Oskar Andreasson wrote:
>>> may be of interest to some people on the netdev mailing list as well.
>>> Just to inform people who may be interested, the ipsysctl tutorial has
>>> been released in a new version at http://ipsysctl-tutorial.frozentux.net.
>>>

I'd like to ask for some clarifications, if not quoting, in the tutorial on
page x321.html (not sure of section numbers) re: syn cookies. Dan Bernstein
(everyone's favorite mathematician :-) ) makes it very clear on
http://cr.yp.to/syncookies.html that your warnings are primarily FUD.

For the sake of quoting:

  A few people (notably Alexey Kuznetsov, Wichert Akkerman, and Perry
  Metzger) have been spreading misinformation about SYN cookies. Here are
  some of their bogus claims:

  * SYN cookies ``present serious violation of TCP protocol.''
    Reality: SYN cookies are fully compliant with the TCP protocol. Every
    packet sent by a SYN-cookie server is something that could also have
    been sent by a non-SYN-cookie server.

  * SYN cookies ``do not allow to use TCP extensions'' such as large
    windows.
    Reality: SYN cookies don't hurt TCP extensions. A connection saved by
    SYN cookies can't use large windows; but the same is true without SYN
    cookies, because the connection would have been destroyed.

  * SYN cookies cause ``massive hanging connections.''
    Reality: With or without SYN cookies, connections occasionally hang
    because a computer or network is overloaded. Applications deal with
    this by simply dropping idle connections.

  * SYN cookies cause ``serious degradation of service.''
    Reality: SYN cookies /improve/ service. They do take a small amount of
    CPU time to compute, but that CPU time has to be spent anyway for
    hard-to-predict sequence numbers; see RFC 1948.

  * SYN cookies cause ``magic resets.''
    Reality: SYN cookies never cause resets.

  These people also have the annoying habit of crediting their bogus
  claims to other people, such as me. I don't know whether to attribute
  this to malice or stupidity; either way, I would like the record to be
  set straight.

  I invited Kuznetsov to either retract or defend his claims. He refused
  to do so. I'm sure he's aware by now that his claims are false, and that
  any attempted defense will be promptly ripped to shreds; but he's still
  not admitting his errors. It's unfortunate that he doesn't have more
  respect for the truth.

  I also invited Akkerman to either retract or defend his claims. He did
  not respond.

-- 
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
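The quoted rebuttals are easier to weigh with a concrete picture of what a SYN cookie actually is: a server initial sequence number that encodes a small amount of handshake state, so the server can drop the SYN immediately and still recognise the client's final ACK. The toy implementation below is an added example written for this archive; it is not code from the ipsysctl tutorial, from Bernstein's page, or from any kernel. It follows the bit layout Bernstein describes (5 bits of a counter that ticks every 64 seconds, 3 bits of MSS index, 24 bits of a keyed secret function of the 4-tuple and the counter) but the particular MSS table, the 4-tick acceptance window, the constructed secret, the use of HMAC-SHA256 as the secret function, and the mixing of the client's ISN into the MAC are assumptions of this example.

```python
import hashlib
import hmac

# Constructed per-boot server secret; a real host draws this at random (assumption).
SERVER_SECRET = b"constructed-demo-secret"

# The cookie has room for only 3 bits of MSS, so the client's MSS is rounded
# down to one of these eight values (table chosen for this example).
MSS_TABLE = (64, 256, 512, 536, 1024, 1440, 1460, 4312)

COUNTER_PERIOD = 64   # seconds per counter tick, as on Bernstein's page
MAX_AGE_TICKS = 4     # accept cookies up to this many ticks old (assumption)


def counter(seconds):
    """5-bit slowly incrementing counter derived from wall-clock seconds."""
    return (seconds // COUNTER_PERIOD) & 0x1F


def mss_index(mss):
    """Index of the largest table entry not exceeding the client's MSS."""
    idx = 0
    for i, v in enumerate(MSS_TABLE):
        if v <= mss:
            idx = i
    return idx


def _mac24(saddr, daddr, sport, dport, client_isn, t):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the counter."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{client_isn}|{t}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK: 5 bits counter | 3 bits MSS index | 24 bits MAC.

    Nothing about this SYN is stored on the server; the ISN itself is the state.
    """
    t = counter(now)
    m = mss_index(mss)
    return (t << 27) | (m << 24) | _mac24(saddr, daddr, sport, dport, client_isn, t)


def check_ack(saddr, daddr, sport, dport, seq, ack, now):
    """Validate the third-handshake ACK without any stored state.

    Returns the recovered MSS on success, or None if the ACK does not carry a
    cookie this server issued recently for this 4-tuple.
    """
    cookie = (ack - 1) & 0xFFFFFFFF       # our SYN-ACK ISN is acked as ISN+1
    client_isn = (seq - 1) & 0xFFFFFFFF   # the client's ACK carries its ISN+1
    t = cookie >> 27
    m = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    age = (counter(now) - t) & 0x1F
    if age > MAX_AGE_TICKS:
        return None
    expected = _mac24(saddr, daddr, sport, dport, client_isn, t)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[m]


def demo():
    """Constructed handshake: SYN -> SYN-ACK with cookie -> ACK, then two rejects."""
    tup = ("192.0.2.10", "198.51.100.5", 40000, 80)   # constructed 4-tuple
    client_isn = 0x1A2B3C4D
    now = 1_000_000
    cookie = make_cookie(*tup, client_isn, 1460, now)
    # Legitimate ACK arriving 10 s later: seq = client_isn+1, ack = cookie+1.
    good = check_ack(*tup, client_isn + 1, cookie + 1, now + 10)
    # The same ACK once the counter has moved past the accept window: rejected.
    stale = check_ack(*tup, client_isn + 1, cookie + 1,
                      now + COUNTER_PERIOD * (MAX_AGE_TICKS + 2))
    # An ACK whose 4-tuple does not match what the MAC was computed over: rejected.
    wrong = check_ack(tup[0], tup[1], 40001, tup[3], client_isn + 1, cookie + 1, now + 10)
    return good, stale, wrong


if __name__ == "__main__":
    print(demo())   # (1460, None, None)
```

Two of the quoted points fall straight out of the layout. Every SYN-ACK the server emits is an ordinary SYN-ACK with an ordinary 32-bit ISN, which is why a cookie server is protocol-compliant and never needs to send a reset. And the cookie only has three bits of option state, enough to round the MSS to a table entry, so options from the original SYN such as window scaling cannot be recovered when the ACK arrives; that is the limitation the second bullet is about, and it only matters for a connection that would otherwise have been dropped from an overflowing SYN queue.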