Re: [PATCH 00/19] tcp: Initial support for RFC5925 auth option

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 9/22/21 11:23 PM, Francesco Ruggeri wrote:
On Tue, Sep 21, 2021 at 9:15 AM Leonard Crestez <cdleonard@xxxxxxxxx> wrote:
* Sequence Number Extension not implemented so connections will flap
every ~4G of traffic.

Could you expand on this?
What exactly do you mean by flap? Will the connection be terminated?
I assume that depending on the initial sequence numbers the first flaps
may occur well before 4G.
Do you use a SNE of 0 in the hash computation, or do you just not include
the SNE in it?

SNE is hardcoded to zero, with the logical consequence of incorrect signatures on sequence number wrapping. The SNE has to be included because otherwise all signatures would be invalid.

You are correct that this can break much sooner than 4G of traffic, but still in the GB range on average. I didn't test the exact behavior (not clear how) but if signatures don't validate the connection will likely timeout.

My plan is to use TCP_REPAIR to control sequence numbers and test this reliably in an isolated environment (not interop with a cisco VM or similar). I want to implement TCP_REPAIR support for TCP-AO anyway.

It was skipped because the patch series is already quite large.

--
Regards,
Leonard



[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux