On Thu, Jan 13, 2005 at 07:31:58PM +0100, Iago Rubio wrote: > [quote] > syncookies seriously violate TCP protocol, do not allow to use TCP > extensions, can result in serious degradation of some services (f.e. > SMTP relaying), visible not by you, but your clients and relays, > contacting you. > [/quote] The protocol violation claim is IMHO garbage. Most of the reason syn cookies are not used under high load by default is because they were invented by Dan Bernstein. The extensions are problematic but this kicks in mostly at the point where things are not working full stop. There are some things it does confuse a little - programs expecting that the server will intentionally ignore and not make connections when busy for example. > 2.- You can't use extensions as T/TCP with syncookies. T/TCP is an experiment that is dead, it also violates the TCP specification and turned out to have security issues. So T/TCP is dead. OTOH under load you do lose SACK, FACK, PAWS, large windows and some other really useful features.
