On Mon, 28 Oct 2002, Don Cohen wrote:

> > > I'd like to ask for some clarifications, if not quoting, in the tutorial
> > > on page x321.html (not sure of section numbers) re: syn cookies.
> >
> > I don't understand what the question is here.

The question is that I state that turning on syncookies may wreak havoc on
the TCP stack, which Dan Bernstein totally disagrees with.

> > > Dan Bernstein (everyone's favorite mathematician :-) ) makes it very
> >
> > I was not aware of that.

Well, he is rather interesting :). He has a lot of interesting ideas and
was/is the original author of qmail and tinydns and a couple of other
projects, if I am not totally off base. According to himself, he has
published some 200k rows of code/text online.

> > > clear on http://cr.yp.to/syncookies.html that your warnings are
> > > primarily FUD. For the sake of quoting:
> > >
> > > A few people (notably Alexey Kuznetsov, Wichert Akkerman, and Perry
> > > Metzger) have been spreading misinformation about SYN cookies. Here are
> > > some of their bogus claims:
> >
> > I was also not aware of any such controversy, but I think the points
> > below are correct.

To an extent, but... most of what he is using to prove his point on that
page is taken from 1996, and in computer terms, that is ancient :). My main
doubts are neither of the below points actually, but the fact that syn
cookies seem to shred up SACK and T/TCP support. In 1996 this was no
problem since it wasn't implemented in Linux, but today it is... and turned
on per default...

My question hence is, what is the state of syn cookies today? How does it
actually affect SACK, T/TCP, ECN, and other new extensions? That's what I
want to find out before making a more final statement in the document.
(erh, ok, it sounds kind of final as it looks right now, but I want to
check it at least before making any final statements).

> > > * SYN cookies ``present serious violation of TCP protocol.''
> > >   Reality: SYN cookies are fully compliant with the TCP protocol.
> > >   Every packet sent by a SYN-cookie server is something that could
> > >   also have been sent by a non-SYN-cookie server.
> > > * SYN cookies ``do not allow to use TCP extensions'' such as large
> > >   windows. Reality: SYN cookies don't hurt TCP extensions. A
> > >   connection saved by SYN cookies can't use large windows; but the
> > >   same is true without SYN cookies, because the connection would
> > >   have been destroyed.
> > > * SYN cookies cause ``massive hanging connections.'' Reality: With
> > >   or without SYN cookies, connections occasionally hang because a
> > >   computer or network is overloaded. Applications deal with this by
> > >   simply dropping idle connections.
> > > * SYN cookies cause ``serious degradation of service.'' Reality: SYN
> > >   cookies /improve/ service. They do take a small amount of CPU time
> > >   to compute, but that CPU time has to be spent anyway for
> > >   hard-to-predict sequence numbers; see RFC 1948.
> > > * SYN cookies cause ``magic resets.'' Reality: SYN cookies never
> > >   cause resets.
> > >
> > > These people also have the annoying habit of crediting their bogus
> > > claims to other people, such as me. I don't know whether to attribute
> > > this to malice or stupidity; either way, I would like the record to be
> > > set straight.
> > >
> > > I invited Kuznetsov to either retract or defend his claims. He refused
> > > to do so. I'm sure he's aware by now that his claims are false, and that
> > > any attempted defense will be promptly ripped to shreds; but he's still
> > > not admitting his errors. It's unfortunate that he doesn't have more
> > > respect for the truth.
> > >
> > > I also invited Akkerman to either retract or defend his claims. He did
> > > not respond.

-- 
----
Oskar Andreasson
http://www.frozentux.net
http://iptables-tutorial.frozentux.net
http://ipsysctl-tutorial.frozentux.net
mailto:blueflux@koffein.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
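The thread turns on one mechanical fact: a SYN-cookie server keeps no state for a half-open connection, so everything it will later need must fit in the 32-bit initial sequence number it sends in the SYN|ACK. The following is an added illustration, not code from this thread, from Bernstein's page or from any Linux release. It follows the layout Bernstein describes at http://cr.yp.to/syncookies.html (top 5 bits a slowly incrementing time counter, next 3 bits an index into a small MSS table, bottom 24 bits a secret keyed function of the client and server addresses and ports and the counter); HMAC-SHA-256 stands in for the secret function, and the MSS table, key, addresses and ports are all constructed for the example. Running it shows why a connection "saved" by a cookie comes up with only an MSS: window scale and SACK-permitted travel only in the original SYN, and there is no room in the cookie to carry them across to the ACK.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

# Illustrative 8-entry MSS table (constructed for this example; real stacks
# ship their own tables). 3 bits of cookie select one entry.
MSS_TABLE = [64, 256, 512, 536, 1024, 1440, 1460, 4312]

# Server secret; constructed here, a real server draws it from a CSPRNG at boot.
SECRET = b"constructed-example-secret-not-for-real-use"


def mss_index(client_mss: int) -> int:
    """Index of the largest table entry not exceeding the client's advertised MSS."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def _tag24(saddr: bytes, sport: int, daddr: bytes, dport: int, t: int) -> int:
    """24-bit keyed tag over the 4-tuple and the time counter (HMAC stands in
    for the server's 'secret function')."""
    msg = struct.pack("!4sH4sHI", saddr, sport, daddr, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr: bytes, sport: int, daddr: bytes, dport: int,
                t: int, client_mss: int) -> int:
    """Server ISN for the SYN|ACK: 5 bits of t | 3 bits of MSS index | 24-bit tag."""
    return (((t & 0x1F) << 27)
            | (mss_index(client_mss) << 24)
            | _tag24(saddr, sport, daddr, dport, t))


def check_cookie(cookie: int, saddr: bytes, sport: int, daddr: bytes, dport: int,
                 now: int, max_age: int = 4) -> Optional[int]:
    """Validate (ack_seq - 1) from a bare ACK with no stored state.
    Returns the recovered MSS, or None if the cookie is stale or forged."""
    t_field = cookie >> 27
    idx = (cookie >> 24) & 0x7
    tag = (cookie & 0xFFFFFF).to_bytes(3, "big")
    for age in range(max_age + 1):          # accept counters up to max_age ticks old
        t = now - age
        if (t & 0x1F) == t_field and hmac.compare_digest(
                _tag24(saddr, sport, daddr, dport, t).to_bytes(3, "big"), tag):
            return MSS_TABLE[idx]
    return None


def simulate_handshake(syn_options: Dict[str, object], t_syn: int, t_ack: int,
                       tamper: bool = False) -> Dict[str, object]:
    """SYN -> SYN|ACK(cookie) -> ACK, with the server remembering nothing in between.
    syn_options is what the client's SYN carried, e.g. {"mss": 1460, "wscale": 7, "sack_ok": True}."""
    saddr, sport = bytes([10, 0, 0, 5]), 40000      # constructed client endpoint
    daddr, dport = bytes([192, 0, 2, 10]), 80       # constructed server endpoint
    cookie = make_cookie(saddr, sport, daddr, dport, t_syn, int(syn_options["mss"]))
    ack_seq = (cookie + 1) & 0xFFFFFFFF             # what a genuine client acknowledges
    if tamper:                                      # an ACK that never saw our SYN|ACK
        ack_seq ^= 0x1
    recovered = check_cookie((ack_seq - 1) & 0xFFFFFFFF, saddr, sport, daddr, dport, t_ack)
    # Only the MSS survives the round trip; every other SYN option is gone.
    lost = sorted(k for k in syn_options if k != "mss")
    return {"cookie": cookie, "accepted": recovered is not None,
            "mss": recovered, "options_lost": lost}


if __name__ == "__main__":
    syn = {"mss": 1460, "wscale": 7, "sack_ok": True}
    print("fresh ACK :", simulate_handshake(syn, t_syn=100, t_ack=102))
    print("stale ACK :", simulate_handshake(syn, t_syn=100, t_ack=110))
    print("forged ACK:", simulate_handshake(syn, t_syn=100, t_ack=102, tamper=True))
```

The fresh handshake is accepted with MSS 1460 but reports `wscale` and `sack_ok` as lost; the stale and forged ACKs are rejected. That loss is exactly the "can't use large windows" concession in the quoted text, and it is the same reason Oskar's SACK worry is real for a cookie-only server. Later Linux kernels narrowed the gap by parking the window scale, SACK-permitted and ECN bits inside the TCP timestamp option they echo, so a client that sends timestamps gets those options back; a client without timestamps still lands where this toy shows.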