> I'd like to ask for some clarifications, if not quoting, in the tutorial
> on page x321.html (not sure of section numbers) re: syn cookies.

I don't understand what the question is here.

> Dan Bernstein (everyone's favorite mathematician :-) ) makes it very

I was not aware of that.

> clear on http://cr.yp.to/syncookies.html that your warnings are
> primarily FUD. For the sake of quoting:
>
> A few people (notably Alexey Kuznetsov, Wichert Akkerman, and Perry
> Metzger) have been spreading misinformation about SYN cookies. Here are
> some of their bogus claims:

I was also not aware of any such controversy, but I think the points below
are correct.

> * SYN cookies ``present serious violation of TCP protocol.''
> Reality: SYN cookies are fully compliant with the TCP protocol.
> Every packet sent by a SYN-cookie server is something that could
> also have been sent by a non-SYN-cookie server.
>
> * SYN cookies ``do not allow to use TCP extensions'' such as large
> windows. Reality: SYN cookies don't hurt TCP extensions. A
> connection saved by SYN cookies can't use large windows; but the
> same is true without SYN cookies, because the connection would
> have been destroyed.
>
> * SYN cookies cause ``massive hanging connections.'' Reality: With
> or without SYN cookies, connections occasionally hang because a
> computer or network is overloaded. Applications deal with this by
> simply dropping idle connections.
>
> * SYN cookies cause ``serious degradation of service.'' Reality: SYN
> cookies /improve/ service. They do take a small amount of CPU time
> to compute, but that CPU time has to be spent anyway for
> hard-to-predict sequence numbers; see RFC 1948.
>
> * SYN cookies cause ``magic resets.'' Reality: SYN cookies never
> cause resets.
>
> These people also have the annoying habit of crediting their bogus
> claims to other people, such as me. I don't know whether to attribute
> this to malice or stupidity; either way, I would like the record to be
> set straight.
>
> I invited Kuznetsov to either retract or defend his claims. He refused
> to do so. I'm sure he's aware by now that his claims are false, and that
> any attempted defense will be promptly ripped to shreds; but he's still
> not admitting his errors. It's unfortunate that he doesn't have more
> respect for the truth.
>
> I also invited Akkerman to either retract or defend his claims. He did
> not respond.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
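The points quoted above are easier to judge with the mechanism in front of you. The following is an added example, not code from this thread, from LARTC or from Bernstein's page: a toy SYN-cookie generator and verifier in Python that follows the cookie layout he describes (top 5 bits: a 64-second time counter mod 32; next 3 bits: an index into a server-side MSS table; low 24 bits: a keyed function of the 4-tuple and the counter). Everything else is an assumption for the demo: the HMAC-SHA256 truncation, the MSS table, a validity window of three ticks, folding the MSS index into the MAC, and the constructed secret and addresses. It shows what the server keeps between SYN and ACK (nothing), what it can recover when the ACK arrives (only the MSS, which is why a cookie-rescued connection cannot use window scaling), and that the per-packet cost is one keyed hash, in line with the RFC 1948 comparison.

```python
import hashlib
import hmac
import struct

# Constructed demo values. A real server draws its secret randomly at boot.
SECRET = b"constructed-demo-secret-not-for-real-use"
# Server-side MSS table; the 3-bit cookie field is an index into it.
# The sizes are an assumption for this example.
MSS_TABLE = (536, 1300, 1440, 1460)
# The counter ticks once per 64 seconds; cookies older than MAX_AGE ticks are
# rejected (the window size is an assumption).
MAX_AGE = 3


def mss_index(client_mss):
    """Index of the largest table entry not above the MSS the client advertised (0 if none)."""
    best = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            best = i
    return best


def _mac24(saddr, sport, daddr, dport, t, idx):
    """24-bit keyed hash over the 4-tuple, the time counter and the MSS index."""
    msg = struct.pack("!4sH4sHIB", saddr, sport, daddr, dport, t, idx)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_mss, t):
    """ISN for the SYN-ACK: 5 bits of t, 3 bits of MSS index, 24 bits of MAC."""
    idx = mss_index(client_mss)
    mac = _mac24(saddr, sport, daddr, dport, t, idx)
    return ((t & 0x1F) << 27) | (idx << 24) | mac


def check_cookie(saddr, sport, daddr, dport, cookie, now):
    """Return the MSS encoded in a valid, recent cookie, or None."""
    top5 = (cookie >> 27) & 0x1F
    idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None
    # Find the recent counter value whose low 5 bits match, then recompute the MAC.
    for age in range(MAX_AGE + 1):
        t = now - age
        if t < 0:
            break
        if (t & 0x1F) == top5 and _mac24(saddr, sport, daddr, dport, t, idx) == mac:
            return MSS_TABLE[idx]
    return None


def on_syn(saddr, sport, daddr, dport, client_mss, now):
    """SYN arrives while the queue is full: answer with a SYN-ACK whose ISN is the
    cookie. No queue entry is created, so a flood of SYNs costs memory nothing."""
    return make_cookie(saddr, sport, daddr, dport, client_mss, now)


def on_ack(saddr, sport, daddr, dport, ack_number, now):
    """Final ACK of the handshake acknowledges ISN + 1, so cookie = ack - 1 (mod 2**32).
    Returns the MSS to rebuild the connection with, or None to discard the segment.
    Only the MSS comes back: any window-scale option from the SYN is gone."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    return check_cookie(saddr, sport, daddr, dport, cookie, now)


if __name__ == "__main__":
    client, server = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"  # constructed 10.0.0.1 / 10.0.0.2
    isn = on_syn(client, 40000, server, 80, 1460, now=1000)
    print("SYN-ACK seq =", hex(isn))
    print("ACK one tick later  ->", on_ack(client, 40000, server, 80, isn + 1, now=1001))
    print("ACK ten ticks later ->", on_ack(client, 40000, server, 80, isn + 1, now=1010))
    print("ACK from other port ->", on_ack(client, 40001, server, 80, isn + 1, now=1001))
```

The server never stores anything per SYN: the SYN-ACK looks like any other SYN-ACK (just a sequence number), and a later ACK is accepted purely on whether its acknowledgement number minus one passes `check_cookie`. Linux's implementation differs in details (it hashes the MSS index and the counter with its own digest), but the structural points in the quoted text hold for either layout.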