Hi all,

Just to inform people who may be interested, the ipsysctl tutorial has been released in a new version at http://ipsysctl-tutorial.frozentux.net. There are a lot of bugfixes in the new version, but no big additions at this time. I hope to spend more time in the upcoming weeks adding explanations about the route/ and neigh/ parts of the sysctls, though.

Comments are welcome, as always.

Before anyone asks this time: no, I will not add explanations of the IPv6 sysctls at this time, since I want to finish up what I have begun before I even think about that ;). However, if anyone wants to, they are more than welcome to write those sections up themselves and send them to me for inclusion.

Sorry for taking your time, I hope this will be of some help.

----
Oskar Andreasson
http://www.frozentux.net
http://iptables-tutorial.frozentux.net
http://ipsysctl-tutorial.frozentux.net
mailto:blueflux@koffein.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Wed, Oct 23, 2002 at 05:47:07PM +0200, Oskar Andreasson wrote:

> First of all, I hope this is no inconvenience to anyone, but I thought it
> may be of interest to some people on the netdev mailinglist as well.
> Just to inform people who may be interested, the ipsysctl tutorial has
> been released in a new version at http://ipsysctl-tutorial.frozentux.net.

I added a link to your pages to the HOWTO. Other lartc readers may also find your work interesting, check it out!

Regards,

bert hubert
--
http://www.PowerDNS.com      Versatile DNS Software & Services
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
On Wed, 23 Oct 2002, bert hubert wrote:

> On Wed, Oct 23, 2002 at 05:47:07PM +0200, Oskar Andreasson wrote:
>
> > First of all, I hope this is no inconvenience to anyone, but I thought it
> > may be of interest to some people on the netdev mailinglist as well.
> > Just to inform people who may be interested, the ipsysctl tutorial has
> > been released in a new version at http://ipsysctl-tutorial.frozentux.net.
>
> I added a link to your pages to the HOWTO. Other lartc readers may also find
> your work interesting, check it out!

Thanks, very much appreciated :)

----
Oskar Andreasson
Oskar Andreasson wrote:

>>> may be of interest to some people on the netdev mailinglist as well.
>>> Just to inform people who may be interested, the ipsysctl tutorial has
>>> been released in a new version at http://ipsysctl-tutorial.frozentux.net.

I'd like to ask for some clarifications, if not quoting, in the tutorial on page x321.html (not sure of section numbers) re: syn cookies.

Dan Bernstein (everyone's favorite mathematician :-) ) makes it very clear on http://cr.yp.to/syncookies.html that your warnings are primarily FUD. For the sake of quoting:

A few people (notably Alexey Kuznetsov, Wichert Akkerman, and Perry Metzger) have been spreading misinformation about SYN cookies. Here are some of their bogus claims:

* SYN cookies ``present serious violation of TCP protocol.'' Reality: SYN cookies are fully compliant with the TCP protocol. Every packet sent by a SYN-cookie server is something that could also have been sent by a non-SYN-cookie server.
* SYN cookies ``do not allow to use TCP extensions'' such as large windows. Reality: SYN cookies don't hurt TCP extensions. A connection saved by SYN cookies can't use large windows; but the same is true without SYN cookies, because the connection would have been destroyed.
* SYN cookies cause ``massive hanging connections.'' Reality: With or without SYN cookies, connections occasionally hang because a computer or network is overloaded. Applications deal with this by simply dropping idle connections.
* SYN cookies cause ``serious degradation of service.'' Reality: SYN cookies /improve/ service. They do take a small amount of CPU time to compute, but that CPU time has to be spent anyway for hard-to-predict sequence numbers; see RFC 1948.
* SYN cookies cause ``magic resets.'' Reality: SYN cookies never cause resets.

These people also have the annoying habit of crediting their bogus claims to other people, such as me. I don't know whether to attribute this to malice or stupidity; either way, I would like the record to be set straight.

I invited Kuznetsov to either retract or defend his claims. He refused to do so. I'm sure he's aware by now that his claims are false, and that any attempted defense will be promptly ripped to shreds; but he's still not admitting his errors. It's unfortunate that he doesn't have more respect for the truth.

I also invited Akkerman to either retract or defend his claims. He did not respond.

--
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock
Hi Michael,

In short, I took Alexey on his words on this matter since I didn't know about the statements below... However, I notice one _big_ if in the page you are referring to, which by the way is quite old (dated circa 1996). Take a look at this page, which is linked from the document you showed:

http://cr.yp.to/syncookies/archive

According to this, we must turn off SACK and T/TCP for it to work:

"4. TCP options such as RFC1323, SACK and T/TCP options cannot be used."

Nowhere do the documents explain how these problems can be solved (I haven't read the whole document yet, so I may burst out prematurely... but I wanted to respond to your questions :)). I will look closer at this and see if there's any more up to date information on the matter, what happens with SACK etc. if SYN cookies are turned on (may take a while, I will need to check the source code as usual I expect =)).

On Wed, 23 Oct 2002, Michael T. Babcock wrote:

> Oskar Andreasson wrote:
>
> >>> may be of interest to some people on the netdev mailinglist as well.
> >>> Just to inform people who may be interested, the ipsysctl tutorial has
> >>> been released in a new version at http://ipsysctl-tutorial.frozentux.net.
>
> I'd like to ask for some clarifications, if not quoting, in the tutorial
> on page x321.html (not sure of section numbers) re: syn cookies.
>
> Dan Bernstein (everyone's favorite mathematician :-) ) makes it very
> clear on http://cr.yp.to/syncookies.html that your warnings are
> primarily FUD. For the sake of quoting:
>
> [...]

----
Oskar Andreasson
Oskar Andreasson wrote:

> However, I notice one _big_ if in the page you are referring to, which by
> the way is quite old (dated circa 1996).

I have a distinct feeling that many IP based protocols don't change a lot within these types of timespans. Look at how long IPv6 is taking to deploy.

> "4. TCP options such as RFC1323, SACK and T/TCP options cannot be used."
>
> Nowhere does the documents explain how these problems can be solved (I
> haven't read the whole document yet, so I may burst out prematurely... but
> I wanted to respond to your questions:)).

I would assume that those options use bits in the packet header that SYN cookies also use and therefore make unpredictable. I'm not sure either though.

FWIW, I've run all my machines 2.2.x and up with SYN cookies turned on with no (known) ill effects; PCs and servers alike.

--
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock
> I'd like to ask for some clarifications, if not quoting, in the tutorial
> on page x321.html (not sure of section numbers) re: syn cookies.

I don't understand what the question is here.

> Dan Bernstein (everyone's favorite mathematician :-) ) makes it very

I was not aware of that.

> clear on http://cr.yp.to/syncookies.html that your warnings are
> primarily FUD. For the sake of quoting:
> A few people (notably Alexey Kuznetsov, Wichert Akkerman, and Perry
> Metzger) have been spreading misinformation about SYN cookies. Here are
> some of their bogus claims:

I was also not aware of any such controversy, but I think the points below are correct.

> * SYN cookies ``present serious violation of TCP protocol.''
>   Reality: SYN cookies are fully compliant with the TCP protocol.
>   Every packet sent by a SYN-cookie server is something that could
>   also have been sent by a non-SYN-cookie server.
> * SYN cookies ``do not allow to use TCP extensions'' such as large
>   windows. Reality: SYN cookies don't hurt TCP extensions. A
>   connection saved by SYN cookies can't use large windows; but the
>   same is true without SYN cookies, because the connection would
>   have been destroyed.
> * SYN cookies cause ``massive hanging connections.'' Reality: With
>   or without SYN cookies, connections occasionally hang because a
>   computer or network is overloaded. Applications deal with this by
>   simply dropping idle connections.
> * SYN cookies cause ``serious degradation of service.'' Reality: SYN
>   cookies /improve/ service. They do take a small amount of CPU time
>   to compute, but that CPU time has to be spent anyway for
>   hard-to-predict sequence numbers; see RFC 1948.
> * SYN cookies cause ``magic resets.'' Reality: SYN cookies never
>   cause resets.
>
> These people also have the annoying habit of crediting their bogus
> claims to other people, such as me. I don't know whether to attribute
> this to malice or stupidity; either way, I would like the record to be
> set straight.
>
> I invited Kuznetsov to either retract or defend his claims. He refused
> to do so. I'm sure he's aware by now that his claims are false, and that
> any attempted defense will be promptly ripped to shreds; but he's still
> not admitting his errors. It's unfortunate that he doesn't have more
> respect for the truth.
>
> I also invited Akkerman to either retract or defend his claims. He did
> not respond.
Don Cohen wrote:

> > I'd like to ask for some clarifications, if not quoting, in the tutorial
> > on page x321.html (not sure of section numbers) re: syn cookies.
>
> I don't understand what the question is here.

It isn't a question (thus the lack of question mark). I asked for either a clarification or a quotation of the page mentioned in the FAQ to avoid confusion (or add some?) about syn cookies.

> > Dan Bernstein (everyone's favorite mathematician :-) ) makes it very
>
> I was not aware of that.

DJB, as he is known, tends to be a bit strong-minded and has a habit of thinking that everyone should want what he wants. He also has a tendency to write secure software and is a pretty good number cruncher too (has his own hash library, does cryptography, etc.). Some love him, some hate him, but if you search for 'DJB' on Google, I'm sure you'll find plenty.

> I was also not aware of any such controversy, but I think the points
> below are correct.

I have a good feeling they're correct too, since I've been using syn cookies "forever" now without any problems of which I'm aware. I'm surprised those mentioned haven't said anything (or that I haven't read it yet) that contradicts DJB (who was involved in the design of SYN cookies).

--
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock
On Mon, Oct 28, 2002 at 03:16:45PM -0500, Michael T. Babcock wrote:

> It isn't a question (thus the lack of question mark). I asked for
> either a clarification or a quotation of the page mentioned in the FAQ
> to avoid confusion (or add some?) about syn cookies.

Please keep this stuff off lartc.org. There has been enough flaming regarding SYN cookies and whatnot.

I actually know some of the people mentioned on DJB's page in real life and they are bone tired of it all too. So give it a rest. Please do not respond to this message.

Regards,

Bert Hubert
Your Kind List Administrator
--
http://www.PowerDNS.com      Versatile DNS Software & Services
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
bert hubert wrote:

> Please keep this stuff off lartc.org. There has been enough flaming
> regarding SYN cookies and whatnot.

Put that on the mailing list FAQ then; otherwise it's fair game.

> I actually know some of the people mentioned on DJB's page in real life and
> they are bone tired of it all too.

I'm not quite convinced that my being tired of something or not prevents you from telling me I'm wrong about something or requesting discussion about it -- especially when it's material relevant to the subject of the list. PS, assuming they are tired of it, why have I never seen a good (well-prepared / documented) commentary on the issue from any of them? However,

> So give it a rest. Please do not respond to this message

Obviously, I replied -- but I'm sure you expected as much when you sent your message. You're free of course to boot me from the list if you feel that my desiring clarification on a long-standing issue (in two whole messages; three with this one) is too much for you to handle.

In case you're wondering, I'm not much of a DJB supporter myself, but I do appreciate (and usually demand) accuracy, especially where it affects my servers and my work. FUD, on either side, is not appreciated, in the least, nor is complete silence.

> Your Kind List Administrator

--
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock
On Mon, 28 Oct 2002, Don Cohen wrote:

> > I'd like to ask for some clarifications, if not quoting, in the tutorial
> > on page x321.html (not sure of section numbers) re: syn cookies.
>
> I don't understand what the question is here.

The question is that I state that turning on syncookies may wreak havoc on the TCP stack, which Dan Bernstein totally disagrees with.

> > Dan Bernstein (everyone's favorite mathematician :-) ) makes it very
>
> I was not aware of that.

Well, he is rather interesting :). Has a lot of interesting ideas and was/is the original author of qmail and tinydns and a couple of other projects, if I am not totally off base. According to himself, he has published some 200k rows of code/text online.

> > clear on http://cr.yp.to/syncookies.html that your warnings are
> > primarily FUD. For the sake of quoting:
> > A few people (notably Alexey Kuznetsov, Wichert Akkerman, and Perry
> > Metzger) have been spreading misinformation about SYN cookies. Here are
> > some of their bogus claims:
>
> I was also not aware of any such controversy, but I think the points
> below are correct.

To an extent, but... most of what he is using to prove his point on that page is taken from 1996, and in computer terms that is ancient :). My main doubts are neither of the below points actually, but the fact that syn cookies seem to shred up SACK and T/TCP support. In 1996 this was no problem since it wasn't implemented in Linux, but today it is... and turned on per default...

My question hence is, how is the state of syn cookies today? How does it actually affect SACK, T/TCP, ECN, and other new extensions? That's what I want to find out before making a more final statement in the document. (Erh, ok, it sounds kind of final as it looks right now, but I want to check it up at least before doing any final statements.)

> > * SYN cookies ``present serious violation of TCP protocol.''
> >   Reality: SYN cookies are fully compliant with the TCP protocol.
> >   Every packet sent by a SYN-cookie server is something that could
> >   also have been sent by a non-SYN-cookie server.
> > * SYN cookies ``do not allow to use TCP extensions'' such as large
> >   windows. Reality: SYN cookies don't hurt TCP extensions. A
> >   connection saved by SYN cookies can't use large windows; but the
> >   same is true without SYN cookies, because the connection would
> >   have been destroyed.
> > * SYN cookies cause ``massive hanging connections.'' Reality: With
> >   or without SYN cookies, connections occasionally hang because a
> >   computer or network is overloaded. Applications deal with this by
> >   simply dropping idle connections.
> > * SYN cookies cause ``serious degradation of service.'' Reality: SYN
> >   cookies /improve/ service. They do take a small amount of CPU time
> >   to compute, but that CPU time has to be spent anyway for
> >   hard-to-predict sequence numbers; see RFC 1948.
> > * SYN cookies cause ``magic resets.'' Reality: SYN cookies never
> >   cause resets.
> >
> > These people also have the annoying habit of crediting their bogus
> > claims to other people, such as me. I don't know whether to attribute
> > this to malice or stupidity; either way, I would like the record to be
> > set straight.
> >
> > I invited Kuznetsov to either retract or defend his claims. He refused
> > to do so. I'm sure he's aware by now that his claims are false, and that
> > any attempted defense will be promptly ripped to shreds; but he's still
> > not admitting his errors. It's unfortunate that he doesn't have more
> > respect for the truth.
> >
> > I also invited Akkerman to either retract or defend his claims. He did
> > not respond.

----
Oskar Andreasson
Oskar Andreasson wrote:

> My question hence is, how is the state of syn cookies today? How does it
> actually affect SACK, T/TCP, ECN, and other new extensions? That's what I
> want to find out before making a more final statement in the document.
> (erh, ok it sounds kind of final as it looks right now, but I want to
> check it up at least before doing any final statements).

According to the netfilter documentation at <http://logi.cc/linux/netfilter-log-format.php3>, you should always have SYN cookies on with publicly accessible TCP ports (log analysis page, fwiw).

Paper on advanced TCP algorithms:
http://www.google.ca/search?q=cache:vVQeUAOMmnoC:www.ce.chalmers.se/staff/otel/papers-mine/tcp-improvements/TCP-improvements.ps+linux+syn+cookies+ecn+sack&hl=en&ie=UTF-8

Advantages and flaws of T/TCP:
http://www.linuxgazette.com/issue47/stacey.html

"SYN cookies were implemented in the Linux kernel to combat this attack. It involves sending a cookie to the sender to verify the connection is valid. SYN cookies cause problems with T/TCP as no TCP options are sent in the cookie and any data arriving in the initial SYN can't be used immediately. The CC option in T/TCP does provide some protection on its own, but it is not secure enough."

Mailing list discussion on cookies and T/TCP from 1998:
http://www.uwsg.iu.edu/hypermail/linux/kernel/9804.1/0650.html

FWIW, could the kernel code that uses T/TCP automagically disable SYN cookies for those packets?

--
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock
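The mechanism the thread keeps circling (Michael's guess that the options "use bits in the packet header that SYN cookies also use", Oskar's question of what happens to SACK and friends, and the Linux Gazette quote that "no TCP options are sent in the cookie") can be made concrete with a small model. The following is an added example, not code from the tutorial, the kernel, or anyone in the thread. It follows the 32-bit cookie layout Bernstein describes (5 bits of a counter that ticks every 64 seconds, 3 bits of MSS index, 24 bits of keyed hash over the connection 4-tuple); the HMAC-SHA256 hash, the constructed secret, the constructed SYN, the `counter()` helper and the two `accept_*` functions that contrast the stateful and the cookie path are assumptions of this illustration. The point it shows: the server keeps no per-SYN state, so whatever the 32 bits do not encode (SACK-permitted, window scale) is simply gone when the final ACK arrives, which is both what Oskar is worried about and what Bernstein's "a connection saved by SYN cookies can't use large windows" concedes.

```python
"""Toy SYN-cookie encode/verify in the layout Bernstein describes.

Constructed illustration, not kernel code. The 32-bit ISN the server
picks for its SYN+ACK is laid out as:

    top 5 bits    : t mod 32, where t is a counter that ticks every 64 s
    next 3 bits   : index into a small MSS table
    bottom 24 bits: keyed hash over the 4-tuple, the client ISN and t

Nothing else is stored anywhere, so nothing else survives the handshake.
"""
import hashlib
import hmac

# Constructed secret for this example; a kernel draws its own at boot.
SECRET = b"constructed-secret-for-illustration"

# Bernstein's original 8-entry MSS table (fits the 3-bit field).
MSS_TABLE = (64, 256, 512, 536, 1024, 1440, 1460, 4312)

COUNTER_PERIOD = 64  # seconds per tick of t (assumption, as in the archive)


def counter(now_seconds):
    """Cookie time counter: one tick per COUNTER_PERIOD, wrapped to 5 bits."""
    return (now_seconds // COUNTER_PERIOD) & 0x1F


def _hash24(pkt, t):
    """24-bit keyed hash tying the cookie to peer, port pair, client ISN and t."""
    msg = "{saddr}:{sport}>{daddr}:{dport}:{isn}:{t}".format(t=t, **pkt).encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def encode_mss(mss):
    """Index of the largest table entry not exceeding the advertised MSS."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def make_cookie(syn, t):
    """ISN for the SYN+ACK. After sending it the server forgets the SYN."""
    return ((t & 0x1F) << 27) | (encode_mss(syn["mss"]) << 24) | _hash24(syn, t)


def check_cookie(pkt, ack_seq, now):
    """Verify the cookie echoed back as (ack_seq - 1). Returns the MSS or None."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    t = cookie >> 27
    idx = (cookie >> 24) & 0x7
    # Only the current or the previous counter value is acceptable, so a
    # replayed or very late ACK is rejected without any lookup.
    if (now - t) % 32 not in (0, 1):
        return None
    if (cookie & 0xFFFFFF) != _hash24(pkt, t):
        return None
    return MSS_TABLE[idx]


def accept_stateful(syn):
    """Ordinary path: the SYN sits in the queue, so every option is remembered."""
    return {"mss": syn["mss"], "sack_ok": syn["sack_ok"], "wscale": syn["wscale"]}


def accept_with_cookie(pkt, ack_seq, now):
    """Cookie path: only what the 32-bit cookie encodes can be recovered."""
    mss = check_cookie(pkt, ack_seq, now)
    if mss is None:
        return None
    # SACK-permitted and window scale lived only in the discarded SYN.
    return {"mss": mss, "sack_ok": False, "wscale": None}


# Constructed SYN: client advertises MSS 1460, SACK-permitted, window scale 7.
SYN = {"saddr": "192.0.2.10", "sport": 40000,
       "daddr": "198.51.100.1", "dport": 80,
       "isn": 0x1234ABCD, "mss": 1460, "sack_ok": True, "wscale": 7}

if __name__ == "__main__":
    t = counter(64 * 17)
    cookie = make_cookie(SYN, t)
    print("stateful :", accept_stateful(SYN))
    print("cookie   :", accept_with_cookie(SYN, cookie + 1, t))
    print("stale ack:", accept_with_cookie(SYN, cookie + 1, t + 5))
```

Run it and the two dictionaries differ only in the fields the cookie cannot carry, which is the whole "cookies versus extensions" argument in one comparison. Later Linux kernels narrow this loss for peers that send TCP timestamps by packing the window scale and SACK-permitted bits into the timestamp value the SYN+ACK echoes; this toy does not model that, and it also ignores T/TCP's CC option entirely, as the quoted Gazette text says the real implementation did.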