCP Long Options - Why not as payload … Joe Touch
- Re: [tcpm] TCP Long Options - Why not as payload … Joe Touch
- Re: [tcpm] TCP Long Options - Why not as payload … Joe Touch
- Re: [tcpm] TCP Long Options - Why not as payload … Christian Huitema
- Re: [tcpm] TCP Long Options - Why not as payload … Sergio Freire
- Re: [tcpm] TCP Long Options - Why not as payload … Joe Touch
- Re: [tcpm] TCP Long Options - Why not as payload … Adam Langley
- Re: [tcpm] TCP Long Options - Why not as payload … Joe Touch